
The Challenges of Security and Compliance in the Cloud

by Carl Weinschenk, IT Business Edge
Aug 22, 2008 12:00:00 AM

Carl Weinschenk spoke with Jon Brody, vice president of marketing, TriCipher.


Weinschenk: What is the security and compliance situation as applications move into the cloud?
Brody: For the large enterprise, issues of security and compliance are pretty constant, whether the application is accessed inside the firewall or outside the firewall as in software-as-a-service. The requirements are invariant. The auditors don’t care how you do it, as long as X, Y and Z get done. The investment to date has largely been for apps inside the firewall. The challenge is how to achieve results that auditors, partners and clients expect. There have been tremendous investments inside the firewall. [The challenge is that] applications may not be protected when the assets are outside the firewall.


Weinschenk: What is the current dynamic?
Brody: I think enterprises are being challenged now as their business units begin to aggressively adopt SaaS applications. They need to extend controls built over a long time to SaaS apps outside their control. Can they tweak their policies, procedures and technologies for security and compliance? I think the answer is no, these existing systems can’t be tweaked. The first tweak is to try to force users who want to avail themselves of SaaS apps to come back through the enterprise network to pick up controls and policies and go out again. That would be the ideal way to reuse investments – to come into the network before going out. That may be the way a lot of enterprises react because of the immediate value, but it is not a long-term solution because it’s hard to prevent users from going directly to the app. I think, ultimately, you want to do what is most convenient for users in order to keep them productive.


Weinschenk: So SaaS has great value, but is risky.
Brody: SaaS gives you the ability to extend productivity of users in a way that is convenient to them. I want Salesforce, I can go right onto it -- but the identities I create on Salesforce may be inconsistent with the ID formulation specified by the enterprise. That is important because enterprises must track consistently to be compliant. If I’ve got three identities on three systems doing the business of my company, I have pretty much escaped control of IT. Extending existing controls that ask me to come inside before going outside is difficult to achieve. User IDs are key to compliance and tracking, and also key to bread-and-butter stuff like ensuring that employees use consistently strong passwords.


Weinschenk: Can’t existing federated identity and single sign-on approaches be used for these purposes?
Brody: Those systems are not widely deployed today. Enterprises have single sign-on and Web access management solutions and they are good for users who go to the enterprise network before going out on the Internet. They don’t do anything for users who are not [routed through] the network, but instead are [just] on the Internet. These people are not coming from the inside first, but going outside to outside. Increasingly, there are users -- perhaps younger users -- on the outside, perhaps at home or on the road. They are using the Internet and bypassing the corporate network to get to assets that are outside, such as Salesforce or Concur or WebEx. So enterprises don’t really have a way of controlling activities except admonition and education.


Weinschenk: You say that Salesforce works with companies to restrict access to applications if the person hasn’t been routed through the corporate network. Isn’t that the answer?
Brody: Not all SaaS vendors are that sophisticated. Secondly, there are a lot of ad hoc subscriptions to really groovy new SaaS services that don’t happen with IT awareness. As you move to an SMB market where there is no IT organization -- but still security and compliance requirements -- you are really in trouble.


Weinschenk: What is your company, and your sector, proposing?
Brody: We offer a SaaS service that provides managed or identity management in the cloud. This is one technological approach to providing the security and compliance controls that partners and customers expect.


Weinschenk: What must be accomplished in such a cloud-based service?
Brody: Providing a consistent identity that is strongly authenticated is a fundamental component of any security plan. This includes the need to know, to some degree of certainty, who is on. The second component has to do not so much with security but, for example, with your ability to federate those identities to partners. I can integrate more services for my customer if I can move authenticated identities back and forth between partners. Salesforce has a universe of application builders on the Salesforce platform and outside [developers] that all add value to the customer relation management platform Salesforce provides. This is a big benefit to Salesforce as well as the user. The guys at Salesforce are capable enough that they can develop security and compliance functions in their service. But most developers of Web properties are better served by spending time developing their applications and business processes and shouldn’t really be spending time figuring out strong authentication. They shouldn’t spend their time figuring out federation.


Weinschenk: So your company and others provide those functions to SaaS providers who are busy doing other things – such as developing their applications and platforms.
Brody: There are a number of providers that relieve the developer of the burden of some very technical but required capabilities and allow them to concentrate on their core business. We provide strong authentication, single sign-on and federation to the Web application. The benefits of the service are that there is no software, no hardware and you can use only as much as you need.
