64554kstoyhtqp9.jpg
Image: vorakorn kanokpipat / FreeDigitalPhotos.net

A topic that I have not yet seen addressed much, but which has been a growing pain in my daily practice, is identity management in SaaS environments. We all know the routine: Human Resources calls to terminate all access from user Jane Doe at 3pm sharp. Ideally, all authentication and access is managed via an IdM solution. In practice, there are several, if not dozens, of SaaS web sites that users throughout the organization use, and on which they have created accounts. If you are lucky, these accounts are associated with the organization, but it is not uncommon to find people signing in with their private @gmail.com, @yahoo.com, or @hotmail.com addresses.


Realistically, there is nothing wrong with that. These people are trying to solve a business problem, have found a convenient and cheap way to do so, and don't have to bother anyone to make their work processes more efficient. Unfortunately, from a CISO's perspective, many red flags go up. We worry about the risk of accidental data loss, disclosure or manipulation, leading to reputation damage, intellectual property drain, insider abuse, and many other nasty things that would require the full CSIRT playbook to be activated.

So, when we know about things, and users actually ask us ahead of time, our first inclination is to say "no." Of course, all that leads to, is that the next time, users will simply not ask. So, in the end, we grind our teeth, say "Thank you for involving us," and give them the green light. The concept there is that "at least we know about it."

Of course, this does nothing to solve our problem; an Identity Management infrastructure that took years to build, leading to SSO that finaly works without having to store plaintext credentials, is slowly crumbling as we start engaging with all these vendors who have never heard of techniques like SAML, Shibboleth, CAS, LDAP, or what-have-you.

Finding a way that is flexible, scalable, controllable, and vendor-accepted is going to be an interesting challenge. I do not have good answers to address this issue at the moment, but it has been on my mind a lot. I'm open for suggestions!