Managing SaaS Accounts in an Organization
by Mark Miraglia | January 4th, 2016
Systems Administrators have it tough. Go up and shout it from the rooftops: SYSTEMS ADMINISTRATORS HAVE IT TOUGH!!! When they’re not making sure that your network isn’t compromised and that “Stu in the warehouse” can connect to the label printer, they’re usually managing a massive pool of users that require carefully managed permissions to access file locations, applications and services.
At PINT, our SysAdmin team has come up with a solution that assists in keeping our network secure and lets them continue to do the rest of the things we have all come to rely on them to do everyday.
Managing SaaS Accounts: Solutions
Enterprise SaaS (Software as a Service) use has grown common across many industries in recent years. The use of SaaS products has increased as cloud hosting platforms have made application delivery scalable, and client side complexity has decreased user wait time and network traffic burden. The result? We all rely on quick, dynamic applications used across many more devices and platforms. Big SaaS winners with which readers might be familiar include:
- Google Apps
Additionally, the list of arguments in favor of SaaS adoption are almost as long as the number of SaaS apps on the market:
- Application services are in constant competition with each other to provide better, more efficient tools (to the benefit of the enterprise consumer)
- Workers are able to access their application suite from within and without the office, and
- Hefty license fees are often eschewed in favor of more manageable, portable subscription fees.
However, this explosion in SaaS use is not without its demerits. The frequent argument against non-locally hosted SaaS is that organizations lose control of proprietary content and data (which is valid and worth consideration), but today we’re focusing on a lesser-considered issue to wholesale, enterprise adoption: user management.
Passwords and People
Permission management across enterprise networks is usually accomplished through Active Directory or by traditional UNIX/Linux permission groups. It is a complex management process that balances the security demands of the company with the user needs of its employees. On top of the technical demands, many companies have lax standards for permission requests, and SysAdmins are often asked to “make it work” when an executive requires VPN access on their business trip or a client “needs” insecure transfer protocol access to dump a bunch of files onto the network. This is the stuff of SysAdmin nightmares, but they are also issues that SaaS adoption solves in one fell swoop.
“People want the apps they want, and woe unto the Ops team that tries to deny them their
There is however, a tradeoff. When you have users logging into SaaS applications from the insecure wifi network at the coffee shop with credentials based on their kids’ birthdays or the old “admin/password” combo, how can your company possibly trust that its information is secure? Once a packet-sniffing hacker or disgruntled former employee decides to wreak havoc across a suite of applications, a lot can be compromised before your organization discovers the breach.
Individual Password Managers
Naturally, the market has responded with options to mitigate this risk, the first of which is the adoption of enterprise password management tools. Readers may be familiar with the popular consumer options LastPass and the newer Dashlane, but there are a multitude of similarly-oriented products that cater to enterprise needs (both LastPass and Dashline offer commercial applications, as well). The common structure of the consumer-grade tool is a locally-run software application into which the user logs with a strong, master password.
The application then generates and encrypts any passwords required by the user, and works with a browser plugin (LastPass even accommodates some of the more esoteric browsers) to authenticate to any site or service using these encrypted credentials. Thus, the user never actually knows what the creds are, and the only possible security holes are the local device and the master password…both of which are required to defeat the system.
Premium consumer and enterprise versions of password management services offer many additional features including:
- Multi-factor authentication
- Multiple user management
- Automation of frequent changes
- Security compliance features
All of these are extremely important to SysAdmins/IT, and enable efficient onboarding and offboarding of users. The insecure network access issue is solved by multi-factor auth, and user access is centrally-controlled by the IT team.
Many of the enterprise services also offer integration with Active Directory, and domain-authenticated users then have access to password groups specified by IT. The drawback to this system is that it relies on local encryption, and is therefore tied to a device. This introduces concerns of OS/browser compatibility and other device-related issues. While Password Managers solve many of the concerns raised by insecure passwords and multiple users, it’s clear that a more elegant, universal solution is needed to establish user identity across the web.
Single Sign On
Another group of services seeks to meet the same need from a different direction: Single Sign On. Consumers will be familiar with SSO services. Have you ever accessed a SaaS account or comment section of a website by using your Google, Facebook or Twitter credentials? Then you’ve used SSO.
To the end user this may appear seamless, but the process involves these Identity Providers acting as sources of truth rather than asking for a password. Instead, your SaaS app sends a request to Google/Facebook/Twitter (or uses your browser’s logged-in state) to verify your identity before letting you in. Boom: passwords eliminated.
All of this is increasingly possible due to widespread implementation of SAML and a network of Identity Providers (Google, etc.) in which SaaS providers place trust. In all likelihood this, coupled with oAuth API integrations, is the direction that identity establishment on the web is headed. The big players (Oracle, Microsoft, etc) offer integrated SSO solutions and there are a variety of smaller solutions out there.
PINT’s SysAdmin team opted for the latter (SSO) option. They set up an enterprise-oriented solution (Bitium) that integrates with Active Directory and provides an administrative layer over one of the major Identity Providers, which then serves as the source of truth for SSO. They are able to manage permission groups through AD, sync those with the SSO solution, and implement SSO on the web through the Identity Provider in question.
Here’s what happened:
- It was complex
- The transition was something of a paradigm shift for those users accustomed to managing their own SaaS accounts
- The end result was well worth it from a team and security management perspective
On and off-boarding pain points have been instantly numbed or excised altogether, and removing the proliferation of shared passwords has increased confidence that sensitive materials aren’t accessible throughout the organization.
Additionally, Bitium’s easy-to-use interface allows users to add apps as they need them. This gives PINT’s IT team ongoing insight into what SaaS applications are in use. They are able to monitor usage, compare services and budget for the future, eliminating the “shadow IT” SaaS applications can quickly evolve into if left unchecked.
This system puts a measure of control in the user’s hands by allowing them to self-select their applications (pending approval, of course) while retaining ultimate control over access at the appropriate Systems level.
SaaS Account Management: Worth the Effort
The convenience of SaaS applications is here to stay and reactionary rejection of web-based platforms is the equivalent of burying one’s head in the sand. Hopefully the rise of enterprise-focused Password Management and SSO will convince even larger organizations to face their security fears and adapt to and adopt the growing SaaS ecosystems to the benefit of their employees. For PINT’s part, this shift has meant ease of access and more productivity in and out of the office, and we can remain confident in the security of our systems and information.