2011 proved to be the year of “three” for Symplified, in that we accomplished a number of milestone events.  We tripled our revenues year-over-year, increased customer adoption by 300%, and passed the 3 million licensed users mark.  In fact, we are nearly up to 4 million licensed users less than a month into 2012 and that figure is growing by leaps and bounds.  This leads me to the year ahead, and all I can say is that it is going to be one heck of an exciting ride.  Metrics are one thing, but satisfied customers are what truly make a business grow.  With a renewal rate of around 98%, there is a reason that our customers choose Symplified as their identity and access management solution of choice.   Our customers’ continued success comes first, and as a result our success has closely followed.

Forrester Research has predicted that by the end of 2012, the average cloud customer will be using at least 10 different cloud applications.   Application counts, user types, mobile adoption rates, and additional authentication methods are all on the rise.  The name of the IAM game in 2012 is going to be convergence, and that is exactly the language we speak.  Symplified provides seamless identity across all of these multifarious platforms and devices, creating an end user experience that has become the benchmark of the industry.  We have a number of innovations in store for the year ahead, so hold on tightly – things are really going to take off!

Symplified | The Cloud Identity Company

Our customers were looking for something new under the tree this season. To make their Holiday Wishes come true, we announced our new Symplified ONE offering today. Straight from Santa’s workshop, Symplified ONE enables a one-to-one connection with a single high-value external web application. While “single sign-on for a single application” may sound redundant at first blush, “seamless identity and access management for a single app” casts Symplified ONE in a more appropriate light.

This new offering allows customers to quickly and simply connect their existing Active Directory user store with an outside application while also affording the company complete access control over employee usage. Employees just click on the application’s icon within the company’s Symplified ONE portal to seamlessly gain the access that they need. They cannot, however, access the application outside of the portal… no sneaking down the chimney or leaving a window open to “side door” attacks. Sorry, Mr. Grinch!

Your administrators will marvel at how easy it is to provision new hires to the application due to the connection with AD, and removing access is even easier than that. With Symplified ONE, adding an individual new web application is a snap. No new credentials, no loss in control, no replication of user stores, and no drop in productivity. Symplified ONE just works, and it is available today!

Symplified | The Cloud Security Company

Naturally, the mobile device, especially iPhone and iPads, have made their way into the workplace. Not because they are neat to have at work, but because they are handy and helpful in getting work tasks completed. Some companies have embraced mobile technology and have provided these devices to their employees to help them improve productivity and get their jobs done more easily.

Over the past few years the line has blurred between personal and work life. This new mobility allows employees to work from the office, their home, or on the road. There is no distinction between location and no delineation when the workday starts or ends. Regardless of the philosophical implications of this new, mobile world and its impact on our lives, it’s with us and it must be managed from an IT perspective.

Companies face the challenge of managing devices that they may not own because the employee has purchased them. This is where identity management can play a key role. In addition to managing cloud-apps and user accounts scattered across your network, your IT staff must implement an identity management solution that can manage mobile devices…one that is flexible enough to include new devices that want to join your network. Mobile devices are those new devices right now!

Your identity management solution must also be flexible enough so that is does not require the installation and maintenance of software on the tablet or smartphone. This type of flexibility makes it possible to secure any mobile platform and operating system since the employee owns many devices and they would prefer to not have corporate controls installed directly on them. Utilizing a single sign-on URL, for example, where the user can go to log in will allow you to manage employee access and yet not impact their mobile device. A single sign-on solution for mobile users also allows them to access the corporate apps to which they have access.

Increasingly the technology assets that your employees use may not be company-owned. IT must strike a balance between their need to access the corporate network and the need to protect and manage access to valuable intellectual property. Identity Management that supports mobile devices is your best option to ensure that both groups meet their objectives.

Symplified | The Cloud Security Company

There are bills currently making their way through congress that, if passed, will seriously affect Internet use and will have negative effects on technology innovators — both companies and individuals. This post gives a brief description of the bills, how they negatively impact technology innovation, and lastly what you can do about it.

