SaaS - Implications for Enterprise Infrastructures
IT Complexity and Cost: a driver to SaaS?
[Chart: IT Budgets]
Enterprise Infrastructure Architecture Principle
• I.T. should be seamless to users and the business
• Infrastructure
• Applications
• Access
• Helpdesk
• Physical Location
Comparing sourcing models
[Chart: axes Shared Resources vs. Flexibility; models plotted: In-house Application, Outsourced Application, ASP, SaaS]
Comparing Outsourcing & SaaS
[Comparison table]
* Provider may negotiate an individual contract/SLA for large enterprises, but this is not the normal model
SaaS: Replacing Challenges
[Diagram: responsibilities split between You and the SaaS Provider]
• Integration
  • Identity Management
  • Data
  • Operations
  • Security
• Contract Management
  • SLAs
  • Compliance
• Service Delivery
  • Service Level Management
  • Capacity Management
  • Availability Management
  • IT Continuity Management
  • Financial Management
• Service Support
  • Helpdesk
  • Training
Why should you care?
• Some people may be after your head
[Speech bubbles from the CSO, Helpdesk, Sales Team and "Lawyers 'R Us": "What about our privacy policies: customer and partner data?", "Um, what CRM application?", "Another username & password!", "Where is the training?", "I can't access the CRM application!", "Are we still in compliance with regulations?"]
We are responsible for
• Integration
  • Users: another username, training?
  • Helpdesk: another application, where is 2nd line, what about password resets?
• Contractual
  • Lawyers: regulatory compliance
  • Data ownership
Integration
• Infrastructure Integration
• Identity Management
• Data
• Operations
• Security
Integration
• Infrastructure Integration
• Identity Management
  • Identity and Access Management
  • Role based access control
• Data
• Operations
• Compliance
Why integrate identity management?
• Costs
  • Password resets: cost $23 each*; account for up to 30% of helpdesk calls*
  • Account provisioning / de-provisioning
• Security
  • Forgetting to de-provision user accounts or to reflect job changes
• Architectural Principle
  • Move away from "IT getting in the way of business"
*Gartner figures
Identity Integration Options: Active Directory Trust
Good:
• Widely adopted
• Trusts well understood
• No need for password sync
• Single Sign-On possible
• Operates in real time
Bad:
• Proprietary: requires AD in both organisations
• Trust is broad: not constrained to certain users
• Multiple ports need to be opened on the firewall
• SaaS provider needs to manage multiple AD trusts
• Authorisation in the SaaS application is still a problem
Identity Integration Options: Meta directory (e.g. Microsoft Identity Integration Server)
Good:
• Extremely flexible (constrained trust)
• Password sync may be possible
• Scheduled replication
• SSO possible, but unlikely
Bad:
• You need to buy a metadirectory product €€ (the SaaS provider does not)
• May need integration code at the SaaS provider
• Metadirectory rules are complex and may break if you make changes to your internal directory service
Identity Integration Options: Federation (e.g. Active Directory Federation Services / ADFS)
Good:
• Standards-based (WS-Federation)
• Operates in real time
• ADFS is part of Win2K3 R2 EE: no additional license
• Extremely flexible: constrained trust and more
• Loosely coupled: allows changes to be made to source and destination directories independently
• Doesn't require "identity" in the SaaS application
Bad:
• Not widely adopted yet
• Relatively new technology
Active Directory Federation Services: projects AD identities to other security realms
[Diagram: You (Private Namespace, Federation Server) exchanging claims with the SaaS Provider (Tenant Namespace(s), Federation Server)]
• Internal identity in the private namespace: User: Fred, Job: Sales, Employee: 166798, Manager: BobM, Office: Oslo
• Claims presented to the tenant namespace: User: Fred, Office: Oslo, Subscriber: Yes, Based in Oslo: Yes
• Result: Access Granted
Role Based Access Control (RBAC)
[Diagram, built up over three slides: Michal (Sales Dept) holds the Sales Role, which maps to permissions in Portal, Document Mgmt and CRM, and then in the SaaS application]
• Author on Account Activity pages (Portal)
• Owner for Sales Order Processing documents (Document Mgmt)
• Manager for Eastern Europe sales teams (CRM)
• Reader on Sales Order Processing pipeline (SaaS)
Role Based Access Control (RBAC)
• RBAC + Federation approach
• Configure Federation to transform group claims for the SaaS Application
[Diagram: AD group membership "Sales Managers North East Region" is transformed by federation into a cookie carrying Group: Managers, Region: NE; the SaaS Application's authorisation step maps that to User Group: Org1 Managers, Database: Org1 North East]
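The two federation slides above (Fred's projected identity, and the Sales Managers group claim becoming an application role) as one worked illustration. This is an added example, not code from the deck, ADFS or Microsoft, and not a real claim-rule syntax; the identity values, rule tables and tenant name Org1 are constructed to match the slides.

```python
from typing import Optional

# Constructed sample: what the enterprise's private namespace holds about Fred.
INTERNAL_IDENTITY = {
    "user": "Fred", "job": "Sales", "employee": "166798",
    "manager": "BobM", "office": "Oslo",
    "groups": ["Sales Managers North East Region"],
}

# Hypothetical federation rules: only these outgoing claims leave the private
# namespace. Job, employee number and manager are never sent to the tenant.
SUBSCRIBER_OFFICES = {"Oslo"}

def project_identity(identity: dict) -> dict:
    """Project an internal identity to the minimal claim set for the tenant namespace."""
    office = identity["office"]
    return {
        "User": identity["user"],
        "Office": office,
        "Subscriber": office in SUBSCRIBER_OFFICES,
        "BasedInOslo": office == "Oslo",
    }

def access_granted(claims: dict) -> bool:
    """Provider-side check from the slide: must be a subscriber and based in Oslo."""
    return bool(claims.get("Subscriber")) and bool(claims.get("BasedInOslo"))

# Hypothetical group-claim transformation: the AD group name itself is not
# exposed; it is rewritten to the coarse Group/Region claims the SaaS app uses.
GROUP_RULES = {
    "Sales Managers North East Region": {"Group": "Managers", "Region": "NE"},
}

def transform_group_claims(identity: dict) -> dict:
    claims: dict = {}
    for group in identity["groups"]:
        claims.update(GROUP_RULES.get(group, {}))  # unmapped groups emit nothing
    return claims

REGION_NAMES = {"NE": "North East"}

def authorise(claims: dict, tenant: str = "Org1") -> Optional[dict]:
    """SaaS-side authorisation: map inbound claims to an app user group and database."""
    if "Group" not in claims or "Region" not in claims:
        return None  # a missing claim means no access, never a default role
    region = REGION_NAMES.get(claims["Region"])
    if region is None:
        return None
    return {"UserGroup": f"{tenant} {claims['Group']}",
            "Database": f"{tenant} {region}"}
```

The point to carry into a real federation setup: the tenant sees only the claims the rules emit, and the application grants nothing when an expected claim is absent.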
Alternative to Role Based Access Control
• Implemented only in the SaaS Application
• Another (external) application in which you need to perform admin
• Does the business get delegated admin of users inside the SaaS app?
• How do they include enterprise users in the SaaS app, as Federation won't necessarily reveal users to the SaaS app?
Data Integration
• LoB apps are typically islands, but need to share data
• EAI
  • Do you have another application which needs this data? (CRM & Accounting)
  • Is the data used in a workflow?
• ETL
  • Do you want to do data mining in house? (CRM)
  • How do you get the data into the "Universal Business Management Tool" (Excel)?
Operations
• How are helpdesk going to treat the SaaS App?
  • Not involved at all? Then how do you measure quality?
  • Ideally add the SaaS Vendor as a 2nd line in the Trouble Ticketing system
• Trending/metrics for decision support:
  • Is user training needed?
  • Bugs/poor performance or availability: challenge the SaaS provider
  • Helps with SLA measurement
• "Light weight" integration with the enterprise monitoring system
  • Helpdesk know of a problem before your users
Security / Compliance
• Are you subject to regulations? These extend to the SaaS Provider
  • Industry regulations: SoX, ECB, BASEL II, EMV
  • Data Protection: EU & USA incompatible
• Common Criteria to at least EAL 3 on all layers of the SaaS stack: network, OS, application, database etc.
SaaS Infrastructure Integration Checklist (SiiC)
• Define and implement an Identity Management strategy
• Obtain skills in Federation technology and products
• Create an architecture for operations and data integration which supports SaaS Applications
• Doing it one by one = quick path to chaos
We (IT) are responsible for
• Contractual
• Operations, operations, operations
• Data ownership
Operations, operations, operations
• Does the provider follow formal operations frameworks?
• Security accreditations?
• User training?
• Ability to turn functionality on/off?
• Can you define when upgrades occur?
Operations, operations, operations
• Impact on business continuity
  • Can you make brick-level restores?
  • Is there a charge for this?
  • What Disaster Recovery or Business Continuity level do they offer?
Data ownership & Compliance
• What is "data"?
• Do you have any internal policies about customer data?
• Microsoft policy for Personally Identifiable Information (PII) = no vendor has access to PII without adopting our policy (legal agreement)
Summary
• Consuming SaaS in the Enterprise = Integration
  • Infrastructure
  • Operations
• SaaS has similar challenges to outsourcing
  • Contracts
  • SLAs
• Multiple SaaS applications introduce a new set of complexities we need to address
SaaS "Keep My Job" Checklist
• Identity Integration
• RBAC
• Operations Integration
• Security Accreditations
• Contractual SLAs
• Data Ownership
• WS Data Access
[Chart: pain/effort of each checklist item, from Data Ownership upwards, for a LoB Application vs. a Tactical Application]
Conclusion
• Enterprise LoB Applications delivered as SaaS
  • Paradigm not yet mature
  • SaaS Providers
  • Technology
• Software plus Services
  • Established technology patterns: Windows Update, Hosted Email, Spam filtering..
  • Established business model: Reuters, Bloomberg, Antivirus..