“Hosters Need to Think about Identity as a Platform Play”

Cloud Security Blog (Jun 7 2010) IAM

Categories:

Cloud Security: Compliance, IAM
Trusted Cloud Initiative: Certification, Trusted Cloud

Entities Mentioned

Authors

MatthewTGrant

We asked Novell's Dale Olds to talk about the identity management marketplace and who, in the end is best positioned to handle identity in the SaaS space specifically. Here's what he told us. - Ed.
The pressure on SaaS vendors and others to address issues of identity is being driven by the fact that anyone can build a SaaS application and put it out there and then anyone in a corporation can whip out a credit card and sign up to use it.
Thanks to such incremental, department-level purchases, SaaS applications rapidly proliferate and create what has been referred to as “SaaS sprawl.” Eventually the business forces for the enterprises consuming these SaaS applications say, “We need some ability to control this,” and the controls they want are identity focused. So they begin asking SaaS vendors to support things like federated identity, compliance and audit reporting, and better authorization systems.
The problem is that the SaaS vendors want to focus on their content. They have a certain level of expertise and they want to write the simplest yet deepest, most valuable application in a particular niche. They don’t want to worry about the quirks of the SAML 2 protocol. (Not to mention the fact that holding user accounts and managing security for their clients is more of a liability than anything else.)
Now, we recently conducted a survey where we asked SaaS vendors who should implement these identity measures. A third said, “We should OEM it;” a third said, “We should handle it ourselves;” and a third said, “The hoster should provide it for us.”
In other words, about two thirds said they don’t want to do it themselves, and I would maintain the other third hasn’t tried it yet.
On the OEM front, the SaaS vendors could partner with someone to handle identity and security. While some of the larger SaaS players, like Salesforce and Google, wouldn’t want to say, “powered by Novell” - they’d want to say they manage this themselves - for a lot of the smaller SaaS vendors, it might be to their advantage to say, “We didn’t roll our own. Security protocols are hard. We went to a trusted name and got them to implement it for us.”
Nevertheless, I think the better idea is selling to the hosters to enable the SaaS applications platform-wise to manage identity. Not only would this solve a problem for the SaaS folks, it would solve a big problem the hosters have: stickiness.
You see, people can move an application from one host to another without much trouble. The hosters want to be able to hold on to relationships with specific SaaS customers and the idea of identity services is one of the stickiest things possible. Why? Because where people have their user accounts is a very sticky thing.
For proof-of-concept, you need look no further than Google. A while back people were asking, “What’s Google doing with all these email accounts? Why are they hosting email and not even advertising to people? How does that help?”
The answer was pretty simple: It gets them mission-critical identities. So now they’ve started to turn around and enable those accounts to be, via OpenID, an identity source that can automatically access the applications in their marketplace built on Google App Engine.
Which means that SaaS vendors writing apps on Google App Engine have identity management handled for them.
Google has realized that, as a platform play, identity is incredibly sticky and valuable. Salesforce has recognized the same thing and begun extending all the SAML 2 capabilities and account information of Salesforce to all the SaaS applications built on Forge.com.
Isn’t it time that other hosters got in the game?

Bookmark or Share this article

Related Articles
- Compliance as a Service: Does It Exist?
- also mentions Salesforce
- More Thoughts on Identity Management Cloud Vendors
- also categorized in IAM
- Cloud Computing [Security] Architectural Framework
- also categorized in IAM
- Novell and Red Hat: Taking Linux to the Cloud
- also categorized in IAM
- SPML Is On Life Support ….
- also categorized in IAM
- SaaS Provisioning: It's About the Connectors!
- also categorized in IAM
- Cloud security: Try these techniques now
- also categorized in IAM
- Cloud Security Alliance Research Report is Now Available
- also published in Cloud Security Blog
- How to fix cloud security
- also categorized in IAM
- Microsoft's Cloud Plan: What's In It For You?
- also mentions Google App Engine

Recent Comments

Reply Permalink

On 8/5/10 Steven Lord said:

"Though this article brings up some interesting points on SaaS vendors, the real point is the value a security based SaaS vendor can give beyond just Identity Management. When looking for a vendor, is there a strategic partnership play that can be made with multiple products that they offer? Products such as Role and Compliance, Log Management, Access control, etc. tie into Identity Management to help companies gain control of their users, Federated partners and their access into systems and data. A true cloud based security vendor should be able to offer a suite of these products that are managed from a central console. The cloud offers companies the opportunity to quickly gain access to these tools that they might otherwise have difficulty implementing themselves. It also allows IT to concentrate on business revenue generating products and offload these backend systems to a cloud vendor with the expertise.

Steve Lord
Solutions Architect
Acxiom Corporation
"

Login to comment.

This site is edited and moderated by Novell