Part of my role at Ping Identity is to manage our partnerships with GoogleApps and Salesforce.com. In seeing the Identity requirements that enterprise IT shops are putting on those two SaaS leaders, it is clear that the line between On Demand applications and On Premise applications is blurring, and that a hybrid model is emerging whose goal is to integrate Software as a Service applications and functionality more closely into enterprise IT infrastructure. As SaaS vendors and their customers sort through the security implications of this hybrid On Demand/On Premise model for cloud applications, they face a number of very interesting Identity Management challenges.
The typical large enterprise IT shop has relatively mature production implementations of standard Identity Management functionality such as user authentication, single sign-on, user management, provisioning/de-provisioning, and audit. Because these implementations were designed and deployed to support users accessing applications running inside the enterprise, they often do not transition well to a model that calls for users to access applications (such as Salesforce.com and GoogleApps) hosted outside the corporate firewall. The result is that an IT shop that has deployed an effective common model for identity management within the enterprise sees that common model break down when requirements call for integration with On Demand applications. This breakdown takes the form of proliferating On Demand username and password accounts for users, manual processes for provisioning and de-provisioning users to On Demand applications, limited audit visibility across On Demand applications, and constraints on data integration between external and internal applications.
One approach to these challenges is to move some Identity Management functionality to an On Demand model. Vendors such as Covisint, Conformity, TriCipher and now Ping Identity (through our acquisition of the Sxip Access hosted service) offer some aspect of Identity functionality through a hosted service. These services sit between a company and an On Demand vendor and broker Identity transactions such as authentication and user management. The value of a hosted service is that it aggregates connections between companies and their SaaS vendors, which diminishes the administrative hassle of managing many-to-many relationships on both sides. The limitation of a pure On Demand Identity, or Identity as a Service (IDAS), model is deep integration. As mentioned above, Enterprise IT is looking for SaaS applications to be woven into its internal infrastructure in a hybrid On Demand/On Premise architecture. Integrating an On Demand application requires user information to flow from the enterprise environment to the On Demand application and back. Because an IDAS does not provide software that runs inside the enterprise, this level of seamless integration is often out of scope for an IDAS Identity broker.
Another approach to addressing the enterprise Identity challenges of On Demand applications is to deploy technology inside the firewall that makes Identity information exportable. This is the business Ping Identity is in. We provide standards-based technology that gives the enterprise a portable identity capability. Many of our customers use our technology to pass identity information to Salesforce.com and GoogleApps for things like enabling single sign-on, so users do not have to use a separate username and password account for those services. Going forward, the same technology and standards can be used to enable and secure deep integration with On Demand services. In addition, this basic portable Identity capability allows an enterprise to more easily leverage On Demand Identity services.
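To make the "portable identity" exchange concrete, here is an added illustration (not Ping Identity's product code, nor any vendor's API) of what an enterprise identity provider hands to a SaaS service provider for single sign-on, and the checks the receiving side must perform before trusting it. The entity names, attribute names and the shared HMAC key are constructed for the example; an assumption worth stating is that a real federation protocol uses public-key digital signatures over XML or JSON rather than a shared secret, but the validation logic (signature, trusted issuer, audience, validity window, one-time assertion ID) is the same.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-in for the signing key the enterprise IdP and the SaaS
# SP would establish out of band (assumption: real deployments sign with a
# private key and verify with the IdP's published certificate).
SHARED_KEY = b"example-federation-key-do-not-reuse"
ASSERTION_TTL_SECONDS = 300       # assertions are short-lived by design
CLOCK_SKEW_SECONDS = 60           # tolerance between IdP and SP clocks


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the encoded claims, base64url-encoded."""
    mac = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_assertion(subject, issuer, audience, attributes, now=None):
    """IdP side: bind the user, issuer, intended SP and expiry into one signed token."""
    now = time.time() if now is None else now
    claims = {
        "id": secrets.token_hex(16),      # unique per assertion, enables replay detection
        "sub": subject,                   # the enterprise user identity being exported
        "iss": issuer,                    # who vouches for it
        "aud": audience,                  # which SP may consume it
        "iat": now,
        "exp": now + ASSERTION_TTL_SECONDS,
        "attrs": attributes,              # e.g. role/group data the SP needs
    }
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    return payload + "." + _sign(payload.encode())


class ServiceProvider:
    """SP side: accept an assertion only after every trust check passes."""

    def __init__(self, entity_id, trusted_issuers):
        self.entity_id = entity_id
        self.trusted_issuers = set(trusted_issuers)
        self.seen_ids = set()   # assertion IDs already consumed (replay cache)

    def validate(self, assertion, now=None):
        """Return (claims, 'ok') on success or (None, reason) on rejection."""
        now = time.time() if now is None else now
        try:
            payload, sig = assertion.split(".", 1)
        except ValueError:
            return None, "malformed"
        # Verify integrity/origin first; nothing in the payload is trusted before this.
        if not hmac.compare_digest(sig, _sign(payload.encode())):
            return None, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if claims["iss"] not in self.trusted_issuers:
            return None, "untrusted issuer"
        if claims["aud"] != self.entity_id:      # token minted for a different SP
            return None, "wrong audience"
        if not (claims["iat"] - CLOCK_SKEW_SECONDS <= now < claims["exp"]):
            return None, "expired or not yet valid"
        if claims["id"] in self.seen_ids:        # same assertion presented twice
            return None, "replayed"
        self.seen_ids.add(claims["id"])
        return claims, "ok"


if __name__ == "__main__":
    sp = ServiceProvider("https://saas.example.com/sp", ["https://idp.corp.example"])
    token = issue_assertion("alice@corp.example", "https://idp.corp.example",
                            "https://saas.example.com/sp", {"role": "sales"})
    print(sp.validate(token))          # first use: ok
    print(sp.validate(token))          # second use: rejected as replayed
```

The audience and issuer checks are what keep an assertion minted for one SaaS vendor from being accepted by another, and the replay cache plus short validity window limit the damage if an assertion is captured in transit; these are the properties an enterprise should verify its SaaS vendors enforce when wiring up single sign-on.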
Salesforce.com famously promotes its service with the slogan “No Software”, the idea being that line-of-business users of Salesforce.com can get all the value they need from the application through a web browser without having to engage their corporate IT department to install complicated software behind the firewall. As Salesforce.com matures as a vendor and as its customer base expands to include large enterprise deployments, the “No Software” religion is under pressure to move to a more flexible model where enterprise IT applications are tied directly into Salesforce.com to provide single sign-on, integrate with intranet portals, and exchange application and reporting data. This hybrid model will become the norm as large enterprises shift some of their applications to the cloud but continue to leverage past investments in internal infrastructure. It is increasingly obvious that the Identity roadmap for the cloud points toward a hybrid model as well, one where large enterprises have the capability to make their user identities portable and pass Identity information back and forth with their cloud-based vendors in a secure and seamless manner.