In many ways, identity management in enterprises is back where it was in 2001. We've spent the last decade cleaning up users and roles and provisioning and single sign-on but then the cloud happened. Half of the access your users need is outside the enterprise in the cloud (I made up that stat, please don't quote it). And the cloud isn't quite as easy to control.
The first part that is out of control is that individual business units can go out and contract with a cloud application; they don't necessarily need to rely on IT to install it and configure it. They usually get a web-based management console and take to doing the provisioning & deprovisioning manually despite there being a much smarter way to handle it.
So your first and biggest challenge is just knowing what applications there are. Finance is usually the only place that can even help you with that. Then you need to know who should and shouldn't have access to this application. Basically, what roles in your organization should have what role in that application.
Then you have to speak to that application. Thankfully, most cloud applications have APIs but you have to learn all of their APIs and find a way to code the basics of provision, deprovision and roles. You need to find a way to manage changes in roles and make sure that you aren't paying for users that aren't using the application any more.
And, lastly, the age old password issue. The most insane downside to the business setting up their own cloud apps is that they will still blame IT for them having to remember another password.
All of the above sounds familiar. It is exactly the same discussion that was had around whiteboards at the turn of the century, just with the added cloudy complication that IT doesn't control all of the applications.
Rest assured though, some identity and access management vendors have kept up. EmpowerID's metadirectory connects to cloud or on-premise applications equally. Managing user provisioning, authentication and role based access control are as simple as mapping our workflow shapes to cloud application APIs.
Your provisioning and deprovisioning can be handled based on your role within the organization. Only sales gets an account in Salesforce, marketing to Hubspot, support to Zendesk, everyobody to Office 365. By managing roles dynamically, if someone moves from sales to marketing, you can deprovision the Salesforce account, improving security and your monthly bill.
And each of these applications has roles within it so not all Sales department roles get the same level of access in Salesforce. An account executive has a certain level of access, while a sales director has a more robust role. By incorporating a simple drag and drop visual role mapping capability, EmpowerID allows you to manage application roles in the same way you manage your corporate roles.
But connectors and APIs don't help with the password problem. Thankfully, SAML, OAuth, OpenID, WS-Trust and WS-Federation do. Most cloud applications are SAML-enabled, meaning that you can federate with the cloud applications and offer a single sign on experience. Users authenticate into your network, click on a link to their cloud application, empowerID's secure token service sends a SAML claim over to the federated application and, boom, single sign on!
EmpowerID's claim to fame in this equation is that it is one single platform handling the provisioning, deprovisioning, RBAC, and federated single sign on. They can be decoupled, but having a single purpose-built platform handling all of the heavy lifting for on premise and cloud identity management is much more 2013 than 2001.
We learned a lot of lessons in Identity and Access Management (IAM) over the last decade, let's not let the cloud make us forget them. I've included a few links to whitepapers below, please click on them to see how empowerID embraces the best practices of IAM in the cloud. And, most importantly, schedule a demo to see how it might fit into your environment.