Reality Check: Easing the burden of SaaS

Of all the issues IT will deal with in 2007, from maintaining regulatory compliance to building out SOAs, SaaS (software as a service) could quickly become the new focus of IT. In fact, forget about SaaS vendors' claims that the SaaS model eliminates the need for significant IT oversight; the opposite is actually closer to the truth.

As SaaS enters the mainstream, either by way of pure-play SaaS players such as or by way of Microsoft, Oracle, or SAP offerings, one critical challenge must be addressed. And that challenge is access and how to manage it, says David Thomas, executive director of the Software and Information Industry Association (SIIA). Fortunately, Thomas says, companies are working behind closed doors to solve the problem. But as is often the case with closed doors, Thomas is not at liberty to talk about the projects or their progress.

I found that Aladdin Knowledge Systems is one of those companies working in stealth mode on SaaS access management. I spoke with Benny Shavi, director of business development at the Tel Aviv, Israel-based company, about the challenges Aladdin and other companies are trying to solve to help make SaaS an enterprise-worthy alternative.

Suppose your company has a payroll of 5,000 or more employees divided into 10 departments and each department uses between four and 10 SaaS applications. IT is dealing with, at the low end, 40 hosting organizations to make sure every user can access SaaS apps at any time from anywhere on any device.

The question is, How will authorization and authentication be handled when a new employee comes on board or an employee is terminated? How do you know that a former employee has been removed from all those systems? How are the passwords managed? Add to this the fact that many SaaS applications are coming in through the back door, department by department, and it's easy to see how managing SaaS access can quickly become an IT nightmare.
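The questions above (did a terminated employee get removed from every SaaS application, and who has access the directory never granted) come down to reconciling an authoritative roster against each vendor's user list. The following is an added example, not code from Aladdin or from the column, written as a defender's audit script: the roster, department entitlements and per-app user exports are all constructed sample data, and the app names and field names are assumptions. It goes slightly beyond the text by also flagging accounts that belong to nobody in the roster and active users present in apps their department is not entitled to, since those are the same "back door" access problem seen from the other side.

```python
"""Reconcile an authoritative directory roster against SaaS user exports.

Added example (constructed data); reports four classes of finding:
  orphaned - terminated employees still present in an app
  unknown  - app accounts that match no employee at all
  excess   - active employees in apps their department is not entitled to
  missing  - active employees absent from apps their department should have
"""

# Constructed roster, as an HR system or directory would export it.
ROSTER = {
    "e1001": {"email": "alice@example.com", "dept": "finance", "status": "active"},
    "e1002": {"email": "bob@example.com", "dept": "finance", "status": "terminated"},
    "e1003": {"email": "carol@example.com", "dept": "hr", "status": "active"},
}

# Constructed: which SaaS apps each department is entitled to (assumed policy).
DEPT_ENTITLEMENTS = {
    "finance": {"expense-app", "payroll-app"},
    "hr": {"payroll-app", "recruiting-app"},
}

# Constructed exports from each SaaS vendor: app name -> e-mail addresses with access.
SAAS_USER_EXPORTS = {
    "expense-app": {"alice@example.com", "bob@example.com"},
    "payroll-app": {"alice@example.com", "carol@example.com", "dave@example.com"},
    "recruiting-app": {"alice@example.com"},
}


def reconcile(roster, entitlements, exports):
    """Compare every app's user list with the roster and entitlement policy.

    Returns a dict of finding class -> sorted list of (app, email) pairs.
    """
    by_email = {rec["email"]: rec for rec in roster.values()}
    findings = {"orphaned": [], "unknown": [], "excess": [], "missing": []}

    # Pass 1: walk what the vendors say exists and judge each account.
    for app, users in exports.items():
        for email in users:
            rec = by_email.get(email)
            if rec is None:
                findings["unknown"].append((app, email))
            elif rec["status"] != "active":
                findings["orphaned"].append((app, email))
            elif app not in entitlements.get(rec["dept"], set()):
                findings["excess"].append((app, email))

    # Pass 2: walk what policy says should exist and find gaps.
    for rec in roster.values():
        if rec["status"] != "active":
            continue
        for app in entitlements.get(rec["dept"], set()):
            if rec["email"] not in exports.get(app, set()):
                findings["missing"].append((app, rec["email"]))

    return {kind: sorted(pairs) for kind, pairs in findings.items()}


def removal_list(findings):
    """Accounts an administrator should remove: orphaned plus unknown ones."""
    return sorted(findings["orphaned"] + findings["unknown"])


if __name__ == "__main__":
    result = reconcile(ROSTER, DEPT_ENTITLEMENTS, SAAS_USER_EXPORTS)
    for kind, pairs in result.items():
        for app, email in pairs:
            print(f"{kind:9s} {app:15s} {email}")
    print("to remove:", removal_list(result))
```

Run on the constructed data, the script reports Bob still present in the expense app after termination, an account in the payroll app that matches no employee, Alice in an app finance is not entitled to, and Carol missing from the recruiting app. The point of the two-pass structure is that the vendor exports, not the directory, are the ground truth for what access actually exists; the directory only tells you what should exist.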

HASP (Hardware Against Software Piracy) ID, which Aladdin will make available in the first quarter of 2007, is a firmware token on a USB key fob or smart card with software built around it on the back end. That software can be customized and linked to what Shavi calls Shadow Domain technology. The Shadow Domain feature uses the same system as LDAP or Microsoft Active Directory, but it stands in another domain, Shavi says.

"[Shadow Domain] allows you to do all enrollment and management of SaaS," Shavi tells me. So, if you extend access rights to, say, an HR program, that change is updated in the Shadow Domain and is then replicated to, say, Active Directory. Without HASP's firmware token, the user cannot access any SaaS application. This kind of two-factor authentication is not perfect, but by having two components -- something you know (the password) and something you have (the token) -- security is enhanced.

All of the passwords can be aggregated into a single virtual password on the token. The token can store X.509 credentials, a PKI standard for authorization and authentication, and Aladdin provides an SDK to create and extend any additional information you want to store in the key. The files might be related to user information that is not necessarily stored on the server.

Just as the network-connected desktop gave rise to Microsoft, Oracle, and SAP, as vendors such as Aladdin give IT the tools to manage SaaS, the Webtop, as SIIA's Thomas calls it, will be a fundamental game changer that will spawn new giants in the industry.