LDAP is the de facto standard for managing identity information in an enterprise. It authenticates who you are, with a user name and password, and authorizes what you can do, by means of roles (groups). Other useful attributes are associated with the ‘who’, such as your name, email address and manager. In a frevvo context, the name would typically be used to identify an applicant on a form, while the email and manager can be used to route notifications or escalations in a workflow. In order to route workflow tasks by role, we need to answer the question ‘who are the users that have this role?’. LDAP can provide this information, but answering it is not the typical authentication or authorization function LDAP is used for: it requires a direct connection to the LDAP for a search query, which most organizations are happy to allow as long as the access stays within their firewall. This approach has been used successfully in frevvo on-premise deployments for many years.
Let’s now consider a frevvo cloud tenant that needs to access the LDAP. The LDAP now needs to be exposed to the internet, raising visions of hackers stealing identities and personal information. The immediate reaction is to use the tried-and-trusted VPN to secure the connection or single sign-on protocols like SAML that abstract away the LDAP. On the other hand, there is the less popular solution of using a secure LDAP (over SSL or TLS) connection, which is the equivalent of the trusted HTTPS. What is the right approach? VPN offers no more security than secure LDAP as this blog argues, is harder to implement in a multi-tenant product like frevvo, and costs more. Single sign-on protocols like SAML (provided by commercial products like Microsoft ADFS or the open-source Shibboleth OpenSAML) are great for authentication and authorization (and single sign-on, of course) but will not satisfy the routing requirements. We would need to provide a back channel to upload role information to frevvo as we currently do for tenants that do not use LDAP (CSV file import). This is an additional integration that has to be managed by the customer who has the onus of keeping it synchronized, and comes with the risk of stale routing data.
Secure LDAP has the benefit of being just a configuration change (we support both the deprecated LDAPS and the recommended TLS in 6.1) with no change in functionality. Communication between frevvo and LDAP is encrypted, similar to HTTPS. On the other hand, the customer, being in control of security, has to take precautions to ensure that the LDAP information is accessible only to frevvo (origin IP address restrictions), that the data cannot be changed (read-only access), and that only the required attributes are exposed (selective replication). In the case of Active Directory (by far the most popular LDAP), Microsoft recommends the use of an RODC (read-only domain controller) and provides guidelines for implementing the above. With this in place, passwords need not be replicated to the RODC (authentication is forwarded to the associated writeable DC) and hence are not exposed even if the RODC is compromised.
So what is the right approach? Secure LDAP is, well, secure, has all the capabilities we need to provide the required product features, and requires the least integration effort. This would be our recommended approach. For the skeptical, there is SAML with data upload, which is planned for a later release.
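As an added illustration of the routing query and the secure-LDAP precautions above (example code written for this page, not frevvo's own code or configuration): a Python snippet that builds the TLS settings a cloud client should insist on for an LDAPS or StartTLS connection, escapes a role name before splicing it into a search filter, and resolves a group's `member` DNs to user ids over a directory snapshot, following nested groups and guarding against membership cycles. The directory entries, DNs and account names are constructed for the example; the TLS context is built with Python's standard `ssl` module and would be handed to whatever LDAP client library is in use.

```python
import ssl
from typing import Dict, List, Set

# Constructed directory snapshot (not real data): DN -> attributes, shaped like
# what a read-only replica such as an RODC would expose for a routing query.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=Approvers,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": [
            "CN=Alice Smith,OU=Users,DC=example,DC=com",
            "CN=Finance Leads,OU=Groups,DC=example,DC=com",  # nested group
        ],
    },
    "CN=Finance Leads,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": [
            "CN=Bob Jones,OU=Users,DC=example,DC=com",
            "CN=Approvers,OU=Groups,DC=example,DC=com",  # cycle back to the parent
        ],
    },
    "CN=Alice Smith,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"],
        "sAMAccountName": ["asmith"],
        "mail": ["asmith@example.com"],
    },
    "CN=Bob Jones,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"],
        "sAMAccountName": ["bjones"],
        "mail": ["bjones@example.com"],
    },
}


def make_ldap_tls_context() -> ssl.SSLContext:
    """TLS settings a cloud client should insist on for LDAPS or StartTLS:
    verify the server certificate against trusted CAs, check the hostname,
    and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_requires_verification(ctx: ssl.SSLContext) -> bool:
    """True when the context will not silently accept an unverified server."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a search filter, so a role
    name taken from a form or workflow cannot change the filter's structure."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def role_members_filter(role_name: str) -> str:
    """Search filter that finds the group entry for a role by its cn."""
    return "(&(objectClass=group)(cn=%s))" % escape_filter_value(role_name)


def users_in_role(group_dn: str, directory: Dict[str, Dict[str, List[str]]] = DIRECTORY) -> Set[str]:
    """Answer 'who are the users that have this role?': walk the group's member
    DNs, descend into nested groups, and return the user identifiers found.
    Groups already visited are skipped so a membership cycle cannot loop."""
    found: Set[str] = set()
    seen_groups: Set[str] = set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        entry = directory.get(dn)
        if entry is None or dn in seen_groups:
            continue
        seen_groups.add(dn)
        for member_dn in entry.get("member", []):
            member = directory.get(member_dn)
            if member is None:
                continue  # member outside the replicated scope: not routable
            if "group" in member.get("objectClass", []):
                stack.append(member_dn)
            else:
                found.update(member.get("sAMAccountName", []))
    return found


if __name__ == "__main__":
    print(role_members_filter("Approvers"))
    print(sorted(users_in_role("CN=Approvers,OU=Groups,DC=example,DC=com")))
```

Against a live directory the filter from `role_members_filter` would be sent over a connection wrapped with `make_ldap_tls_context`, and the returned group entry's `member` values fed to `users_in_role`; the selective-replication caveat shows up as members that are absent from the snapshot and are therefore skipped rather than routed to.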
Rightscale just released their brand new 2016 State of the Cloud Survey with some interesting insights. It affirms what many other reports have concluded: Cloud Adoption is growing and Hybrid Cloud is the preferred strategy in enterprises.
71% of companies are using hybrid cloud environments. It makes sense: for Cloud Apps to be truly useful, they need access to internal systems. That’s just common sense. We see our customers choosing hybrid cloud for many reasons but the most important one is:
Business processes running in the cloud are far more effective if they’re integrated with important data in business systems such as HR systems, databases and authentication systems.
These systems won’t go to the Cloud overnight for sure and maybe not for years. Hybrid Cloud is then obvious. If you’re a CIO, you can take an incremental approach and start seeing benefits quickly without having to move internal business systems and data wholesale to the cloud.
Our customers are increasingly taking advantage of this approach. We provide a Database Connector, secure Active Directory/LDAP support, Microsoft Azure AD, SAML for single sign on, a File Connector so you can save files to a network drive, and a Google Apps Connector so you can update a Google Sheet and/or upload files to Google Drive.
The Road to Hybrid Cloud. The cloud computing model continues to create a larger and larger footprint in the IT landscape as enterprises pursue the model’s benefits, including but not limited to: 1) shared resources, 2) access to information and resources from anywhere on any device, and 3) on-demand provisioning and reallocation of computational resources. The greatest benefits are typically achieved using public cloud services; however, most organizations are unwilling to put ALL their data (particularly sensitive information) into public cloud solutions. To still reap the benefits of the cloud computing model, organizations implement some solutions on internal private cloud platforms.
What is Hybrid Cloud and How Does It Work. A hybrid cloud refers to an environment that runs both public and private cloud services AND provides a way to share data between them. Typically the data shared with public cloud services is limited and secured/encrypted to reduce exposure. Simply exposing a server within your firewall to a public cloud service is not what we mean by hybrid. A hybrid cloud connects two or more internal and external cloud platforms in such a way that they can exchange information.
What Are the Advantages. A hybrid cloud allows organizations to leverage the efficiency gains of the cloud computing model without having to expose all their data to public cloud services by providing mechanisms to securely share data. Once mechanisms have been defined for exchanging data between internal and external cloud platforms, CIOs can incrementally control what data is exposed to public cloud solutions. The ability to integrate internal data with external/public cloud services is hugely beneficial (if not required) to leverage public cloud services in a compelling and useful fashion.
The Benefits of frevvo. When you sign up for an account on app.frevvo.com, you’re using frevvo in the public cloud. If you deploy frevvo within your organization, you are setting up frevvo as a multi-tenant, private cloud solution. Either way, there are many examples of frevvo participating in hybrid cloud architectures. A frevvo account running in the public cloud could be configured to securely access LDAP information running within a private cloud. Enterprises running frevvo within their private cloud infrastructure can write data to google spreadsheets (public cloud). Another example is utilizing frevvo’s database connector to allow frevvo from either a public or private cloud to integrate with any back-end relational database.
In Summary. This cloud computing model combines public cloud and private cloud services to solve your business needs. From small businesses to large enterprises, being able to keep private information secure while hosting public information is very beneficial. As noted on the infographic (pictured to the left), using frevvo in the hybrid cloud is a business strategy that leads to business agility. Our cloud-based product is mobile ready, with easy drag & drop design, and lets you create custom forms and workflows to increase business agility.
We see our customers taking a similar approach. Why? The reality is that today’s typical organization (small, medium or large) has existing business systems – the so-called legacy investments. They contain really important information like customer data that takes time to transition to cloud (if it’s transitioned at all). That’s where hybrid cloud comes in.
Hybrid Cloud allows CIOs to take a pragmatic step-by-step approach. Clearly, it makes sense for new projects to use Cloud where possible. The benefits – particularly when it comes to speed and agility – are too great to ignore. But cloud-based projects/apps are less useful if they can’t access information in those pesky legacy systems. The obvious solution is integration a.k.a. Hybrid Cloud. For example, our customers integrate from frevvo’s public cloud to their internal LDAP systems for authentication. They’re deploying cloud-based forms and approval workflows that work with existing SQL databases. A new project like automating an internal purchase requisition approval can be done quickly without great development expense in the cloud while still using critical data that’s sitting in existing systems. That’s just smart.
The company starts realizing benefits in weeks rather than gains that won’t materialize for 5 years.
Senseless Vendor Policies
Recently, we got a nasty surprise from Salesforce – access to our data using their API is metered and extremely limited.
That’s ridiculous. No wonder customers want to control their data and deploy hybrid cloud strategies. The benefits of Cloud IaaS are flowing to Salesforce not customers.
Multiple Cloud Apps
No matter what Oracle says, the reality for most organizations is that no single Cloud vendor will provide every service they need. An obvious requirement then is to integrate data/applications between clouds. Sounds like Hybrid Cloud to us.
Persistent Security Worries
Unfortunately, customers are leery of cloud security. While many of these concerns are unfounded and are based on misconceptions, it’s not easy to let go of your critical data. After all, that’s what makes your business your business. Hybrid cloud allows you to take a staggered approach and keep your data where you’re comfortable managing it while still deploying modern apps that reap the benefits of increased productivity and agility.
The role of the CIO and the IT department continues to change towards brokering services rather than building systems. Cloud simply doesn’t happen overnight and, meanwhile, CIOs must manage existing systems that run the business today. Hybrid cloud allows them to take a sensible incremental approach to re-shape the existing infrastructure over time while still delivering real business benefits in a timely manner.
Are you ready to replace your expensive paper processes with automated, efficient, electronic forms/workflows? Looking for a low cost, low code workflow management system to quickly automate processes, enhance productivity and drive down costs? Not sure where to start?
Paper-based processes throttle the growth of an organization. There are simply too many bottlenecks in designing, filling, and storing paper forms. On top of that, when you consider the costs of correcting errors and dealing with misfiled, damaged or lost forms, it’s easy to see how paper-based processes are expensive and inefficient.
I spend a lot of time with our customers. Most of them easily grasp the benefits of process automation. But many of them still have questions that generally fall into the category of “Will it work with my _____?”
Automating manual processes helps reduce paperwork and increase efficiency whether you are a 50- or 5,000-person company, whether you prefer Cloud or On-Premise, wherever the organization operates, and whatever systems you have. Let’s look at how:
Your customers, partners and users want to interact with your organization on their own timelines. Often, they’re distributed all over the world.
If you can only process Sales Orders, Purchase Requisitions and routine approvals during business hours in your timezone, you’re probably losing business and wasting people’s time.
Automated workflows with frevvo are instantly available 24×7 – there’s no need to wait till you’re in the office at your desk, approvals can be processed from any time zone worldwide and your business can flow faster.
With the release of 6.2, customers will have the option to log in to frevvo via SAML 2.0. This is primarily meant for cloud tenants who use LDAP but do not want to expose it over the internet. Of course, there will be those who prefer to use it simply because it offers single sign-on (SSO). The inability to access LDAP does require us to store user and role information in frevvo in order to route the workflow tasks. This data duplication may seem unwarranted in on-premise deployments, where LDAP is accessible. On the other hand, there is still Integrated Windows Authentication as an SSO option.
The use of SAML requires the installation and configuration of a SAML identity provider product. These products can be free (Shibboleth, OpenSSO) or commercial (ADFS, PingFederate, etc.) and require IT-savvy personnel to set them up, or they can be subscription-based cloud providers like OneLogin that provide connectors to hook your LDAP up to SAML. Once set up, you need to release attributes about the user, viz. user id, first name, last name, email, manager user id, and role names. Manager and role attribute values are typically available as distinguished names (DNs) in the LDAP and require an additional lookup and transformation to convert them to identifiers. The support for, and ease of, doing this varies with the LDAP and SAML product. Other custom attributes can also be released for use in frevvo forms. In addition, the ‘frevvo.User’ role must be configured for any user to be authorized to access frevvo. The Add/Edit Tenant screens allow configuring the service and identity provider metadata as well as mapping the attribute names. Security in SAML is achieved by signing/encrypting the communication, which requires managing cryptographic keys; these can be set up in the keystore provided with frevvo.
While the user attributes can be discovered and saved on login, routing to other users requires user/role information to be available up front. This can be accomplished using the bulk user CSV upload feature that is already available for use with the default security manager. Custom attributes, however, will not be persisted. With user information coming from two sources, viz. login and upload, the most recent data will be used. Complete information needs to be provided from either source, as there is no support for merging data.
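The attribute release and the two-source rule above, as an added example (written for this page, not frevvo's code; the attribute names `uid`, `givenName`, `sn`, `mail`, `manager` and `memberOf`, the CSV column layout and the DN-to-id index are assumptions constructed for the example): manager and role values arrive as DNs and are converted to identifiers, a login without the ‘frevvo.User’ role is rejected, and an update from either login or upload replaces the stored record wholesale when it is the more recent one, which is why a partial upload loses fields instead of merging them.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional

REQUIRED_ROLE = "frevvo.User"  # the role every user must carry to access frevvo

# Assumed DN -> user id index, as a directory lookup would produce (constructed).
DN_INDEX: Dict[str, str] = {
    "CN=Carol Lee,OU=Users,DC=example,DC=com": "clee",
    "CN=Alice Smith,OU=Users,DC=example,DC=com": "asmith",
}


@dataclass
class UserRecord:
    user_id: str
    first_name: str
    last_name: str
    email: str
    manager_id: Optional[str]
    roles: List[str]
    updated_at: int  # constructed timestamp (seconds); decides which source wins


def rdn_value(dn: str) -> str:
    """Leading RDN value: 'Approvers' from 'CN=Approvers,OU=Groups,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def record_from_assertion(attrs: Dict[str, List[str]], now: int,
                          dn_index: Dict[str, str] = DN_INDEX) -> UserRecord:
    """Build a record from the attributes released at SAML login. Manager and
    role values are DNs; they are converted to identifiers here because the
    routing engine needs ids, not DNs."""
    def single(name: str) -> str:
        values = attrs.get(name, [])
        if len(values) != 1:
            raise ValueError("attribute %r must have exactly one value" % name)
        return values[0]

    roles = [rdn_value(dn) for dn in attrs.get("memberOf", [])]
    if REQUIRED_ROLE not in roles:
        raise PermissionError("user lacks %s; not authorized" % REQUIRED_ROLE)
    manager_dns = attrs.get("manager", [])
    manager_id = dn_index.get(manager_dns[0]) if manager_dns else None
    return UserRecord(single("uid"), single("givenName"), single("sn"),
                      single("mail"), manager_id, roles, now)


def records_from_csv(text: str, now: int) -> List[UserRecord]:
    """Second source: the bulk CSV upload (constructed column layout)."""
    out: List[UserRecord] = []
    for row in csv.DictReader(io.StringIO(text)):
        roles = [r for r in row["roles"].split(";") if r]
        out.append(UserRecord(row["user_id"], row["first_name"], row["last_name"],
                              row["email"], row["manager_id"] or None, roles, now))
    return out


def apply_update(store: Dict[str, UserRecord], rec: UserRecord) -> bool:
    """The most recent source wins and replaces the whole record. There is no
    field-level merge, so a newer but incomplete record drops what the older
    one knew. Returns True when the store was changed."""
    existing = store.get(rec.user_id)
    if existing is not None and existing.updated_at > rec.updated_at:
        return False
    store[rec.user_id] = rec
    return True


# Constructed sample inputs for a stand-alone run.
SAMPLE_ATTRS = {
    "uid": ["asmith"], "givenName": ["Alice"], "sn": ["Smith"],
    "mail": ["asmith@example.com"],
    "manager": ["CN=Carol Lee,OU=Users,DC=example,DC=com"],
    "memberOf": ["CN=frevvo.User,OU=Groups,DC=example,DC=com",
                 "CN=Approvers,OU=Groups,DC=example,DC=com"],
}
SAMPLE_CSV = ("user_id,first_name,last_name,email,manager_id,roles\n"
              "asmith,Alice,Smith,asmith@example.com,,frevvo.User\n")

if __name__ == "__main__":
    store: Dict[str, UserRecord] = {}
    apply_update(store, record_from_assertion(SAMPLE_ATTRS, now=200))
    apply_update(store, records_from_csv(SAMPLE_CSV, now=300)[0])
    print(store["asmith"])  # manager_id is gone: the upload omitted it
```

The last two calls in the stand-alone run show the caveat in practice: the login at time 200 recorded a manager, the upload at time 300 did not list one, and because the newer record replaces the older one wholesale the manager is lost until the next complete login or upload.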