What if you and your employees could use one user name and password across all the web applications you use? Intel (INTC) and McAfee (the security software company Intel acquired in 2011) are today rolling out software for providing such single sign-on across all software-as-a-service applications, with user names and passwords stored and managed in Salesforce’s cloud utility, Force.com. This is the first in a series of cloud computing security products Intel has planned. It already has an on-premise identity management product called McAfee Identity Manager.
The new product, which is called Intel Cloud SSO, is meant to help companies that seek the lower cost and quicker deployment of SaaS applications but balk at the security implications. "One of the biggest challenges of moving to a cloud/SaaS environment is getting a level of control on who’s accessing what information when," says Girish Juneja, director of application security and identity products at Intel.
"One of the things we've learned in this process is the average enterprise uses 20+ cloud applications," says Juneja. "This ranges all the way from Amazon's web services to the Paleo payroll application. In many cases, users are carrying bags of passwords -- in some places, it's yellow sticky notes around the computer, in other places it's in a file somewhere."
The trend toward "bring your own device" or "IT consumerization" -- in other words, the common occurrence of employees wanting to access work documents and applications from their personal devices, such as iPads, iPhones, and Android phones -- adds to the challenge of trying to control who can access what from where and when. "While enabling users to use the device they want, there's a security issue that needs to be addressed well," Juneja says.
The solution being rolled out today comes out of Nordic Edge, an identity software company Intel acquired in 2011. Force.com was selected for its wide corporate adoption. "We could have hosted it on many different cloud platforms, but Force.com has the largest number of enterprise customers trusting it for their CRM solution," says Juneja.
Intel calls the pricing structure for the software "freedom licensing," with one subscription price per user, no matter how many apps they use. "It frees the user, admin or buyer from worrying about whether using new features down the road will change their pricing." This is reminiscent of the application service provider model of the 90s, with its per-user licensing fees, versus the more common pay-by-the-drink model of some of the large cloud providers today, where you pay only for what you use.
Intel expects the user base for this new software to fall into two groups. The first is those who already use Salesforce CRM and want to extend the identity management there across other web apps such as Cisco Webex or LinkedIn, with one set of credentials for all SaaS apps. "If an employee leaves the organization, there's one simple button to deactivate them from all those services," Juneja says. The other anticipated user group is companies that do not use Salesforce today but are just making forays into the cloud. Such companies can start managing identities for non-Salesforce apps in Intel's cloud service. Alternatively, they can locally control their access through a directory they’re already using, such as Active Directory or any LDAP-enabled directory, but still offer single sign-on through an "identity bridge" Intel has developed that allows the cloud service to perform authentication through the local directory.
The specialty of this product is its ability to handle identity provisioning, according to Juneja. “There are many cloud identity solutions that just focus on single sign-on. But the soft underbelly of identity is identity provisioning,” he says. “How do I provision a user from one identity store into other SaaS applications – the identity store has to have some notion that the user exists as a valid user in the system.” The technology acquired from Nordic Edge can enable account provisioning and deprovisioning for multiple SaaS applications from one point.
The software also provides a one-time password, again part of the Nordic Edge technology. “Whether you're carrying an iPhone, iPad, BlackBerry, Windows Mobile or Android device, you download an app, you can access the service using a one-time password -- this enables BYOD in the enterprise,” Juneja says. “Now I don’t care as much if you’re bringing your own device because I can still add a level of control over from which device you can use to actually access an app.”
Intel has been beta testing this service since March with 20 accounts (200 companies signed up for it, but only 20 were selected, Juneja says).