VPN and Cloud Identity: An Easier Way to Manage SaaS for Business

Once upon a time, in order to utilize software for your business, you would have to go to the store, purchase a hard copy of the necessary software, install it on your computer(s), and then insert a disk each and every time you wanted to use it. Over time this evolved to storing the information on your computer’s internal hard drive to where you no longer needed removable media, but this still created problems with consistent updates and upgrades.

Not exactly convenient, right?

SaaS — not to be confused with “sass” or “sassy” — is changing the way employees access the tools they need to get the job done. SaaS stands for Software as a Service, and is a type of software delivery and licensing option that allows you to access software online or in the cloud via a subscription, rather than having to go out and buy it to install on individual computers. With SaaS, accessing the tools is as simple as going to the website or launching the app.

SaaS is taking the world by storm: if there’s a particular function your business depends on, chances are there’s a SaaS tool available to make the process easier. You might even be using SaaS products without realizing it!

Common SaaS applications include: CRM technology; time management tools; HR and expense software; travel trackers; email services; office productivity applications — the possibilities are endless.

But have you thought about the security of SaaS applications?

A lot of businesses house their more sensitive SaaS tools in a private cloud, which is one of the common methods used for strengthening the security of SaaS applications. When companies control how employees access the business tools, they reduce the risk of a breach.

But what do you do when you have employees working in remote locations away from your office?

And what do you do when you have a lot of different SaaS tools, and your employees are having a hard time remembering all the different sets of login credentials?

Easy: you can use a VPN to provide remote access to the necessary tools, and a Directory-as-a-Service/Identity-as-a-Service (IDaaS) provider such as Okta, JumpCloud, or Google Cloud Identity for streamlined authentication.

How it Works

A VPN like OpenVPN Access Server works by providing secure remote access to the internal network that houses all of the SaaS tools employees need to do their jobs. An employee is working from home for the day? No problem. Traveling to a conference? Easy. Conducting a sales pitch at a potential client’s office? Simple!

No matter where employees are or when they need to access the network, an OpenVPN Access Server allows them to get to the information they need, exactly when they need it — while still keeping your network secure.

And with Access Server, you can easily enable multi-factor authentication so that users are required to enter their username and password, as well as a code generated on a device (like their smartphone). This ensures that only authorized users can access the network. Then, once users are connected to the VPN server, the SaaS applications become accessible to them — typically via other unique sets of credentials per application. But for companies that use a lot of SaaS applications, which each have their own unique set of credentials, this can become quite a headache for employees.

Fortunately, there is an easy way to streamline the authentication process: if you use multiple SaaS applications, one option for managing users is with an identity provider, or Identity-as-a-Service (IDaaS). Two examples that are highly compatible with OpenVPN Access Server are JumpCloud and Google Secure LDAP. With these providers, the SaaS applications and the OpenVPN Access Server use the centralized identity management system as a way to allow users to authenticate their login using the same username and password for all the different applications.

But won’t a single login mean lower security? Nope! Not if you set it up right.

For example: some SaaS applications have security settings where you can restrict access to a defined IP address range — such as the company’s network IP address range. Doing this requires remote employees to be connected to the VPN server in order to be assigned one of these IPs and successfully connect to the service. Then, with Access Server, you can simply add the requirement that multi-factor authentication be enabled.

In a sense, the VPN becomes a gatekeeper that requires employees to provide their credentials and multi-factor authentication. Once they are in the network, the SaaS applications that only accept the typical username/password login can take the same credentials that were used to log into the VPN (minus the multi-factor code) as credentials for access.
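The control described above only holds if every SaaS application is actually enforcing the IP restriction. The following is an added example (not code from the original post or from OpenVPN) of how a defender would check that from the SaaS side: it parses sign-in events and flags any successful login whose source address is outside the company's VPN egress ranges. The log format, user names and address ranges are constructed for the example; the ranges use documentation prefixes (TEST-NET-2, TEST-NET-3, 2001:db8::/32) rather than real addresses.

```python
"""Audit SaaS sign-in events against the VPN egress allowlist.

Models the control described in the post: a SaaS application that only
accepts sign-ins from the company's network ranges forces a remote user
onto the VPN (and therefore past its MFA gate) before a password alone
will work.  Run over sign-in log lines, this finds logins that bypassed
that gate.  All addresses and log lines below are constructed samples.
"""
import ipaddress
import re

# Company / VPN egress ranges as the SaaS provider would see them.
# Constructed values using documentation prefixes, not real addresses.
VPN_EGRESS_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),    # HQ public range (TEST-NET-3)
    ipaddress.ip_network("198.51.100.8/29"),   # VPN NAT pool (TEST-NET-2)
    ipaddress.ip_network("2001:db8:10::/48"),  # IPv6 egress prefix
]

# Constructed sample sign-in log in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z user=alice src=203.0.113.40 result=success
2024-05-01T08:05:47Z user=bob src=198.51.100.9 result=success
2024-05-01T09:13:02Z user=carol src=192.0.2.77 result=success
2024-05-01T09:14:30Z user=carol src=192.0.2.77 result=failure
2024-05-01T10:40:19Z user=dave src=2001:db8:10:1::5 result=success
2024-05-01T11:00:00Z user=erin src=not-an-ip result=success
"""

LINE_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")


def in_allowlist(src, ranges=VPN_EGRESS_RANGES):
    """True if src parses as an address inside one of the allowed networks.

    Anything that does not parse is treated as outside the allowlist, so a
    malformed or missing source never slips through as "allowed".
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def parse_line(line):
    """Extract user, source address and result from one log line, or None."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def find_bypass_events(log_text, ranges=VPN_EGRESS_RANGES):
    """Return (user, src) for successful sign-ins from outside the VPN ranges.

    A *failure* from outside is expected noise (the allowlist is doing its
    job).  A *success* from outside means the SaaS-side restriction is
    missing or misconfigured for that application, or the user has a path
    around the VPN gate, and that is what should raise an alert.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "success" and not in_allowlist(ev["src"], ranges):
            findings.append((ev["user"], ev["src"]))
    return findings


if __name__ == "__main__":
    for user, src in find_bypass_events(SAMPLE_LOG):
        print(f"ALERT: {user} signed in from {src}, outside the VPN egress ranges")
```

Two points to keep in mind when applying this to real logs: the source address must be the connection address the SaaS provider observed, not a client-supplied header such as X-Forwarded-For, which a user can set freely; and the allowlist must contain the addresses the VPN server NATs traffic *out* through, since those, not the internal VPN client subnet, are what the SaaS application sees.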

SaaS Application Security in Action

Take for instance a technology services company that creates specialized applications for the communications industry.

They have a strong sales presence in major markets worldwide, and the sales team is often on the road or at different customer locations. Because they’re away from offices most of the time, these road warriors need secure remote access to various SaaS tools, as well as the ability to demonstrate the specialized applications hosted on their internal network.

The team uses a lot of different tools, but the SaaS application security varies significantly between all the applications:

  • Some tools provide multiple-factor authentication…others don’t.
  • Some tools enforce the need to use complex passwords…others don’t.
  • Some tools require users to change passwords regularly…others don’t.

The sales team needs to remember unique credentials for each SaaS application, but team members often forget their passwords. Some end up using the same simple password for numerous applications. This creates much greater risk, because if one password is compromised, cybercriminals could gain access to all the different SaaS applications that particular employee uses.

The company wants to use a single identity solution that would allow the sales team to access their SaaS applications as well as the internal demo network using only one strong credential on top of multi-factor authentication secured by that identity management solution — rather than team members struggling to remember dozens of different credentials.

To solve this problem, the company chose an IDaaS that provides support for both LDAP and SAML authentication as their central identity management solution for the company. All the SaaS applications were then set up for SAML authentication with the identity provider.

The OpenVPN Access Server, installed at the headquarters location, provides access to the internal network, housing all the components needed for sales demonstrations. LDAP user authentication is set up with the central identity solution, and the VPN connection to Access Server is also authenticated by the use of the same username/password that’s used for SaaS application security.

Now, the sales staff can access and use all the SaaS applications using one strong credential. The sales staff is more productive, and access management to both the internal network and SaaS application is much easier – leading to reduced operational complexity for the IT team, and quick and easy access for the sales staff.

How To Configure Our VPN with Cloud Identity

As more organizations depend on SaaS applications for completing essential business functions, the use of single sign-on (SSO), identity federation, and Identity-as-a-Service (IDaaS) offerings is becoming more important than ever — and companies are rethinking their identity management architecture.

Google Cloud’s adoption of secure LDAP for its Cloud Identity service has made it possible to use Cloud Identity for user authentication by traditional network systems like VPN servers.

To configure OpenVPN Access Server with Google Secure LDAP, you need to be running OpenVPN Access Server 2.5.3 or greater. You must also have already downloaded the LDAP client certificate and private key from the Google Admin console, and ensure a basic VPN configuration has been created.

If you have not already created a basic VPN configuration, you’ll need to run the OpenVPN Access Server setup wizard to create a basic VPN server setup before beginning the configuration.

Specific configuration instructions can be found here:

Directions for Configuring Google Secure LDAP With OpenVPN Access Server