Aside from pricey legacy identity and access management vendors like Oracle, Novell and CA, a new breed of SaaS products has popped up in recent years to help organizations better integrate mobile endpoints and SaaS apps into their environments through single sign-on. This movement is turning "a once-boring enterprise niche into something sexy," said Gregg Kreizman, an identity access management analyst at Gartner, Inc., a Stamford, Conn.-based research firm.
As is often the case with enterprise technology, both types of identity management vendors -- which exist to serve distinct market needs -- have started offering similar feature sets as one another to provide customers a full range of governance, provisioning and de-provisioning, group policy, and single sign-on access.
The goal of many of these newer identity vendors is to integrate with Active Directory in the short term and help companies transition off it over the long-term by offering AD-like functionality within the feature set, said Thomas Pedersen, cofounder of OneLogin Inc., a cloud identity startup headquartered in San Francisco.
OneLogin began in 2010 after a group of employees from Zendesk, a customer service software vendor, had conversations with Sun Microsystems about its on-premises identity and access management (IAM) product. It was costing the company approximately $100 per user per month and didn't adequately handle Software as a Service (SaaS) apps and mobile access.
"It was a complete disconnect from what we needed and what they were providing," Pedersen said, who figured there must be other companies out there with the same shifting IAM needs.
OneLogin's enterprise offering costs $5 per user per month, and includes typical cloud-based IAM features such as directory integration, support for unlimited Software as a Service (SaaS) apps, desktop sign-on and legacy application connectors, VPN integration and auditing controls. The company competes with vendors such as Okta, Ping Identity and Symplified.
However, OneLogin aims to differentiate itself from its competition with new features such as password vaulting for managing non-Security Assertion Markup Language (SAML)-enabled applications (which is pretty much every legacy Windows application); single login and password setup for applications shared among employees; and federated search capabilities across cloud applications. Those features are especially important for shops that use a lot of cloud apps.
Pandora Internet Radio, a streaming music service based in Oakland, Calif., uses approximately 80 cloud applications, and its application ecosystem grows all the time, said Richard Rothschild, VP of enterprise information services. Pandora relies on cloud applications like Salesforce.com for customer relationship management (CRM), human resources and financial applications, Box for storage, and plenty of others.
The IT department at Pandora coordinates with the business team to find and vet cloud applications to help limit application sprawl, and relies on OneLogin for IAM, a switch after it initially selected Okta.
"We want to use the best app for the company, but it gets complicated pretty fast," Rothschild said.
Complexity is a small price to pay, however. The upside of being a 100% SaaS environment is it's easier to swap applications in and out to find the best one, he said. And, Pandora's IT department needs only nine employees to manage its entire infrastructure. Rothschild estimates the company spends approximately one-third of the cost of offering the same services via an on-premises deployment.
Active Directory: Never say die, despite SaaS dominance
Pandora still uses Active Directory as its central employee directory because it's still the best tool for onboarding, offboarding and managing employee profiles. Similarly, ServiceSource, a service revenue performance company based in San Francisco, still uses Active Directory as well, but it's merely an afterthought, said Amrith Nambiar, ServiceSource's director of business applications.
ServiceSource is transitioning between an on-premises Windows applications and a SaaS applications environment. It uses Workday as its central directory, which then sets up a profile in Okta, which then automatically provisions employees into Active Directory. Okta then provides identity and access controls for IT and a single sign-on workspace for ServiceSource's 2,600 worldwide employees.
"When you talk about identity management, there are so many variables caused by business applications, proliferation of our own products, legacy applications and temporary contract workers," Nambiar said. "How do you tie them all together in a seamless and efficient way? That's the problem we're having."
ServiceSource is in the third of four stages of its Okta deployment, which began in 2012 as a way to ensure Sarbanes-Oxley (SOX) compliance. The first stage was adding basic single sign-on for SaaS apps; the second phase was migrating off Active Directory by making Workday the company's central directory; and the third phase was building automation between Workday and Okta for provisioning and de-provisioning employees. The final push will be to set up more granular profiles so employees will automatically have certain apps provisioned for them upon being hired or transferring to a new department, for example.
The goal is to have an identity system to give employees the ease of use to work on any device from wherever they want without sacrificing the security and control that SOX compliance requires.
"I had a business analyst who spent two or three hours a day checking cloud apps against our AD to disable access to them," said Nambiar. "Now it's a nonissue. Access to those apps is disabled at the push of a button."
Big public companies can't ditch their investment in Active Directory because of the legacy stuff, Nambiar said, but anyone starting a company today could live without it by relying on SaaS apps combined with a modern IAM product.
"We don't have a problem with shadow IT and even managing mobile devices and remote access is a nonissue for us," he said.
Let us know what you think. Write to us at firstname.lastname@example.org
This was first published in April 2013