Businesses are signing on to cloud-based Software as a Service (SaaS) Web apps to cut costs, but that can give rise to another problem — employees may have to sign on to multiple Web apps, and that could lead to security issues.
Employees may forget the passwords for some apps, for instance; or someone could hack into a Web application user’s account.
Okta, a recently launched San Francisco-based company led by former Salesforce.com executives, is offering an on-demand identity and access management service that may help resolve these problems.
“Over the last several years, companies have adopted several cloud- and Web-based applications,” Eric Berg, Okta’s vice president of products, told TechNewsWorld.
“We find they can be running anywhere between five and 25 different cloud and Web-based applications with siloed identity and access management support and non-centralized user management and reporting across the applications,” Berg added.
“Historically, single sign-on has been one of the most long-lasting problems in IT, going back to the beginning of the mainframe and now extending into the cloud,” Rob Enderle, principal analyst at the Enderle Group, pointed out.
The Okta Solution
Okta’s on-demand services have four key capabilities, Berg said.
These are single sign-on across cloud and Web apps for end users, centralized user provisioning and de-provisioning across cloud applications for IT teams, reporting and analytics across usage and activity for all an enterprise’s cloud and Web apps, and deep integration with Microsoft Active Directory so clients can federate on-premises directories with their cloud apps.
For single sign-on, it supports SAML (Security Assertion Markup Language) version 1.1 or 2.0, or any proprietary protocol a vendor has implemented, Berg said. Alternatively, it integrates its own Secure Web Authentication Technology.
“One password is required to log into Okta, and that can even be your Windows network password,” Berg remarked. “You can then access other applications which are just one click away.”
Okta makes it “very simple” for users to centrally administer apps that still require separate passwords, Berg stated.
Every session with Okta is secured over SSL. Customer data and each customer’s instance of Okta are secured at the application and database level, and the company’s data center is SAS 70 Type II compliant.
“We have specifically architected our service to prevent cross-site scripting, request forgery and SQL injections,” Berg said.
These are the three major types of attacks that plague Web-based apps.
In addition, Okta has a third-party security consultant run “regular” whitebox penetration tests on its service, Berg said.
Okta offers a catalog of pre-integrated business and consumer Web apps from companies such as ADP, Cisco, Citrix, Facebook, Google, LinkedIn and Salesforce.com.
The ability to de-provision users — cancel access to accounts for staff who are moving to other departments or leaving a company — is critical. Accounts that haven’t been de-provisioned are known as “orphan accounts,” and such accounts are a major threat to enterprise security.
Further, provisioning and de-provisioning user accounts is a labor-intensive task that is also usually time-sensitive, Greg Potter, a research analyst at In-Stat, told TechNewsWorld.
“Tools like Okta that automate these tasks not only reduce labor expenses but also cost less because fees for Software as a Service are based on the number of users,” Potter added.
At large enterprises, it’s almost impossible to provision and de-provision users manually, and major vendors such as CA have pushed into automating this task over the past few years.
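As an added illustration of the orphan-account problem described above (this is example code written for this page, not Okta’s or any vendor’s implementation), the script below reconciles a constructed HR roster against constructed per-application account lists. It flags accounts whose owner is unknown or has left (the classic orphan account), accounts whose owner moved to another department, and accounts that have not been used within a configurable window, then produces the list that should be disabled immediately. All names, dates and applications are made up for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data for this example (not taken from the article).
# The HR roster is the system of record for who should have access.
HR_ROSTER = {
    "alice": {"status": "active", "department": "sales"},
    "bob":   {"status": "terminated", "department": "sales"},
    "carol": {"status": "active", "department": "finance"},
    "dave":  {"status": "active", "department": "engineering"},  # moved out of sales
}


@dataclass(frozen=True)
class AppAccount:
    app: str          # cloud application the account lives in
    username: str     # login name inside that application
    owner: str        # employee id the account is mapped to ("" if unmapped)
    last_login: date  # last successful sign-in reported by the application
    department: str   # department the account was provisioned for


# Constructed export of accounts from several cloud apps.
APP_ACCOUNTS = [
    AppAccount("crm",     "alice@example.com", "alice", date(2024, 5, 20), "sales"),
    AppAccount("crm",     "bob@example.com",   "bob",   date(2024, 2, 27), "sales"),
    AppAccount("crm",     "dave@example.com",  "dave",  date(2023, 11, 2), "sales"),
    AppAccount("payroll", "carol@example.com", "carol", date(2024, 5, 21), "finance"),
    AppAccount("payroll", "contractor7",       "",      date(2023, 9, 1),  "finance"),
    AppAccount("wiki",    "alice.w",           "alice", date(2023, 12, 1), "sales"),
]

# Fixed "today" so the example is reproducible.
EXAMPLE_TODAY = date(2024, 6, 1)


@dataclass(frozen=True)
class Finding:
    app: str
    username: str
    reason: str


def find_orphan_accounts(roster, accounts, today, stale_days=90):
    """Return accounts that should be de-provisioned or reviewed, with a reason.

    Checks are applied in order of severity, one reason per account:
      1. no owner mapped, or owner missing from the roster -> "unknown owner"
      2. owner's HR status is not "active"                  -> "leaver"
      3. owner now sits in a different department than the
         one the account was provisioned for               -> "mover"
      4. no sign-in for more than stale_days                -> "stale"
    """
    findings = []
    cutoff = today - timedelta(days=stale_days)
    for acct in accounts:
        person = roster.get(acct.owner) if acct.owner else None
        if person is None:
            findings.append(Finding(acct.app, acct.username, "unknown owner"))
        elif person["status"] != "active":
            findings.append(Finding(acct.app, acct.username, "leaver"))
        elif person["department"] != acct.department:
            findings.append(Finding(acct.app, acct.username, "mover"))
        elif acct.last_login < cutoff:
            findings.append(Finding(acct.app, acct.username, "stale"))
    return findings


def deprovisioning_list(findings):
    """Accounts to disable right away: leavers and accounts nobody owns.
    Movers and stale accounts go to a manager review instead."""
    return sorted((f.app, f.username) for f in findings
                  if f.reason in ("unknown owner", "leaver"))


if __name__ == "__main__":
    results = find_orphan_accounts(HR_ROSTER, APP_ACCOUNTS, EXAMPLE_TODAY)
    for f in results:
        print(f"{f.app:8} {f.username:20} {f.reason}")
    print("disable now:", deprovisioning_list(results))
```

In practice the roster would come from the HR system and the account lists from each application’s user export or API; the value of the reconciliation is that it runs on a schedule rather than depending on someone remembering to revoke access when a person leaves or changes role.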
“Password management is definitely a real IT issue,” Potter said. “However, Okta isn’t the only solution to this problem.”
Many enterprises use Microsoft Active Directory services to manage authorization and authentication, Potter pointed out. There are also simple password-saving programs such as LastPass to manage passwords, but these “do not do anything to manage cloud services,” he added.
Some cloud service providers offer LDAP (Lightweight Directory Access Protocol) and Active Directory integration tools, as Google does for Google Apps customers, Potter said.
The service “helps keep unauthorized use down,” Enderle told TechNewsWorld. “It also helps track overall usage and thus can be used to identify applications that aren’t used enough as well as help justify updates to heavily used applications.” Further, Okta’s service may help improve productivity by making it easier to sign on to Web apps, reducing the aggravation engendered by lost passwords.
Other Benefits of Single Sign-On
Businesses can purchase single sign-on applications from security companies, Charles King, principal analyst at Pund-IT, pointed out. However, these are implemented across the enterprise, and integrating them can require considerable effort and expense.
“Rather than providing an overarching solution that can be, and typically is, applied across an entire business organization, Okta is taking an application-centric view of the issue,” King told TechNewsWorld.
“So, rather than delivering up a larger single sign-on service that would then have to be integrated, and that in some cases requires considerable effort, this solution delivers the security capabilities based on the application itself,” King continued.
Okta may be latching on to a good thing — In-Stat says spending on SaaS will increase 112 percent between 2010 and 2014.
“Okta might succeed in the larger sizes of businesses, which use three or more cloud-based applications,” In-Stat’s Potter said. “If a firm only uses Salesforce.com and Google Apps, its service seems like a bit of overkill.”