This is part one of our three-part series on work from home - an application and identity management guide. In this section, we’ll cover the ins and outs of identity and access management. Before we get into the meat of this write-up, we’ll start with a little baseline background.
SaaS is exploding. Unless you live on Mars, this is a pretty obvious statement! But what isn’t perhaps as obvious is the gaping hole this explosion is causing in your IT security posture. In many organizations, Active Directory (AD), which used to control all access to company resources, now only governs 20% of applications while 80% of a user’s application load comes from a 3rd party like Salesforce.com or Concur.
That also means IT is no longer the linchpin to get applications up and running. If a user or group of users want to share files, they can have an app up and running in 5 minutes with a credit card. Similarly, when internal applications are not easy to use, the workforce is finding, they now have the power to go out and sign up for tools on their own.
IT is struggling to provide users with the flexibility to get tools the way they want them, while also trying to get their arms around provisioning, usage, and de-provisioning.
Identity and Access Management Defined (loosely)
It’s essential to define these terms before we dive into these two distinct functions within an IT security framework.
Identity Management – This refers to the process of assigning and then managing the attributes of a user. Who are they, what groups they are a part of etc. For example, “This person is remote, part of the Marketing functional area,” and so on.
Access Management – This refers to the process of taking the above identities, or groups of identities and deciding what IT resources they have access to.
These terms are very closely related and often used interchangeably. This is likely because traditional IT environments where corporate assets have been housed internally have utilized Active Directory (AD) to address both of these dynamics. Who you are and what you can access.
However, with the explosion of SaaS, AD isn’t able to perform these functions by itself any longer.
Solutions for identity management can be segmented into two buckets:
Here are a few of the options:
Traditional AD – Companies not yet “cloud-enabled” are using this tried and true structure, whether hosted on-premises or in some sort of private cloud environment. It works great; it’s robust and very familiar and easy to manage. But, it’s lacking when companies start venturing out to SaaS applications, and identities must be created and maintained at these providers individually; it’s extremely time-consuming for IT to create, manage, and audit.
Directory as a Service – Seriously … another DaaS?? In all seriousness, these are purpose-built solutions hosted by 3rd parties specifically for managing user identities. They are often built to integrate with other cloud solutions like SaaS applications. A great example of this would be Azure AD, which is very popular. Mostly due to the fact it’s given away for free in some instances. These are great for companies that are entirely “cloud-enabled,” but they aren’t built upon full-blown AD. So, companies that have any legacy infrastructure that requires full AD must maintain both. And while these two can integrate with each other, it can only be managed using the full AD instance as opposed to the cloud directory instance since that’s the scaled-down version.
In part two of this series on work from home - an application and identity management guide, we’ll dig into what SSO is, how it works, and the three big considerations for why to use SSO. For a much more thorough dive into the work-from-home guide, follow the link above.