Basics About the Bills
They are the Senate bill Protect-IP Act, and the House bill Stop Online Piracy Act (also known as the E-Parasites act) and are very similar. The positive intention behind them is to reduce piracy of copyrighted information on the Internet. Sounds good so far. The problem is how they do it. If you’ve got 4 minutes, this video is a great summary:

http://tinyurl.com/7sbu983

Since most piracy takes place outside the US, and the government can’t do anything to shut down the actual site, these bills give the government the right to legally require any infrastructure providers with US operations to block Internet access to these sites, and any websites to remove links and imbedded content. And, if they don’t comply, the companies and sites could be shut down. It also allows for entities to sue each other to remove links, embedded content, etc.

Why this is Bad for Innovation
These bills would put restrictions and create huge liabilities for any site that employs user-generated content, as it is impossible to control everything that any user is going to post on a site. There are already controls in the Digital Millennium Copyright Act to protect copyrighted content, as pointed out in this Wikipedia article, and these recent bills take it too far. Google has been opposed to these new bills. Facebook, Twitter, and eBay have also recently publicly called out against them.

Fred Wilson (a prominent VC in NYC), has a great post on these bills. Even if a web technology company is not guilty, just the fact that they may have to pay huge lawyer fees to defend themselves against frivolous lawsuits could be enough to ruin them. The big companies are better able to handle lawsuits like these, but it would crush a 3-person start-up. And that would make venture capitalists less likely to invest in a new Internet technology innovation. Fred also points out that it is the technology sector that is creating jobs in America today, and bills that stunt technology innovation are bad for the economy. We need more jobs and technology is one place that is providing job growth today.

What You Can Do
You can go to the American Censorship website to send a letter about SOPA. You can also visit Fred Wilson’s blog post and use new technology from Votizen that turns your comments on his post into a letter about the Protect-IP act to your representatives. Last, spread the word. That’s one of the greatest accomplishments of Internet technology innovation, isn’t it?

Symplified | The Cloud Security Company

These access scenarios create a number of challenges for companies who must look beyond their firewall to manage identities hosted in the cloud or in another repository somewhere within the corporate network. Secure access to resources and applications scattered between the enterprise network and the cloud is quickly becoming the norm at many companies. Companies who are faced with these challenging identity management scenarios quickly find out just how portable their identity management solution is.

For some companies who have implemented older identity management systems, they may have difficulty adapting their solution to include cloud-based apps. There are problems with vintage identity management solutions. By vintage, I mean those IAM solutions that don’t work in the cloud and those solutions that provide a very rigid set of features designed to support a very specific application or set of applications. You will find that integrating new applications with legacy IAM systems to be very difficult and costly. The solution to adding new applications requires changes to the application itself and the client software. Client software is typically “brittle” meaning that it’s easily broken when modifications are required. Adding new applications to be supported by a vintage IAM solution can take weeks to months for developers to build the code to support them.

The idea of portable identity and access management means your IAM solution can be extended across multiple user types and across multiple infrastructures. For example, you may be a smaller company that has adopted a number of cloud apps to handle various aspects of your business such as payroll, HR, customer management, and so on. You also have a workforce that is using Active Directory and that is your central repository for managing all users and their access.  Rather than having to manage user access and multiple user stores in the cloud and behind your firewall you want a common user store to manage all users. If a change is made behind the firewall to a user, you want that change effective outside the network as well. A portable identity management system allows you the flexibility to have your user reside wherever you want.

I believe that with your identities in the cloud, you shouldn’t be forced to compromise between the cloud and the enterprise.  That’s why Symplified provides a complete feature-rich platform that includes all the necessary components you need to realize a portable identity and access management solution. These components include single sign-on, access management, user management, and audit. Without a complete IAM solution you may find that as your needs change and your business moves towards the cloud, that you’re left to choose between the cloud and the enterprise and duplicate access in multiple locations. That’s not the direction I believe most companies want to in. Simplicity is the buzzword of today’s IT administrators and users.

