Thursday, October 18, 2012

How do I Prevent Side-Door Access?

Despite all of the best laid plans of an organization, it seems like lines-of-business and individuals are still going to the internet to leverage services that put the organization at risk.  "This file's too large for email, I'm just going to throw it up on my personal Box account."

That's just the accidental scenario. There's the more nefarious 'Kinko's run', where the terminated employee heads to the local internet shop to download the contact list from an online CRM account that hasn't been de-provisioned. Like most solutions, there's a people/product/process side to making things easier for employees, while keeping employers out of trouble.

From the product side, many cloud identity providers can leverage SAML to prevent side-door access to cloud service providers. The Service Provider always redirects back to the enterprise for authentication. Assuming the employee has been removed from Active Directory, or whatever directory the Identity Provider authenticates against, access is cut off.

For many of the SaaS Service Providers that don't support SAML yet, some cloud identity solutions provide Form POST SSO. This Form POST can be paired with a provisioning system to prevent side-door access using a technique called 'password cloaking'. Essentially, the user's password at the service provider is unknown to the user. It is periodically reset by the provisioning tool to ensure that it stays in sync between the Service Provider and the Identity Provider's credential vault used for SSO.

Users authenticate to the Identity Provider with their enterprise credentials and get SSO to the Service Provider without knowing the password to that account. This approach isn't without its problems. The service provider's own reset-password wizard can be used to circumvent the cloaking mechanism: once a user resets the password, it is no longer unknown to them. This is where the people and process come in.
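To make the cloaking mechanism and its weak point concrete, here is an added simulation (not code from the original post or from any vendor): a hypothetical provisioning tool rotates each Service Provider password to a random value only the Identity Provider's vault knows, performs Form POST SSO with the vaulted value, and detects the drift that a self-service reset at the Service Provider introduces. The Service Provider, vault and user names are constructed mocks; a real SP would use a proper password hash rather than plain SHA-256.

```python
import hashlib
import hmac
import secrets


class MockServiceProvider:
    """Constructed stand-in for a SaaS account store (hypothetical)."""

    def __init__(self):
        self.accounts = {}  # username -> sha256 hex of the password (mock only)

    def set_password(self, user, pw):
        self.accounts[user] = hashlib.sha256(pw.encode()).hexdigest()

    def login(self, user, pw):
        stored = self.accounts.get(user)
        candidate = hashlib.sha256(pw.encode()).hexdigest()
        return stored is not None and hmac.compare_digest(stored, candidate)

    def self_service_reset(self, user, new_pw):
        # The reset-password wizard the post warns about: changes the
        # password outside the provisioning tool, so the user now knows it.
        self.set_password(user, new_pw)


class CloakingProvisioner:
    """Hypothetical IdP-side provisioning tool implementing password cloaking."""

    def __init__(self, sp):
        self.sp = sp
        self.vault = {}  # username -> cleartext SP password; never shown to the user

    def rotate(self, user):
        pw = secrets.token_urlsafe(24)  # random, unknown to the user
        self.sp.set_password(user, pw)
        self.vault[user] = pw

    def deprovision(self, user):
        self.vault.pop(user, None)
        self.sp.accounts.pop(user, None)  # disable/delete the SP account

    def sso_login(self, user):
        """Form POST SSO: the IdP submits the vaulted password on the user's behalf."""
        pw = self.vault.get(user)
        return pw is not None and self.sp.login(user, pw)

    def check_sync(self, user):
        """Periodic sync: a failed vaulted login means the SP password drifted
        (e.g. via the reset wizard); re-cloak so the user-known password dies."""
        if self.sso_login(user):
            return "in_sync"
        self.rotate(user)
        return "drift_detected_recloaked"
```

Running the periodic check is what closes the side door after a wizard reset; until it runs, the user-chosen password works directly against the Service Provider.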

If users can be provided a better experience in getting access to shared file services like Box through the enterprise account that is governed by a Cloud Identity solution, most would opt for that approach, knowing that they're being a good citizen and it's easier anyway. Proper education about available services will build the critical mass necessary for adoption.