Problems in corporate use of SAAS
So, succumbing to the newfangled trends, small and large companies are beginning, who are timid, who quickly and decisively subscribe to various services.
The initial euphoria and “Wow!” - the effect is passing.
And on weekdays we get problems that weren’t really thought of before ...
From our experience, a typical set of an abstract company consists of applications from the following groups:
Usually, such services are used by 12 or more full-time employees.
')
Every employee now needs to invent and memorize from 3x to 7i (according to the number of services in the company) new, multi-character and unique passwords. And then regularly change them.
Obviously, no one will do that. Employees, rather, will write down all the passwords on a sticker and stick it on the monitor or come up with one simple password for all services.
As a result, the lack of security of corporate data of the company.
Can everyone remember different long meaningless character sets?
Since the accounts for public services are beyond the control of the company, any person who somehow acquired your employee’s password can gain access to corporate information. If you go back to problem number 1, then you understand that this is done simply by elementary methods of “social” engineering.
A good solution is to use the principles of two-factor authentication in services — when, besides the password, a person needs to confirm his person with some kind of personal technical device.
The most popular ways:
However, there are too few services that use two-factor authentication !
Another problem is due to the fact that you do not control services - you can’t limit your employees access to corporate information in time and space.
One side:
And if your employee stole a password or his laptop? And now at the other end of the planet is the attacker!
The ability to use external services anywhere turns into a problem.
Is this exactly your accountant making the payment?
And now someone will have to add new employees to all the many corporate services.
And then, when employees are fired, you need to remember to delete or suspend his account in the external service.
Otherwise, data loss may occur.
Those. numerous routine day-to-day operations.
Such an awkward moment when you did not have time to delete the employee’s account in the service of document flow and the projects of your contracts went to competitors.
In many medium and large companies, employees are already managed through Active Directory or LDAP directories.
But rare public services are able to synchronize their information field with corporate directories on the fly.
Now we have to manually duplicate everything in EVERY (!) New service.
Do the services you have purchased use the “pass-through” Windows authentication technology, in which the user only needs to log in to the Windows domain?
No windows authentication!
If a company has grown long ago, has an extensive branch structure or large divisions, sometimes it is necessary:
In this situation, additional difficulties arise before the corporate IT service.
- Delegation ??!
- No, not heard.
Any working company over time acquires some layer of its own information, both structured and not.
However, when using several services from different suppliers, we get a situation where the same information requires multiple manual duplication.
If necessary, make changes to previously created information objects, you must also manually make changes in all applications.
Actual examples:
As a result, we have a situation where one information system cannot understand data from another system without additional tweaks or manual labor.
We have seen and felt all these problems on our experience over 3 years of work in the Softcloud.ru project.
And as a result of discussions, the requirements for a new SAAS instrument were born, which will provide the opportunity to:
PS I’m taking comments out - we started to implement all these ideas in the ez-login.com project
Pps. Subsequent publications - How we did SaaS: the practice of building a cloud product using the example of EZ-Login:
Part 1. About analytics
The initial euphoria and “Wow!” - the effect is passing.
And on weekdays we get problems that weren’t really thought of before ...
From our experience, a typical set of an abstract company consists of applications from the following groups:
- postal service
- CRM
- accounting
- document flow
- communication (voice and video conferencing)
- subscription antivirus
- corporate knowledge base (repository of instructions, manuals)
Usually, such services are used by 12 or more full-time employees.
')
1. Head - House of Soviets
Every employee now needs to invent and memorize from 3x to 7i (according to the number of services in the company) new, multi-character and unique passwords. And then regularly change them.
Obviously, no one will do that. Employees, rather, will write down all the passwords on a sticker and stick it on the monitor or come up with one simple password for all services.
As a result, the lack of security of corporate data of the company.
Can everyone remember different long meaningless character sets?
2. Stop! Who goes?
Since the accounts for public services are beyond the control of the company, any person who somehow acquired your employee’s password can gain access to corporate information. If you go back to problem number 1, then you understand that this is done simply by elementary methods of “social” engineering.
A good solution is to use the principles of two-factor authentication in services — when, besides the password, a person needs to confirm his person with some kind of personal technical device.
The most popular ways:
- one-time codes sent to a person’s personal mobile phone via SMS
- one-time codes on personal electronic charms
- one-time codes on mobile devices
- disposable codes on scratch cards
- using certificates on electronic tokens
However, there are too few services that use two-factor authentication !
3. You do not go there! You go here!
Another problem is due to the fact that you do not control services - you can’t limit your employees access to corporate information in time and space.
One side:
- great flexibility in the work of employees!
- office ceases to be a cell!
- You can do your job from an Internet cafe on the other side of the planet!
And if your employee stole a password or his laptop? And now at the other end of the planet is the attacker!
The ability to use external services anywhere turns into a problem.
Is this exactly your accountant making the payment?
4. One of the hands of Shiva
And now someone will have to add new employees to all the many corporate services.
And then, when employees are fired, you need to remember to delete or suspend his account in the external service.
Otherwise, data loss may occur.
Those. numerous routine day-to-day operations.
Such an awkward moment when you did not have time to delete the employee’s account in the service of document flow and the projects of your contracts went to competitors.
5. The other hand of Shiva
In many medium and large companies, employees are already managed through Active Directory or LDAP directories.
But rare public services are able to synchronize their information field with corporate directories on the fly.
Now we have to manually duplicate everything in EVERY (!) New service.
Do the services you have purchased use the “pass-through” Windows authentication technology, in which the user only needs to log in to the Windows domain?
No windows authentication!
6. All sisters in earrings
If a company has grown long ago, has an extensive branch structure or large divisions, sometimes it is necessary:
- acquire services centrally
- distribute services across divisions
- transfer the distribution of accounts to services under the control of divisional administrators
In this situation, additional difficulties arise before the corporate IT service.
- Delegation ??!
- No, not heard.
7. My yours do not understand!
Any working company over time acquires some layer of its own information, both structured and not.
However, when using several services from different suppliers, we get a situation where the same information requires multiple manual duplication.
If necessary, make changes to previously created information objects, you must also manually make changes in all applications.
Actual examples:
- Addresses and bank details of your partners or a list of commodity nomenclature. They need to be duplicated, both in the accounting system and in CRM.
- Contracts agreed and fixed in the ERMS are also likely to be duplicated in CRM.
As a result, we have a situation where one information system cannot understand data from another system without additional tweaks or manual labor.
We have seen and felt all these problems on our experience over 3 years of work in the Softcloud.ru project.
And as a result of discussions, the requirements for a new SAAS instrument were born, which will provide the opportunity to:
- use single entry point ideology ( SSO )
- have, but not memorize many, long and complex passwords
- use multi-factor authentication in the form of:
- one-time personal codes sent as SMS
- one-time personal codes transmitted via e-mail
- applications of electronic USB tokens
- to work, both from stationary computers, and from personal mobile devices
- control the place and time of use of corporate services
- work in a single account administration point
- use Windows authentication to external services
- manage subscriptions to external services from one point
- provide the ability to delegate service management
- ensure reporting on the use of all services by your employees
- combine existing applications into a single directory so that users can read their descriptions in one place and compare the declared capabilities
- in the future, provide synchronization of specified information between different services
- apply the tool in both public and private mode (Public / Private Cloud)
PS I’m taking comments out - we started to implement all these ideas in the ez-login.com project
Pps. Subsequent publications - How we did SaaS: the practice of building a cloud product using the example of EZ-Login:
Part 1. About analytics
Source: https://habr.com/ru/post/148271/
All Articles