People often assume that all identity services are inherently security services as well –- perhaps because these services enable access to applications and often transmit information that people consider sensitive. In reality, identity infrastructure providers offer a wide range of capabilities – each with different security properties. Some service providers focus on offering end users the convenience of only having to log in once to access all of their applications. Other vendors take a more security-oriented approach, focused on enabling the enterprise to control end user access to sensitive resources, where SSO is a secondary benefit. It is very important that enterprises adopting cloud identity services aren’t confused about exactly what they are going to get from the service they choose, because security and convenience are very different things.

How do you know if an identity service is security-oriented? Here are a few things to look for:

A security-oriented identity infrastructure service won’t require you to replicate and manage your users outside your enterprise.

• Local network login credentials stored and/or managed in a third party datacenter weakens security of a local network.
• This is just making the fundamental problem of identity silos worse, creating another point of user administration.
• Combining user data across multiple enterprises makes it a more attractive target for hackers.
• Storing the Personally Identifiable Information in a third party datacenter increases the risk-profile that data could be compromised (more attack vectors), and violates end-user privacy agreements in many cases.

A security-oriented identity infrastructure service will provide an enterprise with the ability to create a secure cloud application access environment.

• It will provide true access control by preventing a user from accessing an application directly.
• It will enable an enterprise to enforce extensive and flexible policies around strong authentication and authorization for specific applications – basing them on such things as user profile information and their device.
• The service will not require end user traffic from multiple customers to come through the same monolithic platform – becoming a single point of a failure and making it more susceptible to threats such as DDoS.
• It will enable an enterprise to extend its existing user stores (i.e. Active Directory) to manage the provisioning and de-provisioning of accounts in cloud services.
• It will not trust the client device with application credentials.

A security-oriented identity infrastructure service will provide a detailed audit trail of all of the user’s interactions with all applications.

• Enterprises need to have their own audit trail of their end-users’ activity and not rely on that of their application providers (SaaS) across all protected applications.
• This audit trail will not depend on the client device.

A security-oriented identity infrastructure service will provide an option for you to keep web traffic inside your enterprise.

• Many of the requests for application services contain sensitive data embedded in the HTTP requests. Data such as account numbers and PII may be part of a standards-based SSO login request.

While it is important for Single Sign-On to be implemented securely, it is only one small part of the identity integration required to provide secure access to web applications and resources. A secure implementation of properties such as access control, audit, and provisioning is required to provide an environment where it is possible for an enterprise to manage risk and be compliant with regulation.

Past IAM solutions have proven to be costly and difficult to expand across multiple applications and partners. Every time users needed to access a new application, a new connector needed to be built. This process could take weeks or even months to complete. This is a significant drawback to the older IAM solutions. Consequently, we are seeing the introduction of Single sign-on solutions that address the typical complexity of IAM across the enterprise and cloud landscape. Single sign-on from the cloud is gaining traction as a viable solution for many companies looking to bridge access between their internal web applications and their cloud applications.

However, there are multiple considerations when evaluating single sign-on solutions from the cloud. One of the first considerations is to understand what applications you would like to manage. Are you a company that has legacy applications that reside behind your firewall and need a high level of configuration? These applications will most likely continue to reside behind the firewall. It’s becoming more common that companies need to grant access to these applications to external partners and sometimes customers. You want to ensure that your IAM solution has a way to enable these types of applications with complete security, provisioning, and auditing capabilities.

Perhaps you are you a company that has made the jump entirely to cloud applications. What kind of authentication mechanisms do you have in place? Are you relying solely on the application provider to provide authentication for all your users? Maybe you are looking for a way to provide single sign-on to your employees for multiple cloud applications.

