Main content

Managing the sprawl of SaaS, cloud and mobile

Phil Wainewright Profile picture for user pwainewright August 19, 2013
How are identity and access management tools helping enterprises manage cloud and mobile apps alongside their existing IT, and what are the emerging trends?

Concept with a man catching a falling puzzle piece.
Business users love the convenience of being able to sign up for new applications on-demand and use them on any device, any time, any place. IT and security managers are less enamored.

A proliferation of Web apps, a boom in mobile working and the persistence of unsafe browsing habits are causing more and more headaches for those entrusted with safeguarding enterprise data. When security breaches occur, it's IT that carries the can. No wonder they want to get more control and oversight of what users are up to.

During July and August I've posted a total of six articles on the topic of identity and access management — three vendor interviews and three customer case studies. Taken together, they provide a useful snapshot of enterprise adoption of these technologies to help manage cloud and mobile apps, along with insight into their future evolution.

One app at a time

[sws_pullquote_right]Read also:

Identity in a hybrid world

Reed gets ready for the mobile office

Retrofitting the Internet for identity

Getting cloud apps out to the cornfield

SailPoint jibes identity to the cloud

Steelcase, furnishing the cloud  

Enterprise apps reborn in the cloud [/sws_pullquote_right]

Although vendors like to show off the ease with which a portfolio of apps can be plugged into their access management platform using ready-made connectors, the reality on the ground is that it's never as easy as that.

In each of the three case studies — all of them introduced by vendors — it was very much a case of adding one application at a time. At US-based agribusiness Wilbur-Ellis, the pace of its three-month long implementation was governed by technology issues, such as getting SAML integration working well with one of its cloud applications.

UK recruitment website operator Reed Online was moving to single sign-on as part of general switch away from older applications to a new suite of cloud-based IT. It phased in implementation of applications and onboarding of groups of users across many months:

The digitally savvy developers and product managers were the first users brought onboard, with Google Apps being the first new app on the system. Six months later, all users had been brought off the old Lotus Notes system onto Google.

"We are now at that tipping point where you have all the applications across the board that you would need," says [director of technology Mark] Ridley.

Alongside single sign-on, mobile device management was an important part of the infrastructure at Reed, which has moved away from desktops towards laptops and Chromebooks, with static Chromeboxes in the call center.

Bridging on-premise to cloud

Cloud-based single sign-on vendors are mining a lucrative seam of businesses that use Microsoft Active Directory (AD) for identity management within their existing on-premise infrastructure. It's relatively easy to hook into AD using the SAML federated identity protocol — unless, they say, you're using Microsoft's own software to do this. As Okta's CEO Todd McKinnon told me:

"You have to have multiple different Microsoft servers that have to be set up with your VPN and it's really hard to do ... [Microsoft's] move to the cloud is confusing people and we're benefitting from it."

With many mid-sized businesses now adopting cloud apps and mobile working, the prevalence of Active Directory in that market provides a lot of opportunity for vendors to ease the transition to a hybrid IT landscape. At 10,000-strong workplace furniture maker Steelcase, there are four separate AD instances, one for each global region plus a fourth for external users.

Larger enterprises tend to have a more complex access management infrastructure already in place, and the challenge there is connecting into those existing systems while extending to cloud and mobile. The scope is familiar to enterprise access management vendor SailPoint, which last month launched an all-new cloud-based identity management platform:

As well as connecting to everyday directory services such as LDAP and Microsoft's Active Directory, it also plugs into more esoteric identity services ranging from RACF on IBM mainframes to mobile device management systems. As [founder and president Kevin] Cunnigham told me in our earlier conversation:

"Often it's a combination of access points ... There's a big opportunity to cater to that hybrid environment and give a 360-degree view.

"Enterprise-grade provisioning and governance are key parts of the offering alongside SSO — there's complex workflow and policy settings around that kind of thing."

Ping Identity founder and CEO Andre Durand noted that larger enterprises often have the additional challenge of access management across their partner and customer ecosystem:

"We have companies such as banks offering applications over the Internet to their customers. Their websites are becoming increasingly federated websites — sometimes what's on the website is coming from partners. It appears as though it's coming from Bank X or Company Y, but its actually a big mashup of websites.

"They need infrastructure to support the aggregation of all of those websites to make sure it looks like one website."

Looking to the future

Many enterprises still have separate teams that manage various components of access management, with silos of responsibility for security, compliance, threat protection and application administration. The proliferation of cloud and mobile applications and increased use of Internet resources such as business information services and social media is forcing the whole area to be looked at more strategically today. As Sailpoint's Cunningham told me:

"If you take all those silos of identity management and just pierce a hole through the side, that's what's happening with consumerization of IT. Identity's becoming much more of a business transactional process that merges all of these activities into one transaction."

For many users, the most noticeable impact of unifying identity and access management across all the applications and online services they use will be that they won't have to type in their ID and password so often as they move from one to another. Ping's Andre Durand describes a crusade against passwords:

"Let's not forget what the real priority is in identity. That is to wire the world to talk standards so that we can eliminate the password altogether ...

"When we succeed at that, we're going to live in a different world, where identity is not siloed, where it's free to move and follow a transaction, no matter how many boundaries it passes — you don't have to enter a new password every time you hit a boundary."

Durand described the existing and emerging standards that he believes will play a part in that password-free world: SAML of course but also newer specifications that play better with mobile and which straddle the enterprise and individual, consumer worlds, such as OAuth, OpenID Connect and SCIM.

System for Cross-domain Identity Management (SCIM), which is backed by Google,, Cisco and VMware among others, specifies a standard for provisioning and deprovisioning that promises to simplify the process of adding cloud applications to an identity and access management infrastructure. A finished proposal is expected next year.

People not technology

Realizing Durand's frictionless vision depends on enterprises and application developers abandoning their old habits of crafting proprietary identity and access management stacks. "There is no other path to that future," says Durand:

"They have to write their applications to not embed identity into their application but leverage the existing identities that exist either in the enterprise or out in the cloud. They have to make calls out to an externalized identity infrastructure."

Whether they will be ready to take that step remains to be seen. But as Okta's McKinnon points out, if information and computing are to operate as a shared utility, access management has to be standardized around people rather than the technology:

"Computing is becoming more people centric. You want IT to be people centric, you don't want it to be technology centric. You want to be thinking about how can we get the right information to the right people to make them effective. Access management — what sits between people and information — is a critical piece of the utility."

There's a lot more to write about this topic, along with other aspects of governance, integration and process management across multiple cloud, mobile and conventional applications. We'll be revisiting it in coming months as it's a core concern in today's digital enterprise.

Disclosure: Oracle, and SAP are diginomica premium partners.

Image credit: © James Thew -

A grey colored placeholder image