Authentication and access issues surround SaaS

Don't believe 'no management' vendor hype, says Ephraim Schwartz

Of all the issues IT departments will deal with in 2007, from coping with regulatory compliance to building out SOAs, SaaS (software as a service) could quickly become the new focus. In fact, forget about SaaS vendors’ claims that the SaaS model eliminates the need for significant IT oversight, the opposite is actually closer to the truth.

As SaaS enters the mainstream, either by way of pure-play SaaS players such as Salesforce.com or by way of Microsoft, Oracle, or SAP offerings, one critical challenge must be addressed. And that challenge is access and how to manage it, says David Thomas, executive director of the Software and Information Industry Association (SIIA). Fortunately, Thomas says, companies are working behind closed doors to solve the problem. But as is often the case with closed doors, Thomas is not at liberty to talk about the projects or their progress.

I found that Aladdin Knowledge Systems is one of those companies working in stealth mode on SaaS access management. I spoke with Benny Shavi, director of business development at the Israeli-based company, about the challenges Aladdin and other companies are trying to solve to help make SaaS an enterprise-worthy alternative.

Suppose your company has a payroll of 5,000 or more employees divided into ten departments and each department uses between four and ten SaaS applications. IT is dealing with, at the low end, 40 hosting organisations to make sure every user can access SaaS apps at any time from anywhere on any device.

The question is: how will authorisation and authentication be handled when a new staffer comes on board or an employee is terminated? How do you know that a former employee has been removed from all those systems? How are the passwords managed? Add to this the fact that many SaaS applications are coming in through the back door, department by department, and it’s easy to see how managing SaaS access can quickly become a nightmare.

HASP (Hardware Against Software Piracy) ID, which Aladdin will make available in the first quarter of 2007, is a firmware token on a USB key fob or smart card with software built around it on the back-end. That software can be customised and linked to what Shavi calls Shadow Domain technology. This feature uses the same system as LDAP or Microsoft Active Directory, but it is standing in another domain, Shavi says.

“[Shadow Domain] allows you to do all enrolment and management of SaaS,” Shavi says. So, if you extend access rights to, say, an HR program, that change is updated in the Shadow Domain and is then replicated to, say, Active Directory. Without HASP’s firmware token, the user cannot access any SaaS application.

This kind of two-factor authentication is not perfect, but by having two components — something you know (the password) and something you have (the token) — security is enhanced.

All of the passwords can be aggregated into a single virtual password on the token. The token can store X.509 credentials, a PKI standard for authorisation and authentication, and Aladdin provides an SDK to create and extend any additional information. The files might be related to user information that is not necessarily stored on the server.

Just as the network-connected desktop gave rise to Microsoft, Oracle and SAP, vendors such as Aladdin give IT the tools to manage SaaS. The Webtop, as SIIA’s Thomas calls it, will be a fundamental game changer that will spawn new giants in the industry.

Join the newsletter!

Error: Please check your email address.

Tags SaaSmanagementauthentication

More about AladdinAladdin Knowledge SystemsMicrosoftOracleSalesforce.comSAP AustraliaSoftware and Information Industry Association

Show Comments
[]