SaaS - Implications for Enterprise Infrastructures
EMEA
Kevin Sangwell, Architect, Microsoft EMEA HQ
http://blogs.technet.com/sanger
IT Budgets
IT Complexity and Cost: a driver to SaaS?
Enterprise Infrastructure Architecture Principle
I.T. should be seamless to users and the business
• Infrastructure
• Applications
• Access
• Helpdesk
• Physical Location
Comparing sourcing models
[Chart: In house Application, Outsourced Application, ASP and SaaS compared on two axes, Flexibility and Shared Resources]
Comparing Outsourcing & SaaS
Outsourcing: Business Aspects
• Driver: cost reduction
• Often transfer staff
• Individual contract
• Individual SLA
• Fixed price & term contract + change requests
• Upgrades subject to contract (€€€)
• Providers = System Integrators or Services companies
Outsourcing: Technical Aspects
• Move existing application to external organisation
• Internal infrastructure often “extended” to include outsourced application
• Single tenant on application
• Maybe some shared infrastructure
SaaS Subscription: Business Aspects
• Driver: satisfying business need
• Standard contract*
• Standard SLA*
• Pay as you go
• Provider = Hoster, SaaS provider (ISV)
• Upgrades are part of service
SaaS Subscription: Technical Aspects
• Application only available via this provider/ISV
• Typically multiple tenants on shared infrastructure
• No integration with enterprise infrastructure*
*Provider may negotiate individual contract/SLA for large enterprises, but this is not the normal model
SaaS: Replacing Challenges
SaaS Provider
You
• Integration
• Identity Management
• Data
• Operations
• Security
• Contract Management
• SLAs
• Compliance
• Service Delivery
• Service Level Management
• Capacity Management
• Availability Management
• IT Continuity Management
• Financial Management
• Service Support
• Helpdesk
• Training
Why should you care?
Some people may be after your head
Another username & password!
Where is the training?
I can’t access the CRM application!
Sales Team
Um, what CRM application?
Helpdesk
Lawyers ‘R Us
Are we still in compliance with regulations?
What about our privacy policies: customer and partner data?
CSO
We are responsible for
Integration
• Users: another username, training?
• Helpdesk: another application, where is 2nd line, what about password resets..
Contractual
• Lawyers: regulatory compliance
• Data ownership
Integration
Infrastructure Integration
• Identity Management
• Data
• Operations
• Security
Integration
Infrastructure Integration
• Identity Management
  • Identity and Access Management
  • Role based access control
• Data
• Operations
• Compliance
Why integrate identity management?
Costs
• Password resets
  • Cost $23 each*
  • Account for up to 30% of helpdesk calls*
• Account provisioning / de-provisioning
Security
• Forgetting to de-provision user accounts or reflect job changes
Architectural Principle
• Move away from “IT getting in the way of business”
*Gartner figures
Identity Integration Options
Active Directory Trust
• Widely adopted
• Trusts well understood
• No need for password sync
• Single Sign-On possible
• Operates in real time
• Proprietary: requires AD in both organisations
• Trust is broad: not constrained to certain users
• Multiple ports need to be opened on firewall
• SaaS provider needs to manage multiple AD trusts
• Authorisation in SaaS application still a problem
Good / Bad
Identity Integration Options
Meta directory (e.g. Microsoft Identity Integration Server)
• Extremely flexible (constrained trust)
• Password sync may be possible
• Scheduled replication
• SSO possible, but unlikely
• You need to buy a metadirectory product €€ (SaaS provider does not)
• May need integration code in SaaS provider
• Metadirectory rules are complex and may break if you make changes to your internal directory service
Good / Bad
Identity Integration Options
Federation (e.g. Active Directory Federation Services / ADFS)
• Standards-based (WS-Federation)
• Operates in real time
• ADFS is part of Win2K3 R2 EE: no additional license
• Extremely Flexible: constrained trust and more
• Loosely coupled: allowing changes to be made to source and destination directories independently
• Doesn’t require “identity” in SaaS application
• Not widely adopted yet
• Relatively new technology
Good / Bad
Active Directory Federation Services
Projects AD Identities to other security realms
You: Private Namespace
• User: Fred
• Job: Sales
• Employee: 166798
• Manager: BobM
• Office: Oslo
SaaS Provider: Tenant Namespace(s)
• User: Fred
• Office: Oslo
• Subscriber: Yes
Based in Oslo: Yes
Access Granted
Active Directory Federation Services
Projects AD Identities to other security realms
You: Private Namespace, Federation Server
SaaS Provider: Tenant Namespace(s), Federation Server
Role Based Access Control (RBAC)
Michal, Sales Dept
Sales Role
• Portal: Author on Account Activity pages
• Document Mgmt: Owner for Sales Order Processing documents
• CRM: Manager for Eastern Europe sales teams
Role Based Access Control (RBAC)
Sales Role
• CRM: Manager for Eastern Europe sales teams
• Portal: Author on Account Activity pages
• Document Mgmt: Owner for Sales Order Processing documents
• SaaS: Reader on Sales Order Processing pipeline
Role Based Access Control (RBAC)
RBAC + Federation approach
Configure Federation to transform group claims to SaaS Application
AD Group Member: Sales Managers, North East Region
Cookie: Group: Managers, Region: NE
SaaS Application
P Authorisation
Cookie: User Group: Org1 Managers, Database: Org1 North East
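
An added example (not part of the original slides) of the claim transformation sketched on the ADFS and RBAC + Federation slides: the enterprise side releases only selected attributes and mapped groups, and the SaaS side maps them into the tenant's namespace. The mapping tables, function names and issuer URL are hypothetical, and token signature validation is assumed to happen before `authorise()` is called.

```python
# Added illustration: claim transformation on both sides of a federation trust.
# All names (OUTBOUND_GROUP_MAP, TENANTS, the issuer URL) are hypothetical.

# Enterprise side: only these AD groups produce claims; the rest stay private.
OUTBOUND_GROUP_MAP = {
    "Sales Managers": ("Group", "Managers"),
    "North East Region": ("Region", "NE"),
}
RELEASED_ATTRIBUTES = {"User", "Office"}  # Job, Employee, Manager never leave

# Provider side: the tenant is derived from the trusted issuer, never from a claim.
TENANTS = {"https://sts.org1.example/": "Org1"}
REGION_DATABASES = {"NE": "North East"}
KNOWN_GROUPS = {"Managers"}


def issue_claims(ad_user, ad_groups):
    """Enterprise federation server: project an AD identity into outbound claims."""
    claims = {k: v for k, v in ad_user.items() if k in RELEASED_ATTRIBUTES}
    for group in ad_groups:
        if group in OUTBOUND_GROUP_MAP:
            claim_type, value = OUTBOUND_GROUP_MAP[group]
            claims[claim_type] = value
    return claims


def authorise(issuer, claims):
    """SaaS side: map incoming claims into the tenant namespace, failing closed."""
    tenant = TENANTS.get(issuer)
    if tenant is None:
        raise PermissionError("untrusted issuer")
    group, region = claims.get("Group"), claims.get("Region")
    if group not in KNOWN_GROUPS or region not in REGION_DATABASES:
        raise PermissionError("no role mapping for presented claims")
    return {"User Group": f"{tenant} {group}",
            "Database": f"{tenant} {REGION_DATABASES[region]}"}


# Constructed sample input, modelled on the slides' "Fred" identity.
FRED = {"User": "Fred", "Job": "Sales", "Employee": "166798",
        "Manager": "BobM", "Office": "Oslo"}
FRED_GROUPS = ["Sales Managers", "North East Region", "Domain Users"]

if __name__ == "__main__":
    token = issue_claims(FRED, FRED_GROUPS)
    print(token)
    print(authorise("https://sts.org1.example/", token))
```

Because the tenant prefix comes from the issuer lookup, a user from one organisation cannot obtain another tenant's role by presenting different group claims.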
Alternative to Role Based Access Control
• Implemented only in SaaS Application
• Another (external) application in which you need to perform admin
• Does the business get delegated admin of users inside the SaaS app?
• How do they include enterprise users in the SaaS app, as Federation won't necessarily reveal users in SaaS app?
Integration
Infrastructure Integration
• Identity Management
• Data
• Operations
• Compliance
Data Integration
LoB apps are typically islands, but need to share data
EAI
• Do you have another application which needs this data? (CRM & Accounting)
• Is the data used in a workflow?
ETL
• Do you want to do data mining in house? (CRM)
• How do you get the data into the “Universal Business Management Tool” (Excel)
Operations
How are helpdesk going to treat the SaaS App?
• Not involved at all
  • Then how do you measure quality?
• Ideally add the SaaS Vendor as a 2nd line in the Trouble Ticketing system
  • Trending/metrics for decision support:
    • Is user training needed?
    • Bugs/poor performance or availability: challenge the SaaS provider
  • Helps with SLA measurement
• “Light weight” integration with the enterprise monitoring system
  • Helpdesk know of a problem before your users
Security / Compliance
Are you subject to regulations? These extend to the SaaS Provider
• Industry regulations: SoX, ECB, BASEL II, EMV
• Data Protection: EU & USA incompatible
Common Criteria to at least EAL 3 on all layers of the SaaS stack – network, OS, application, Database etc.
SaaS Infrastructure Integration Checklist (SiiC)
Define and implement an Identity Management strategy
Obtain skills in Federation technology and products
Create an architecture for operations and data integration which supports SaaS Applications
• Doing it one by one = quick path to chaos
We are responsible for
Integration
• Users: another username, training?
• Helpdesk: another app, where is 2nd line, what about password resets..
Contractual
• Lawyers: regulatory compliance
• Data ownership
We (IT) are responsible for
Contractual
• Operations, operations, operations
• Data ownership
Operations, operations, operations
• Does the provider follow formal operations frameworks?
• Security accreditations?
• User training?
• Ability to turn on/off functionality
• Can you define when upgrades occur
Operations, operations, operations
Impact on business continuity
• Can you make brick-level restores? Is there a charge for this?
• What Disaster Recovery or Business Continuity level do they offer?
Data ownership & Compliance
• What is “data”?
• Do you have any internal policies about customers’ data
  • Microsoft policy for Personally Identifiable Information (PII) = no vendor has access to PII without adopting our policy (legal agreement)
Summary
Consuming SaaS in the Enterprise =
• Integration
• Infrastructure
• Operations
SaaS has similar challenges to outsourcing
• Contracts
• SLAs
Multiple SaaS applications introduce a new set of complexities we need to address
SaaS “Keep My Job” Checklist
[Chart: Pain/effort per checklist item, for LoB Application and Tactical Application. Items: Identity Integration, RBAC, Operations Integration, Security Accreditations, Contractual SLAs, Data Ownership, WS Data Access]
Conclusion
Enterprise LoB Applications delivered as SaaS
• Paradigm not yet mature
  • SaaS Providers
  • Technology
Software plus Services
• Established technology patterns: Windows Update, Hosted Email, Spam filtering..
• Established business model: Reuters, Bloomberg, Antivirus..
QUESTIONS?