Next, are you using Active Directory along with other authentication schemes to manage user access? You may have some applications that utilize Active Directory for authentication. You may have other cloud apps that use that application’s user store. Is your intention to continue to manage Active Directory users and cloud users separately or would you like to see them managed from a central location? Are you looking to manage some of your accounts internally while managing other accounts in the cloud? What type of synchronization would need to occur between these sources? The security of placing your directory data in the cloud is also something to consider.

I realize these are a lot of questions. But, they are critical points that you must consider before deploying a cloud-based IAM solution. While single sign-on is the first thing that comes to mind when managing user access, we also need to understand that access control, user management, auditing, and reporting are essential elements of a complete IAM solution. If your company is typical, you most likely have a mix of internal and external applications. You probably have multiple user stores scattered across your network. Switching over to a completely cloud-based IAM solution may be your end goal, but you realize that it will take time to fully make the transition. Your IAM solution must be flexible enough to take into account all these variations of user access and application location.

Symplified is the leading provider of flexible and complete identity and access management. Your applications can reside anywhere. Your users can be internal or external. Your account information can reside internally or in the cloud. You can grant application access to any user, at any time, and on any device. Symplified scales for any size organization with complete auditing and reporting capability. While single sign-on gets front page news, there is a supporting cast of characters that comprise complete IAM.

Symplified | The Cloud Security Company

The original challenge for IT was to make sure that external employee-owned devices could attach securely to the network so that corporate access and its data were secure. IT was stuck in the middle trying to meet employee expectations and keep the network (and their jobs) safe from unwanted intruders. The first level of access for mobile devices was email. As soon as someone purchased a Smartphone or tablet, they wanted it to have personal and corporate email access.  For many companies, providing email access to their employee’s mobile devices is being done on a regular basis. Companies are also implementing mobile use policies and enforcing them through various software solutions.

But the consumerization of IT goes beyond iPhone, iPad, and Android devices connecting to your network. Companies must also look at what the cloud has done in terms of consumerization of IT and how it might impact their employees and the corporate network. Anyone, including your employees, can access cloud applications. All anyone needs is a network connection and a credit card, and sometimes they don’t even need a credit card. Because it’s their own device, employees will access any applications that they feel are important to their jobs and personal lives. This means that employees will access social network sites along with corporate applications. Their social activities and work activities tend to blur together throughout the entire day. There is no longer a clear delineation between a job and personal life.

Your employees want application access beyond corporate email, that’s for sure. Depending on their job function, they want access to CRM systems, HR systems, payroll, and other sales tools. They may also want access to Google Apps and other corporate resources hosted in the cloud. So, the question of consumerization is much broader than just employees bringing their own laptops or iPads to work and connecting to the corporate network. Enterprises and IT managers must also look at the applications their employees need to access behind your firewall and in the cloud. Companies must devise a strategy to provide streamlined and secure access to these applications.

Employees want the ability to access sales tools (or whatever application) from their desktop in the morning, move into a meeting with their iPad that afternoon, with access to the same application. This transparency across devices and applications that reside anywhere is the utopia for employees who are using their own devices in the workplace. Achieving this utopia requires cutting edge identity and access management tools that support single sign-on and provide secure mobile access. Reporting capabilities that can track mobile device usage and access are also paramount given this age of compliance and regulation.

Symplified manages users, not devices. There’s a big difference. With Symplified, a user can utilize whatever device works best for them and still receive the same seamless access to all their applications, whether on-premises or cloud apps. IT can unburden them from trying to manage disparate devices accessing the corporate network and focus on helping employees securely work the way they want to work, regardless of location or device. IT can provision and grant access to users once for any and all devices in the user’s possession.

The consumerization of IT is here to stay and it’s no longer just an iPhone here and there. It’s a large portion of your employees who want access to all that helps them lead a more fulfilling work and personal life. We can choose to ignore this reality or embrace it to create a more effective and productive workforce. Instead of being a roadblock to productivity, IT can embrace it knowing they do it efficiently and securely. Let the consumerization roll in!

