Challenges before introduction

Strengthening the governance of the Group’s various SaaS

On November 1, 2005, the Yamato Group, also known as Yamato Transport, shifted to a holding company. Since then, Yamato Holdings has been consistently focusing on strengthening its corporate governance.

One of its policies has been to focus on cross-group security governance. Mr. Yusuke Shibata, who is in charge of IT strategy at Yamato Holdings, says, “We have a lot of work to do. Security incidents could lead to the loss of corporate brand equity. If we leave cybersecurity initiatives to our group companies, there could be huge disparities in the level of measures taken.”

Under these circumstances, SaaS has become increasingly visible as a serious issue. Similar to the many global companies that are moving toward employing cloud services, all Yamato Group companies actively use a wide variety of SaaS. However, some of these services are vulnerable from a security perspective, or engender concerns regarding continuity.

Even if SaaS itself does not have any issues, it is unlikely to ensure security if there is a defect in its operation. For example, if some accounts are left unused due to the resignation or transfer of personnel, these accounts may be misused by third parties to gain unauthorized access.

In the summer of 2018, the company started a project to build an identity authentication management system for SaaS that centrally manages access to systems and applications that are used by the entire group. As part of this process, the company adopted IIJ ID Service as the platform to manage SaaS accounts. This is a cloud-based IDaaS (Identity as a Service) that links IDs between the company portal and multiple SaaS to support single sign-on (SSO) and multi-factor authentication.

Why Yamato chose IIJ

Highly esteemed IIJ ID Service that scales as needed

Although the use of SaaS is increasing across the entire Yamato Group, the types of SaaS employed and the number of accounts of each SaaS varies by company and division. “Under these circumstances, we focused on the advantage that IIJ ID Service can start small, with a monthly charge per account and no initial costs, including for server installation,” says Ms. Satomi Takei of Yamato Holdings.

Though IIJ ID Service was not the impetus for taking on this project, Yamato Holdings chose the service after comparing similar services provided by several vendors. The key factor in choosing the service was IIJ’s substantial support. “For example, when doing SSO integration using SAML 2.0 or multi-factor authentication, failures may occur due to subtle differences in the specifications of each SaaS. In such cases, IIJ took care to thoroughly answer our inquiries.”

In addition, Yamato System Development, a group company that is in charge of building the identity authentication management system for SaaS, conducted a proof-of-concept trial prior to the introduction of IIJ ID Service. Ms. Misaki Nakamura, a manager at Yamato System Development, tested exactly what can be done with the basic and optional functions of IIJ ID Service. “The admin settings are simple and easy to understand, and IIJ ID Service seems to be very user-friendly. In addition, IIJ respond quickly to our technical inquiries, which makes us feel that IIJ is a very reliable partner in building and operating the system,” commented Ms. Nakamura.

What IIJ ID Service achieved

IIJ ID Service boosts user convenience and enhances security

Yamato Holdings initially limited use to within the holding company only, and started operation with around 200 users.

“The SSO mechanism allows users to seamlessly access several SaaS as long as they remember just one password,” Ms. Takei said. “Users appreciate the fact that there are fewer login actions and much easier operation.”

The company linked the identity authentication management system for SaaS with IIJ ID Service. “If the HR department updates a human resources master file as employees join and leave the company, then the change will automatically be reflected in IIJ ID Service, eliminating any concerns that unused accounts may remain.”

After confirming the value of the service, the company began rolling out IIJ ID Service to Group companies in October 2019. By March 2020, about 40 SaaS are expected to be linked, and around 3,000 accounts will be registered. “We will continue to roll out IIJ ID Service to approximately 200 types of SaaS that have already been certified,” Ms. Nakamura says. “Considering the fact that the number of users of SaaS groupware will increase to more than 30,000 in the future, there is a good chance that our use of IIJ ID Service will grow even further. IIJ ID Service realizes flexible scale-out and scale-down, which is a huge advantage in a situation in which it’s difficult to predict the volume of future use.” she said in a statement.

In the multi-cloud era, it is essential to build IT systems that realize convenience and security, and to continually review and update them. “We will continue to further strengthen the security of the IT environment,” says Mr. Shibata. IIJ ID Service is expected to play an increasingly important role in these efforts.