In my last blog post, I wrote about how it’s a brave new world of SaaS apps and mobile devices for today’s knowledge workers, who now have a myriad of choices on how to access business applications, with mobile being the new, preferred way to do so. And they use a lot more applications than they did just a few short years ago. This increasing number of applications can be accessed via the Cloud or software-as-a-service (SaaS), as well as on-premise, and spans CRM (customer relationship management), ERP (enterprise resource planning), HCM (human capital management), SFA (sales force automation) and many, many others. But this introduces some interesting challenges, including the rise of too many passwords for end-users, increasing numbers of mobile devices accessing applications, and IT’s loss of control and visibility.
The first challenge is that end-users deal with too many passwords. Within Centrify, a small-to-midsize company of just a few hundred people, we routinely use eighty different SaaS applications, including Salesforce, Webex, Dropbox, and many other common SaaS applications. And hundreds more if you count all of the procurement, invoicing, and financial applications. Every one of these applications represents a username and password. That represents an unreasonable number of passwords to have to ask users to manage on their own.
At the same time, passwords are becoming inherently weak. The fact that we even call passwords a security measure has become a little bit of a joke. They are more of an inconvenience to end-users than they are to people who are phishing or trying to breach the password stores. We see this in all sorts of news articles, with even the largest vendors having trouble keeping passwords secure. Add to that all the end-user sharing and re-use of passwords, and passwords by themselves are no longer sufficient.
The second challenge is the increasing number of mobile devices accessing applications. With all of these mobile devices being used as clients, it’s interesting that we are at one of the lowest points of enterprise security that we’ve ever been. These devices need to be managed and trusted so that they are free of spyware and aren’t being used by people who don’t belong to the organization.
We also need to recognize that end-users prefer their SaaS applications to offer rich mobile clients on the device. Facebook itself bet big on HTML5 as the interface for mobile and discovered that Facebook users preferred rich mobile clients. And so this last year you’ve seen them pour tens of millions of dollars into building rich mobile clients for Facebook. Similarly, most enterprise SaaS applications today have rich mobile clients because that is the preferred choice of end users.
The third challenge is that IT must rely on users to manage their own passwords as they adopt individual SaaS applications and their mobile apps, and must also deal with the number of remote and untrusted devices being used. It’s amazing how in just a few years most knowledge workers have gone from using just their laptop for work to using their laptop, their home computer, mobile devices, etc. They routinely swivel between an iPhone and a tablet depending on which form factor or client works best for them. That amplifies the password problem, and it increases the surface area for security problems.
In summary, IT needs a new model, one that secures the proliferation of mobile devices, solves the password challenge, and allows IT to regain some of the access control and visibility it enjoyed when it managed everything inside the firewall. The formula for this is to start moving away from passwords as the primary security mechanism for apps, which I’ll write about in my next blog post.
Until then, what do you think?