Please Get Your Password Out of My SaaS!

Cloud computing and mobility have transformed business, and how people use software to conduct business and life.  Layer in the connective and sharing nature of social media and we’re in the midst of a seismic shift in both personal and professional life, with a blurring of the lines that today’s connected enterprise cannot ignore.  The migration to the cloud impacts us all – pure-bred Software-as-a-Service (SaaS) applications, legacy on-premise software that is core to business operations and mobile apps that put software in the palm of your hand – and has untethered users and pushed applications and data beyond traditional perimeters. 

The transformational power of the cloud is enabling greater employee productivity, driving increased partner value and accelerating the ability to conduct business and connect with people.  Software is integral to this cloud migration and any software company that hasn’t embraced cloud will be left behind.  At the heart of this migration are cloud identities – they hold the key to ensuring security in this new perimeter-less world.  They pose both challenges and opportunities for today’s software company, so let’s examine the state of cloud identities and the strategies that software companies need to employ as they take their applications to the cloud!

The Enterprise, SaaS and the Consumerization of IT: New Challenges to Old Password Management Problems

Whether using an on-premise, SaaS or mobile app, business users demand easy, instant access to the software they need to do their jobs. Yet often, in an attempt to ensure the desired level of security, software apps require unique usernames and passwords. Think about how many applications you use on a daily basis, and how you manage all of the credentials to access them. From a user’s perspective, the problem with passwords isn’t a new phenomenon. The proliferation of cloud and mobile services is only exacerbating the issue by extending the password problem outside the enterprise, across the multiple services, sites and apps that people use every day to do their jobs, conduct business or be productive. Looking at the core problem of simple passwords and re-use across services, it’s easy to see how vulnerable the password process is for the everyday person. For the enterprise, it is magnified as the consumerization of IT brings greater access to mobile apps and cloud services, but also greater potential for an issue to arise.

In some sense, passwords are a necessary evil, but they cause so many headaches.  How do you empower employees while ensuring access control and security?  How do you provide a compelling, frictionless experience for customers without sacrificing account security?  These are the issues that cause the tension between security and usability.  It’s a challenging dichotomy, but each side doesn’t need to be at odds with the other. 

Standards: The Building Blocks of Identity

The advancement of standards alongside the increasing adoption of mobile and cloud services gives enterprises the ability to control what they need, while providing people (employees, customers, partners) what they need in the vehicle they want (cloud service, mobile apps). Standards will drive a transformation of identity in the enterprise; one that is already afoot but poised to accelerate greatly as mainstream adoption of mobile and cloud services grows and as stakeholders of all kinds embrace standards. Even the Federal Government, via its National Strategy for Trusted Identities in Cyberspace (NSTIC), is pushing for standards. This effort was further fueled by $16.5 million in funding, initiating a series of pilot programs as part of an effort to gain consensus among the private sector for an identity ecosystem.

In parallel, industry is adopting myriad identity standards: Simple Cloud Identity Management (SCIM), OAuth, Security Assertion Markup Language (SAML) and OpenID. These are the core standards that companies such as Microsoft, Google, Facebook and Twitter, among countless others, are embracing. By connecting organizations’ identity schemas with applications and services through these standards, companies can provide the accessibility users want combined with the security enterprises need – while minimizing the reliance on passwords. Jettison the password from your SaaS offering, and you’ve minimized the vulnerabilities related to the security process while emphasizing the utility of your software.

Identity services like Facebook, Google and Microsoft Live can extensibly and seamlessly be connected to software in today’s cloud environment.  This enables companies to retain the controls they need to ensure the right people are accessing the right applications appropriately, without inserting another clunky step in the authentication process. This allows people to do the jobs they need to do, while leveraging the existing infrastructure and services in place they already use and minimizing the impact on the enterprise. Subsequently, this streamlines the identity access and authentication process while expediting the user’s ability to tap into the services they want and need. Standards are the key. Any single sign-on (SSO) or Web authentication service you consider should (and must) embrace standards – otherwise, the benefits are short-term, and you’ll be locked out of future benefits (pun intended!).

What to Look for in a Cloud Identity Management Solution

There is a lot of talk about cloud identity these days, and it’s important to understand the nuances relevant to SaaS. Specifically, it’s vital to leverage a cloud identity solution that embraces standards – this is crucial to adoption in enterprise environments. IT is reluctant to adopt anything that may be orphaned or obsolete in the near future. Standards-based solutions help alleviate those concerns, making adoption easier during the sales process. Additional criteria that cloud identity solutions should enable for your SaaS application:

  • Accelerated On-Boarding Process: on-boarding new customers to your service should take just minutes, accelerating your implementation and speeding adoption;
  • Increased Usage: reliable, seamless SSO access to your service accelerates adoption and usage, translating to a broader service footprint and higher renewal rates;
  • Predictable TCO: with a flat-rate pricing model, you keep your cost of ownership low and predictable;
  • High-Performance: SaaS operates at the speed of cloud, so cloud identity management must ensure high-availability, multi-tenant architecture and secure SAML-based SSO to ensure performance; and
  • Deployment Flexibility: Private Cloud and Public Cloud both require dynamic scaling and support needs – be sure whatever you choose is flexible and proven to work in both environments to drive broader customer benefit.

A Kick in the SaaS: How Box used Identity-Standards for Customer Benefit

Let’s take a look at a good example of identity standards in the SaaS environment of a hot start-up: Box. With a quickly expanding user base, Box required a Single Sign-On (SSO) solution to help secure its customers’ online content and make it easier for these companies to control user access. As the size of Box’s enterprise deployments increased, the company needed a way to provide centralized user management for customers with hundreds or thousands of users spread across teams and departments.

SaaS providers like Box can give their customers the benefits of SSO and have access to a pay-as-you-go pricing model (more benefits of SaaS). Using a standards-based solution, Box was SSO-enabled in less than two hours, meaning it was able to extend tremendous value to its customer base in a fraction of the time other solutions required. In addition, Box delivered proven SSO and support without a significant R&D investment, and being standards-based provided confidence in accommodating future use cases and customer deployments.

“Ping Identity offered us an ideal SAML-based SSO solution and the partner support we needed for successful deployments. By partnering with Ping Identity, we can offer our customers a scalable, enterprise-grade process for securely managing deployments of hundreds or thousands of Box users in conjunction with other SaaS applications,” said Tomas Barreto, engineering manager, Box.

I got 99 Problems but a Password Ain’t One

The state of enterprise cloud identity is at a tipping point. The transformational impact of cloud, mobile and social media, the integral role of standards and the increasing consumerization of IT require enterprises to think about identity and security in a new way. Enterprises must navigate and follow prescriptive measures to ensure simple-to-use, secure identities for the future. Security and usability need not be competing forces – with standards and the right approach, together they can enable a new world of productivity and security that is only now possible because of cloud identities.

Leveraging federated identity and cloud identity management can remove the password problem that SaaS can unintentionally exacerbate for enterprise customers.  Not only can it enable better security for your customers, it can enable better usage and utilization of your SaaS applications within your customer base – strengthening engagement, ‘stickiness’ and user reliance on your apps over the long-term.

Take the plunge, and see how you can infuse better identity strategy and enablement into your SaaS endeavors.
