Reclaiming unused cloud subscriptions

Last month the BSA released a paper aimed at helping organizations ‘Navigate the cloud’. The core message was that in a cloud era, Software Asset Management is more important than ever.

One of the key action points from the paper emphasized that SAM functions should:

“… initiate organization-wide policies governing the cloud to address, among other issues, the process for provisioning and releasing cloud services, required approvals and notifications, required controls, and the required terms and conditions to be included in cloud arrangements”

With this in mind I was particularly interested to chat with Dan Power of OneLogin.

In a nutshell OneLogin is cloud based single sign-on. It acts as a password vault for enterprises with multi-factor authentication, integrates with your network directories such as AD and can handle user admin.

So for example if you wanted to introduce a new cloud based application to the business, you could automatically create thousands of user accounts at once for the new service using OneLogin. Similarly, users can be decommissioned with the same ease.

Reclaim unused Salesforce.com subscriptions when a user is removed from Active Directory

Internet radio station Pandora uses OneLogin to reduce the overhead of user administration of cloud apps whilst also addressing compliance and transparency requirements. Pandora can see when an app has been provided, when it was accessed and when access was revoked.

Whilst OneLogin were probably not intending to address the ITAM market – this kind of automated administration tool has great value to those of us responsible for managing cloud based software, especially if we want to ensure we’re paying as little as possible for cloud subscriptions.

Reclaiming subscriptions from leavers

An example:

1. Fred leaves the company
2. HR notifies IT or removes Fred from Active Directory
3. OneLogin notices Active Directory change and works to remove or retire all of Fred’s authorized applications, for example communicating with Salesforce.com directly to retire Fred’s account.

The prerequisites here are:

1. For OneLogin to talk to the cloud app it has to use SAML, a protocol for apps to talk to each other, which OneLogin claim is the ‘Gold Standard’ for signing into cloud applications. “It completely eliminates all passwords and instead uses digital signatures to establish trust between the identity provider and the application” Source
2. HR and IT are sufficiently organized and synchronized to keep Active Directory accurate

I like that this is browser or login centric. SAM tools have only just begun to explore tracking web based apps; and from what I have seen so far it has been done as an extension of their existing agent infrastructure. This misses the opportunity to talk more interactively with the apps and also track usage across multiple devices (e.g. I might login to my Salesforce.com account on my work PC, home PC, tablet, personal device and so on).

One challenge I foresee as the industry navigates management of cloud-based applications is Discovery. It is no good just managing the apps we know about, with the growing trend for buyers of IT to be outside the IT department – I also want to see the apps we might have missed.

Image Credit