Top 8 challenges for Identity and Access Management when using SaaS applications
More and more companies are using SaaS applications (Software as a Service). This creates new challenges in terms of application administration, management, and security. We will address eight main challenges that a company will meet in regard to identity and access management, as well as the best way to solve each of them.
The importance of identity for SaaS applications
Cloud services revolutionize businesses. Organizations everywhere, both small and large, are moving from local software to cloud-based services. The transition to this hybrid configuration makes it increasingly important to control who can access which applications. A whole new set of challenges related to identity management is presented to the IT department. In addition, employees must keep track of multiple usernames, passwords, and URLs to access their applications.
The IT department’s role has fundamentally changed. As the managers of these new services, they must be able to provide insight and advice on SaaS products to ensure that the company maximizes the business value of its investments.
1. Employees are tired of all the passwords
Although the SaaS model in general makes it easier for users to access their applications, the increase in complexity of the process corresponds to the increase in the number of applications. Each application has different password rules and expiration times. The variety of password rules combined with a multitude of expiration times creates a bad user experience when employees have to spend time trying to remember, manage, and reset these ever-changing passwords and access authorizations in all their applications.
An even greater concern is perhaps the security risk caused by employees getting bored of all these passwords, and therefore using obvious or reused passwords written down on Post-it-notes, easily available on their mobiles or stored in Excel files on laptops.
IAM services can reduce these concerns by offering Single Sign-On (SSO) across all of these applications. This gives the employees a central place where they can access all their applications with a single username and password with no compromise in regards to security. In addition, such an identity management system will also allow different departments to manage identities for both cloud-based and local applications.
Most companies use Microsoft Active Directory (AD). This authoritative user directory manages access to basic IT services such as email and file sharing. AD is also often used to control access to a wider set of business applications and IT systems. An adequate IAM solution utilizes Active Directory and allows employees to continue using their existing user account as well as associated passwords to access the SaaS applications. This also increases the likelihood that employees will use the SaaS applications offered to them by your company.
2. Ineffective onboarding and deficient offboarding
When a new employee starts working at a company, it is usually the IT department that provides access to the corporate network, file server, email account, printer and so on. Since many SaaS applications are managed at a departmental level, access to these applications is often provided by someone who is responsible for the application rather than by the IT department. This can easily lead to a fragmented process and a poor user experience for the new employee.
A high-quality identity and access management service should be able to automate the user creation and deployment of SaaS applications as a natural extension of an existing onboarding process. When a user is added to, for example, Active Directory, he or she should automatically be able to access applications that are pre-defined as necessary for the group to which the employee belongs in the organization.
In most cases, a greater challenge must be faced when an employee leaves the company. The IT department generally has routines for revoking access to email and corporate networks centrally. However, one must rely on the administrators of the various applications outside the IT department to remove the access which they have provided the employee for each individual SaaS application. This makes the company vulnerable by leaving the business’ critical applications and data in the hands of potentially disgruntled former employees. In addition, auditors look for shortcomings in how the company handles such processes.
An IAM service should not only facilitate the IT department to easily add new applications, but it should also provide:
- Automated resource removal processes across all local and cloud-based applications
- Extensive integration through Active Directory
- Central overview of application usage
The IAM service should simply offer the company security that when employees leave the company, they will no longer have access to the company’s data.
3. Lack of compliance
An organization must carry out all activities in accordance with applicable laws, regulations and other rules, as well as in conformance with internal regulations and guidelines. Visibility around compliance also applies to the highest degree for IAM. An organization must understand who has access to applications and data, who has provided this access and how it is used. Cloud services rarely offer such listings.
In order to answer auditors about which employees have access to which applications and data, central visibility and control across all systems is required. An IAM service should allow comprehensive access rights across services and provide centralized compliance reports on the information management related to access management, on-/offboarding, and user and administrator activity.
4. Separate user directories for each application
Most companies have made a significant investment in a corporate directory, such as Active Directory, to manage local application access and network resources. For this reason, they wish to make use of this investment and extend it towards cloud-based services as well.
An IAM solution should be easy to integrate into your company’s Active Directory and/or LDAP directory, allowing the organization to seamlessly make use of existing infrastructure and management processes. As users are added or removed from the company’s central directory service, this will also automatically be reflected in access to cloud-based applications.
5. Access management on different units
One of the great benefits of cloud applications is that they are available from any device connected to the internet. However, multiple apps also mean multiple URLs and passwords, and the connection to mobile devices introduces yet another access point to manage and to provide user support. IT departments need to facilitate access to multiple devices and platforms without compromising security – a demanding task to perform without the right tools.
An application portal centrally provided by the IAM solution will present all applications a user has access to, thus solving the challenges regarding access “anywhere, anytime, from any device.” The IAM application portal will provide “Single-Sign-On” access to all applications, which should also function from the various mobile devices of the employees.
6. Cumbersome management of SaaS integrations
Centralizing of Single Sign-On and user management requires building integrations with SaaS applications. Managing such integrations can be quite demanding if they are custom built and owned by the IT department.
Like local applications, SaaS applications change over time. A good IAM solution should keep track of these changes and ensure that application integration and thus access, is always up to date and functioning properly. In order for this to actually work, the IAM provider must “own” the integration, in other words, the IAM provider must have a large portfolio of such integrations available in their solution. As the different integration interfaces for different services gradually change and expand, the IAM provider should update their integrations and thereby save the IT department from this responsibility so that they no longer need to track dependencies between integrations and application versions.
In addition, adding a new service or application should be as easy as downloading an app to your mobile phone. With minimal and enterprise-specific configuration only, new SaaS applications should be integrated into SSO and user management within minutes.
7. Shadow IT
Since cloud applications are becoming ever easier and cheaper to install, companies are also using more SaaS solutions every day. These solutions are often managed by the department that uses them. This can benefit the IT department as the application management is handed over to others, freeing up time, but it can also create a new problem as there is no longer a key place to manage users and applications, as well as access reports and analysis.
An IAM solution allows the IT department to facilitate access management. The execution of it should be done by others than the IT department in terms of delegated access management, but IT must be able to see that this responsibility is being taken care of. Without an IAM solution, this will hardly be possible.
8. Sub-optimization without central overview
One reason for the increase of cloud applications is that the monthly subscription model has replaced the expensive one-time cost for local software licenses and the “hidden” costs concerning server rooms and associated infrastructure. The finance department prefers to pay for the services while the subscription runs. However, without centralized insight into usage and costs, it is impossible for both the IT department and finance departments to have an overview of the subscription purchases and whether the application is in line with the cost.
A cloud-based IAM service should provide accurate visibility of the utilization rate and help the IT department optimize subscription costs. Managers should have access to reports showing the use of the service within their part of the organization.
In this article, we have presented and discussed eight main challenges connected to identity and access management for businesses that start using SaaS applications. In Cloudworks, we make sure that our customers’ investments work seamlessly with their local IT infrastructure. Our skilled consultants can contribute both in the assessment phase and with the actual implementation.
Contact us today to discuss how we best can assist your company!