Symplified | The Cloud Security Company

But many security breaches are the result of user error. The “door” to the corporate data has been left open somewhere and someone has found a way to hack into the servers that contain the data. A password has been found or an old user account was never deleted. Other reasons for the breach could be that someone did not update the virus software on the end user devices. Or someone did not apply the necessary patches to the servers or client devices to prevent a particular breach.

Many companies, even small ones, face ever more complicated security challenges. As they open their business up to global customers and partners, managing security and access to corporate data becomes more difficult. There is so much to know about how to provide secure access and so much to keep track of that’s it’s quite likely that mistakes will be made. Using multiple products to manage identities is also difficult and prone to errors. Provisioning users is ongoing as employees, customers, and partners request access to your data to conduct business. Deprovisioning users is also needed whenever an employee leaves or someone else must have their access to your network revoked. And then there is the ever present compliance rules that you enforce and report on.

Cloud-based identity management makes sense for any size company because of several key reasons. First, I would argue that the cloud is more secure than many networks. A cloud-based identity management service can be provided by a well-trained provider who is SAS-70 compliant. They do this security stuff day in and day out. That’s their specialty. They are constantly focused on delivering security and you’re not.

Second, they provide updates to core software components automatically. You don’t have to worry about updating an identity management system when it’s being delivered through a cloud security provider. You can leave the heavy lifting to them and they can provide you with guaranteed levels of service. A cloud service eliminates you having to plan and manage a costly, complicated, and lengthy update to your network.

And third, they are on the lookout for hackers all the time. They provide tech support 24X7 and can send you alerts when needed so that your network continues to run without interruption. The cloud can also generate audit reports across your entire system without having to do more than push a button in many cases.

So, what’s in cloud-based identity management for you? Peace of mind, that your identities are protected and hence your data too. Nearly all companies recognize the benefits of cloud apps such as email, CRM, and HR applications. Managing identities in the cloud makes good business sense and good security sense.

Author: Darren Platt, Founder and CTO

Symplified | The Cloud Security Company

From the End User’s perspective, they would like:

• Convenience - Want the ability to only authenticate once.
• Security – It’s more secure only having to remember one username/password – they can make it stronger and don’t need to keep written down.
• Privacy – Users want to know that their personal information is not being shared unnecessarily or insecurely.

From the Enterprise’s perspective, they would like:

• Control – Enterprises need to be able to enforce policies about what users are able to do for risk management and regulatory compliance.
• Visibility – Enterprises need to be able to quickly understand how their users are interacting with their protected resources.
• Productivity – Enterprises want employees to be able to access their tools as easily as possible and have customers access their products and services with minimal friction.

When we talk about the IT function within an enterprise we could be talking about a role within a business unit or a department within an enterprise – it really depends on the size and structure of a given enterprise.  What they are concerned about is:

• Flexibility – Different scenarios require different types of deployments. For example, in some cases an enterprise needs its identity solution to provide a way to manage users while in other scenarios they already have a user repository. Another example: in some cases it makes sense to have a user come through a portal to access their applications while in others those users need to be able to access their applications directly from a bookmarked URL.
• Multi-Tenancy – The true cost savings of the cloud are only offered by the cloud providers who are able to leverage a multi-tenant infrastructure.  With identity services, this means that the integration required to interact with SaaS providers is provided as part of the platform.
• Quick Deployments – Enterprises that are adopting Identity-as-a-Service solutions need to realize the benefits of those services as quickly as possible, and are unable to wait for the typical multi-month deployment of on-site WAM infrastructure.
• Scalability – As enterprises adopt cloud offerings they want to know that these capabilities will scale and ‘burst’ with their usage.
• Security – Part of the overall responsibility of the role.

Any enterprise wanting to deploy identity technology should consider how the concerns of each of these types of stakeholders would be addressed by a proposed approach.

Author: Darren Platt, Founder and CTO
Symplified | The Cloud Security Company