Wednesday, August 29, 2012

User and access management in Cloud applications – a challenge

It appears that ‘the cloud’ continues to expand within the commercial world. Google Apps, Salesforce.com, GoToMeeting, Office 365, itslearning, etc. are all being widely deployed. Controlling who has access to specific applications and the corresponding data is even more complicated with cloud applications. Providers of cloud solutions give little priority to developing better management of user accounts and access rights in their applications. Consequently, user and access management in cloud applications presents a number of challenges:
  1. Federation is not a replacement for provisioning - Working with cloud applications means more authentication sources: Active Directory in one’s own corporate network, plus one or more authentication sources in the cloud, for example AD, an LDAP directory or a database. There are only a few options for synchronizing user accounts between the two authentication sources (such as Active Directory Federation Services from Microsoft and the SAML standard). In this manner, end users can log in transparently to the cloud applications. However, federation is not a replacement for provisioning and basic user account management.
  2. Too many manual actions - Providers who do not support federation frequently offer a web-based management interface that managers can use to control access to the cloud application directly. This necessitates a sequence of manual operations and is time-consuming and error-prone. Even when it is possible to import a basic CSV file into the cloud application, this still requires manual intervention by the application manager.
  3. Different conventions for naming and passwords - Conventions governing naming standards and passwords are often inconsistent between the network and cloud applications. In the network, a user ID might be based on the log-in name, and in the cloud it might be the e-mail address. This complicates exchanging user account details between the environments, and differences often also apply to password conventions. When extremely complex passwords are required in the corporate network, cloud applications might not be able to handle this type of password. The cloud application may also require a different password expiration period than the corporate network does.
  4. Missing organizational structure - The reporting hierarchy within an organization is often used to assign authorizations to employees based on their role or position, commonly referred to as Role Based Access Control (RBAC). Within the corporate network this structure is held in an HR system or in Active Directory. Cloud applications normally cannot translate this organizational structure, and the web-based provisioning functionality they offer does not provide a robust method for incorporating this level of detail. Naturally, it is possible to transfer the entire organizational structure to the cloud application, but this requires an enormous volume of management activity whenever something in the hierarchy changes.
  5. What if the connection drops? - Providers who offer links between the network and cloud applications often use event-based synchronization between the systems. However, they have no procedure in place to deal with a temporary drop in the connection. Cloud applications provide no guarantee or notification that synchronization completed successfully.
  6. Rejected bulk actions - Performing bulk actions in cloud applications is occasionally rejected by the application. Some cloud applications impose restrictions on the number of actions that can be carried out in one pass, or require that no management activities be undertaken during working hours, to prevent overloads on their network.
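To make challenges 3 to 6 concrete, here is an added example (not Tools4ever's or UMRA's code) of a reconciliation-style provisioning pass: it maps the AD login name to the cloud identity (e-mail address), derives the cloud role from the HR department and job title, stays under an assumed per-pass bulk limit, and reads every change back so a dropped connection leaves work pending instead of silently lost. The role map, the bulk limit, the `CloudDirectory` stand-in and all sample records are constructed for the example.

```python
# Added example (not Tools4ever code): reconciliation-style provisioning pass. Login name ->
# cloud identity (e-mail), HR dept/title -> cloud role, at most MAX_ACTIONS_PER_PASS changes
# per run, each read back so a dropped connection is detected. All records are constructed.
from dataclasses import dataclass, field

ROLE_MAP = {("Sales", "Manager"): "sales_admin", ("Sales", "Rep"): "sales_user"}
MAX_ACTIONS_PER_PASS = 2  # assumed bulk limit imposed by the cloud application

@dataclass
class CloudDirectory:
    """Stand-in for the cloud user API; when fail_after > 0, later calls raise."""
    users: dict = field(default_factory=dict)
    fail_after: int = 0
    calls: int = 0
    def upsert(self, email, role, enabled):
        self.calls += 1
        if self.fail_after and self.calls > self.fail_after:
            raise ConnectionError("link to cloud application dropped")
        self.users[email] = {"role": role, "enabled": enabled}

def desired_state(ad_accounts, hr_records):
    """Target cloud state keyed by lower-cased e-mail, role derived from HR."""
    wanted = {}
    for sam, mail, enabled in ad_accounts:
        role = ROLE_MAP.get(hr_records.get(sam))
        if role is None:
            continue  # no HR record or unmapped position: never provision by guesswork
        wanted[mail.lower()] = {"role": role, "enabled": enabled}
    return wanted

def reconcile(cloud, wanted):
    """Apply differences within the bulk limit and verify each by read-back.
    Returns (applied, pending); a scheduler reruns until pending is empty."""
    diffs = [(m, s) for m, s in wanted.items() if cloud.users.get(m) != s]
    applied, pending = [], []
    for i, (mail, state) in enumerate(diffs):
        if i >= MAX_ACTIONS_PER_PASS:
            pending.append(mail)  # defer rather than trigger the provider's bulk rejection
            continue
        try:
            cloud.upsert(mail, state["role"], state["enabled"])
        except ConnectionError:
            pending.append(mail)  # retried next pass instead of being forgotten
            continue
        (applied if cloud.users.get(mail) == state else pending).append(mail)
    return applied, pending

# Constructed samples: (AD login name, e-mail, enabled) and HR feed sam -> (dept, title).
AD_ACCOUNTS = [("jdoe", "J.Doe@example.com", True), ("asmith", "a.smith@example.com", False),
               ("bnew", "b.new@example.com", True)]
HR_RECORDS = {"jdoe": ("Sales", "Manager"), "asmith": ("Sales", "Rep"), "bnew": ("Sales", "Rep")}
```

Because each pass compares desired and actual state rather than replaying events, a change that was lost while the link was down is simply picked up again on the next run.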
Working with cloud applications generally means that organizations no longer have user and access management in their own hands, and that the rules and SLAs of the cloud applications apply. User and access management are of secondary importance to business requirements. If it is essential for your organization to keep control of user and access management, Tools4ever can help you.

Tools4ever recognized that the migration of applications to the cloud would bring new challenges in the field of user and account management. With this in mind, Tools4ever developed links (connectors) that offer the following functionality:
  • Password synchronization. If a password is changed in Active Directory, this change will be automatically implemented (synchronized) in the cloud application;
  • Auto provisioning of user accounts linked to UMRA's proprietary user account management process ensures synchronization of user accounts for employees through the HR system, as well as any changes made by the helpdesk, managers and even end users. User accounts are created, modified, enabled, disabled, removed etc. in a completely automated way;
  • Integrated access management from the end users to the cloud application. Access to the various components of the cloud application is assigned/revoked on the basis of the end user's organizational role. UMRA features an advanced RBAC module that controls access to the cloud application on the basis of the department/job title in the HR system, as well as the choices that managers have made for their employees;
  • A centralized dashboard that provides IT managers with an overview of the cloud applications deployed by each user. The dashboard can be used to control the license costs as well as for logging and reporting purposes;
  • Single Sign On for all cloud and web applications based on existing Active Directory credentials. This means that users are no longer required to remember a host of user names and passwords.
For additional information or to download one of our solutions, please visit our website.

Friday, August 3, 2012

Customer Satisfaction and Password Resets

Two recent customers of Tools4ever, a bank and a car dealership, brought to light a new value proposition of our password management solutions that I had not previously thought of. In both cases, these clients have a great number of employees that spend the majority of their time interacting with clients. Can you imagine a client’s frustration if a bank teller needed to wait on hold for 10-15 minutes to get the helpdesk online to reset a password? Worse yet, what if it were a Saturday and the helpdesk was unavailable? How much productivity would be lost?

Both of these organizations turned to Tools4ever for assistance. In the case of the bank, they were receiving 3-5 calls per day for password resets. By implementing Self Service Reset Password Manager (SSRPM) and Enterprise Single Sign On Manager (ESSOM), they were able to drive that number to virtually zero calls. ESSOM reduces the number of credentials a user needs to remember down to one, and SSRPM allows self-service should the employee forget that one set.

The auto dealership had an SSO solution that was being phased out by the vendor, and support was coming to an end. They knew the calls to the helpdesk would increase dramatically as users would go from 1 set of credentials to needing to remember between 5 and 10. Implementing the Tools4ever ESSOM solution fit the bill. All of their dealer and financial applications were easily accommodated. Taking it one step further, all employees were “pre-enrolled” into ESSOM. Their user names and passwords were entered into the database and encrypted. This means the end users are never even made aware of what their credentials are for the various applications. If someone leaves, shutting off their ESSOM profile prevents access to any application.

I am always amazed at the new ways our customers find to utilize our products to increase productivity and, in this case, help ensure their customers have a more positive experience. For more information, please visit our website.