Kindle Notes & Highlights
Read between
January 13 - January 17, 2020
Richard Stallman, founder of the Free Software Foundation and creator of the computer operating system GNU, told the world in 2008 that using web-based apps like Gmail was “worse than stupidity . . . if you use a proprietary program or somebody else's web server, you’re defenseless. You're putty in the hands of whoever developed that software.” [1]
“Why Email Is Safer in Office 365 Than on Your Exchange Server,” [4] declared another 2017 headline from CIO.com.
SaaSOps is all about automating the operational administrative and security tasks necessary to keep an organization’s SaaS applications running effectively.
SaaSOps is based on two core principles: management and security.
SaaSOps was born out of a need for faster, more efficient management of SaaS apps (with less human error).
SaaSOps (noun): a philosophy referring to how software-as-a-service (SaaS) application data is managed and secured through centralized and automated operations (Ops).
Instead, SaaSOps focuses on what’s in IT’s wheelhouse: the operational tasks related to managing users and the ways those users engage with SaaS applications.
Authentication vs. authorization. Authentication is the process of granting access to apps by verifying that users are who they claim to be. Authorization is what comes next. It grants access to specific SaaS data, configurations, resources, or functions.
For companies moving to SaaS, authentication solves the first order problem: identity and access. Authorization solves the second order problem: user interactions.
SaaSOps introduces a new concept for IT in the digital workplace: Control and secure the user, not the infrastructure or perimeter.
To protect your data, you have to control and secure who has access to it.
However, while authentication is a good way to begin controlling and securing users, it’s only half the battle. It’s akin to a doorman at the entrance of a building: They grant entry, but what happens after that? Security doesn’t stop there. Inside the building, there are CCTV surveillance cameras, alarm systems, and additional guards, all to monitor what people are doing, look for abnormal activity, and make sure they continue to behave in a safe manner after they enter.
Similarly, once a SaaS app authenticates a user, security shouldn’t stop there. It’s critical that you understand what’s actually happening within those applications post-authentication too.
This is the authorization layer. What data are users authorized to access, download, forward, copy, export, change, add, update, preview, edit, print, upload, share, delete, create, and so on? What entitlements or settings can users modify? What groups and distribution lists can they join, view, edit, delete, or share? That’s where the concept of user interactions comes in.
There are three types of interactions: interactions with your own data, interactions with trusted users, and interactions with untrusted users.
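The following is an added illustration, not text or code from the book: a small post-authentication authorization check in Python that separates the two steps the highlights describe (authentication first, then per-action authorization) and classifies a share target as one of the three interaction types (own data, trusted user, untrusted user). The tenant domain, roles, permission table and user records are constructed for the example; the audit trail stands in for the “CCTV inside the building” idea.

```python
"""Added example (not from the book): authentication, then authorization,
then classification of the user interaction, with an audit trail.
All names, roles and the tenant domain are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TENANT_DOMAIN = "example.com"  # assumed corporate domain (constructed)

# Actions each role may perform on company data once authenticated.
# Constructed policy table, not from the book.
ROLE_PERMISSIONS = {
    "viewer": {"preview"},
    "editor": {"preview", "edit", "download"},
    "owner": {"preview", "edit", "download", "share", "delete"},
}


@dataclass
class User:
    email: str
    role: str
    authenticated: bool = False  # set by the identity step, not by this code


@dataclass
class AuditEntry:
    actor: str
    action: str
    allowed: bool
    reason: str


def classify_interaction(actor: User, counterparty_email: str) -> str:
    """Map a share/forward target to one of the three interaction types."""
    if counterparty_email.lower() == actor.email.lower():
        return "own-data"
    domain = counterparty_email.rsplit("@", 1)[-1].lower()
    if domain == TENANT_DOMAIN:
        return "trusted-user"
    return "untrusted-user"


def authorize(actor: User, action: str,
              counterparty_email: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Authentication is checked first; the
    per-action decision is the separate authorization step."""
    if not actor.authenticated:
        return False, "not authenticated"
    allowed_actions = ROLE_PERMISSIONS.get(actor.role, set())
    if action not in allowed_actions:
        return False, f"role '{actor.role}' may not {action}"
    if action in ("share", "forward"):
        kind = classify_interaction(actor, counterparty_email or "")
        if kind == "untrusted-user":
            return False, "external sharing blocked by policy"
        return True, f"{action} to {kind}"
    return True, f"{action} permitted"


def decide(log: List[AuditEntry], actor: User, action: str,
           counterparty_email: Optional[str] = None) -> bool:
    """Authorize and record the decision so post-authentication activity
    is visible, whether or not it was allowed."""
    allowed, reason = authorize(actor, action, counterparty_email)
    log.append(AuditEntry(actor.email, action, allowed, reason))
    return allowed


def run_sample() -> List[AuditEntry]:
    """Constructed sequence of requests against the constructed policy."""
    log: List[AuditEntry] = []
    alice = User("alice@example.com", "owner", authenticated=True)
    bob = User("bob@example.com", "viewer", authenticated=True)
    guest = User("guest@example.com", "editor", authenticated=False)
    decide(log, guest, "preview")                           # denied: no auth
    decide(log, bob, "edit")                                # denied: role
    decide(log, alice, "share", "bob@example.com")          # allowed: trusted
    decide(log, alice, "share", "someone@other.test")       # denied: untrusted
    decide(log, alice, "share", "alice@example.com")        # allowed: own data
    return log


if __name__ == "__main__":
    for entry in run_sample():
        print(entry)
```

The design point is that `authorize` never grants anything on the strength of authentication alone; every action is matched against the role table, and the outbound actions (share, forward) are additionally gated on who the counterparty is, which is where the three interaction types become a concrete policy rather than a taxonomy.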
Sixty-two percent of IT professionals believe that the biggest security threat actually comes from well-meaning but negligent end users.
Seventy-five percent of IT professionals believe that cloud storage/file sharing and email are the biggest security challenges.
Trusted users have authorized access to the right data at the right time.
• Worker type (remote/part-time/temp vs. full-time). Similarly, if you have a significant number of remote, part-time, or temporary employees (e.g., contractors), that may also place you on the right side of the spectrum. Less loyalty, higher turnover, a transient workforce, users relying on their own Wi-Fi to access company data, lack of control over user devices—all of this may mean stricter security rules.