"Business technology news for Europe's senior executives...."
What are the challenges moving to the Cloud?

Nordic Edge | www.nordicedge.se


An increasing number of companies and organisations are moving their services to Software as a Service (SaaS) providers. Protecting business-critical information that is located in the “cloud” requires both secure log-in procedures and efficient user administration.

About cloud computing
Cloud computing (where customers use the Internet to access data or applications that are housed on servers somewhere else) is a style of computing that is still at an early stage but already customers are beginning to identify the benefits. Users do not need knowledge of, expertise in, or control over the technology infrastructure in “the cloud” that supports them; companies can add capacity or capabilities without needing to invest in new infrastructure or license new software.


The concept incorporates Infrastructure as a Service (IaaS) where customers can access storage and virtual servers on demand, Platform as a Service (PaaS) where providers deliver development environments as a service and Software as a Service (SaaS) where users access a particular application through the browser. Examples of SaaS vendors include Google, Microsoft and Salesforce.com.

Challenge

Many organisations today are running their own servers for file storage, applications, email boxes, etc. However, this can be expensive: in addition to the physical hardware and software, it requires skilled staff, computer rooms, power, licenses and maintenance. There are also concerns such as uptime requirements, especially for operations that need high availability, and service continuity should disaster strike.

However, there are challenges for companies considering moving to the Cloud:

  • The standard authentication method is username/password, which for many organisations is too weak for protecting corporate assets;
  • Cloud applications require an account to be set up, which means double the administration overhead.


Solution
The Opacus solution adds strong authentication to the login process. One of the main benefits of Opacus is the flexibility to allow customers to implement two-factor authentication with the cloud application. A range of authentication methods is supported, such as One-Time Passwords (sent via SMS, email, chat), hardware and software tokens or X.509 certificates.
Opacus also integrates the local user store with the cloud application and gives the customer central administration of users. Adding and deleting users can both be performed using central administration. Opacus can also perform batch jobs such as mass-population of user accounts.

Benefits
With Opacus, users of the cloud application gain improved security and easy-to-use user administration. The solution saves time and money and can easily be adapted to the company’s needs.

Two-factor authentication
The Opacus solution provides two-factor authentication to the cloud application using credentials from the customer’s own user store.

Instead of authenticating directly with the cloud application, the user will be redirected to authenticate with Opacus. The Opacus solution supports a wide range of authentication methods and different authentication methods can be used simultaneously. During the authentication process, user attributes from the data store may be used to apply access control rules, for example LDAP/Active Directory group membership. After authentication is completed, a further plug-in may be activated to update user stores with, for example, a last login date.

Authentication modules are provided for Smart Card and Software certificates (X.509), One-Time Passwords (SMS, Mobile Phone Clients, Pre-fetched Codes, etc.), Windows Integrated Authentication (AD SSO), hardware and software tokens.
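The flow described above (redirect to the authentication service, two factors, an access rule drawn from directory group membership, then a post-login plug-in) can be modelled in a few dozen lines. The Python below is an added example for this article, not Nordic Edge's code and not a description of how Opacus is built: the user store, the PBKDF2 password hashes, the HOTP (RFC 4226) token secret, the group names and the application name are all constructed for the illustration, and the page says nothing about which OTP algorithm Opacus uses.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Password hashing for the constructed user store (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store standing in for an LDAP/AD directory.
# The OTP secret is the RFC 4226 test vector secret; everything else is made up.
USER_STORE = {
    "alice": {
        "salt": b"alice-salt",
        "pw_hash": _pbkdf2("correct horse", b"alice-salt"),
        "otp_secret": b"12345678901234567890",
        "otp_counter": 0,
        "groups": {"staff", "crm-users"},
        "last_login": None,
    },
    "bob": {
        "salt": b"bob-salt",
        "pw_hash": _pbkdf2("hunter2", b"bob-salt"),
        "otp_secret": b"12345678901234567890",
        "otp_counter": 0,
        "groups": {"staff"},  # not entitled to the CRM application
        "last_login": None,
    },
}

# Access rule: the directory group each (hypothetical) application requires.
APP_REQUIRED_GROUP = {"crm": "crm-users"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def authenticate(username, password, otp, app, store=USER_STORE, now=None):
    """Check two factors, apply a group-membership rule, run the post-auth hook.

    Returns (granted, reason)."""
    user = store.get(username)
    if user is None:
        return False, "unknown user"
    # Factor 1: something the user knows.
    expected = _pbkdf2(password, user["salt"])
    if not hmac.compare_digest(expected, user["pw_hash"]):
        return False, "bad password"
    # Factor 2: something the user has (HOTP token). A small look-ahead window
    # tolerates a few unused codes; an accepted code moves the counter past
    # itself so the same code can never be replayed.
    for c in range(user["otp_counter"], user["otp_counter"] + 3):
        if hmac.compare_digest(hotp(user["otp_secret"], c), otp):
            user["otp_counter"] = c + 1
            break
    else:
        return False, "bad one-time password"
    # Access control rule evaluated from directory attributes (group membership).
    required = APP_REQUIRED_GROUP.get(app)
    if required and required not in user["groups"]:
        return False, f"not a member of {required}"
    # Post-authentication plug-in: record the last login date in the user store.
    user["last_login"] = now or datetime.now(timezone.utc)
    return True, "ok"
```

Two points worth noticing: both comparisons use a constant-time compare, and the OTP counter is advanced only on success, so a captured code that was already used is rejected on the next attempt even though the password is still correct.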

SAML SSO
Using the built-in SAML support, users can authenticate with any of the supported authentication modules and be automatically logged into any service that supports SAML 2.0 or SAML 1.1 Single Sign-On methods.

Users already logged into a local Windows Active Directory environment can be automatically signed on to services supported by the SAML SSO service; no additional login will be required. External users can be prompted for other supported strong authentication methods such as One-Time Passwords.
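The two sides of the SSO exchange just described (the identity provider choosing Windows integrated authentication for internal clients and a one-time password for external ones, then issuing an assertion; the service provider accepting it only if it is signed, from the trusted issuer, addressed to it, inside its validity window and not replayed) are shown below. This is an added example, not Nordic Edge's code: the network ranges, issuer and audience URLs and the shared key are constructed, and an HMAC over a JSON body stands in for the XML-DSig signature that real SAML 2.0 uses.

```python
import hashlib
import hmac
import ipaddress
import json
import secrets

# Constructed values for this example.
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.0.0/16")]
IDP_ISSUER = "https://idp.example.test"        # hypothetical identity provider
SP_AUDIENCE = "https://crm.example.test/saml"  # hypothetical cloud application
SHARED_KEY = b"idp-sp-shared-key-for-demo"     # stand-in for the IdP signing key


def _sign(body: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding (stand-in for XML-DSig)."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, canonical, hashlib.sha256).hexdigest()


def choose_auth_method(client_ip: str) -> str:
    """Internal clients get Windows integrated SSO; external clients get OTP."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in CORPORATE_NETWORKS):
        return "windows-integrated"
    return "one-time-password"


def issue_assertion(subject: str, method: str, now: float, lifetime: int = 300) -> dict:
    """IdP side: build a signed assertion with issuer, audience and validity window."""
    body = {
        "id": secrets.token_hex(16),        # unique per assertion, for replay detection
        "issuer": IDP_ISSUER,
        "audience": SP_AUDIENCE,
        "subject": subject,
        "authn_method": method,
        "not_before": now,
        "not_on_or_after": now + lifetime,
    }
    return {"body": body, "signature": _sign(body)}


class ServiceProvider:
    """SP side: verify signature, issuer, audience, time window and replay."""

    def __init__(self, audience=SP_AUDIENCE):
        self.audience = audience
        self.seen_ids = set()

    def consume(self, assertion: dict, now: float):
        body, sig = assertion["body"], assertion["signature"]
        if not hmac.compare_digest(_sign(body), sig):
            return None, "bad signature"
        if body["issuer"] != IDP_ISSUER:
            return None, "untrusted issuer"
        if body["audience"] != self.audience:
            return None, "wrong audience"
        if not (body["not_before"] <= now < body["not_on_or_after"]):
            return None, "expired or not yet valid"
        if body["id"] in self.seen_ids:
            return None, "replayed assertion"
        self.seen_ids.add(body["id"])
        return body["subject"], "ok"
```

The order of the checks matters: the signature is verified before any field is trusted, and the audience check is what stops an assertion issued for one SaaS application from being presented to another one that trusts the same identity provider.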

User administration
The Opacus solution simplifies and automates the administration of user accounts by introducing central administration. The local administrator manages the user account and, whenever a change is made, the change is propagated to the cloud application. If, for instance, a new user account is created in the local user store, Opacus will create the same account in the cloud application.

Provisioning/De-provisioning
Provisioning in Opacus means that when a user account is created in the local database, the user account is also created at the cloud application.

De-provisioning means that when an account is deleted in the local user store, the account is also deleted or disabled in the cloud application.

A user who has not logged into the cloud application before can automatically be created in the cloud application. Using the user name or other identity factors Opacus can create and provision users to the cloud application from data obtained by calls to other user stores or external data sources.

Delegated user administration
The Opacus solution can be configured to delegate the user administration to different administrators based on many different attributes; for instance, group, role or title. It is possible to introduce workflow processes where certain actions will require approval before taking effect. This allows organisations to delegate user account responsibilities to local departments and groups.

Batch transactions
The Opacus solution can create batch provisioning transactions using a comprehensive rule set. This is important (especially for larger organisations) when, for instance, creating all users when first moving to the cloud application.

Reporting
Opacus can also generate reports (for instance a list of inactive users or a list of users who have not logged in during the last 60 days).
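The provisioning, de-provisioning, batch and reporting sections above all reduce to one operation: compare the local user store with the cloud application's store under an entitlement rule, emit the transactions that bring them in line, and report on accounts that are still enabled but unused. The Python below is an added example of that reconciliation, not Nordic Edge's code: the two stores, the group names, the e-mail addresses and the reference date are constructed, and the "disable rather than delete" choice is this example's, since the page says de-provisioning may do either.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Account:
    username: str
    email: str
    groups: set = field(default_factory=set)
    enabled: bool = True
    last_login: Optional[datetime] = None


# Constructed reference date and sample stores, as they might look mid-migration.
NOW = datetime(2011, 5, 25, tzinfo=timezone.utc)

LOCAL_STORE = {  # the customer's directory: the source of truth
    "alice": Account("alice", "alice@example.test", {"crm-users"}),
    "bob":   Account("bob", "bob@example.test", {"crm-users", "crm-admins"}),
    "dave":  Account("dave", "dave@example.test", {"crm-users"}),
}
CLOUD_STORE = {  # the cloud application's user store
    "bob":   Account("bob", "bob@example.test", {"crm-users"},
                     last_login=NOW - timedelta(days=3)),
    "carol": Account("carol", "carol@example.test", {"crm-users"},
                     last_login=NOW - timedelta(days=90)),
    "dave":  Account("dave", "dave@old.example.test", {"crm-users"},
                     last_login=NOW - timedelta(days=70)),
}


def plan_sync(local, cloud, rule=lambda acct: "crm-users" in acct.groups):
    """Compute the provisioning transactions that bring `cloud` in line with
    `local`. `rule` is the entitlement rule (which local accounts should exist
    in the cloud application at all); the same planner serves the initial
    batch load and every later incremental change."""
    actions = []
    wanted = {name: a for name, a in local.items() if rule(a) and a.enabled}
    for name, a in sorted(wanted.items(), key=lambda kv: kv[0]):
        if name not in cloud:
            actions.append(("create", name))
        elif (a.email, a.groups) != (cloud[name].email, cloud[name].groups):
            actions.append(("update", name))
    # De-provisioning: an enabled cloud account with no entitled local counterpart.
    for name in sorted(cloud):
        if name not in wanted and cloud[name].enabled:
            actions.append(("disable", name))
    return actions


def apply_sync(local, cloud, actions):
    """Execute the plan. Accounts are disabled, not deleted, so audit history
    and the inactive-user report survive."""
    for action, name in actions:
        if action == "create":
            src = local[name]
            cloud[name] = Account(name, src.email, set(src.groups))
        elif action == "update":
            cloud[name].email = local[name].email
            cloud[name].groups = set(local[name].groups)
        elif action == "disable":
            cloud[name].enabled = False
    return cloud


def inactive_users(cloud, now=NOW, days=60):
    """Report: enabled accounts with no login in the last `days` days."""
    cutoff = now - timedelta(days=days)
    return sorted(name for name, a in cloud.items()
                  if a.enabled and (a.last_login is None or a.last_login < cutoff))
```

Running `plan_sync` a second time after `apply_sync` returns an empty plan, which is the property a scheduled synchronisation job relies on: re-running it is safe, and the only transactions it ever emits are the ones that correspond to a real change in the local store.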

Location of the Opacus platform
Opacus can either be located in the customer’s own network connected to a local user store, or be located in “the Cloud”. In the latter case, all user information is managed in the cloud application user store.

Local user store
Opacus provides provisioning of user accounts and groups between the customer’s own user store and the cloud application user store. A wide range of different databases is supported such as Microsoft Active Directory, Novell eDirectory, MySQL, Microsoft SQL Server, etc.

User store at the cloud application
The Opacus solution itself can also run at the cloud application for organisations that do not have their own user store. In this scenario the primary user administration is performed at the cloud application (for username/password) and Opacus takes care of the additional data items required (like mobile phone numbers). This provides the possibility for organisations to add strong authentication without the need for their own infrastructure.

Technical specification
Authentication modules are provided for:
Smart Card and Software certificates (X.509), One-Time Passwords (SMS, Mobile Phone Clients, Pre-fetched Codes, etc.), Windows Integrated Authentication (AD SSO), Simple Username/Password (LDAP, AD, SQL, NIS/YP, File), Swedish e-ID (BankID, Telia/SEB, Nordea, SITHS), any third-party authentication service supporting RADIUS, etc.

Supported user stores:
Microsoft Active Directory, Novell eDirectory, Sun LDAP Directory Services, OpenLDAP, Siemens DirX, MySQL, OpenSQL, etc.

About Nordic Edge
Nordic Edge is a leading provider of trusted Identity and Access Management (IAM) solutions that enable organisations to secure and manage their digital identities. With Nordic Edge’s solutions, organisations can improve business processes and meet regulatory compliance requirements. The offering includes two-factor authentication, role-based delegated user administration, synchronisation and provisioning. More than 10 million identities are being administered by Nordic Edge’s solutions and over 1 million users securely log in with Nordic Edge’s products each month. Nordic Edge was founded in 2001 in Sweden and has customers in more than 25 countries.

Contact details:
Oscar Morén, VP Sales
T: +46 70 217 67 85
E: [email protected]
www.nordicedge.se