IDaaS: The changing World of IAM

Published on 22 Oct. 2015 / Last Updated on 22 Oct. 2015

In this article we consider how Identity and Access Management is changing through the emerging cloud-based alternative IDaaS.

Introduction

At the beginning of 2014, Gartner addressed the cloud-based service Identity and Access Management as a Service, also referred to as IDaaS, in a Magic Quadrant. Fast-forward a year and a bit and IDaaS continues to be an emerging market. It is predicted that by 2019 at least 25% of Identity and Access Management (IAM) will utilise the IDaaS cloud model. The IDaaS market is an encouraging emerging market that has gained the interest of major companies who now offer mature IDaaS offerings, Microsoft being one such company with its Azure Active Directory solution.

The PaaS market will notably be able to take greater advantage of the emerging trend for Identity and Access Management by incorporating IDaaS functionality into PaaS offerings. It is suggested that, as a result, by 2019 40% of IDaaS proceeds will accrue to PaaS providers. As more businesses adopt PaaS and SaaS solutions, the requirement for IDaaS is growing, and vendors are realising and taking advantage of this trend.

How should businesses be addressing the changing world of IAM? What does this mean for traditional IAM? How can businesses benefit from utilising cloud-based IDaaS?

Traditional IAM vs. IDaaS

Identity and Access Management is a pressing focus within organisations and the IT realm, especially as the importance of data and the value associated with it continue to increase. The more value is placed on data, the greater the drive for those with malicious intent to get hold of it and utilise it for monetary gain, resulting in lasting ramifications for the organisation involved. Breaches are a common occurrence, and as long as organisations have something of value the offender will find a way to get it. Organisations are required to protect their data, and the necessity is becoming more and more pronounced. Although outside threats are prevalent, the potential threat from within (deliberate or not) must not be ignored.

Adding to the complexity of controlling access to resources is the evolution of IT in business functioning. Organisations now commonly utilise a very mixed IT infrastructure and it is common to have environments facilitated by a diverse range of devices, both company owned and employee owned. Cloud computing, mobile applications and the increasingly mobile workforce also complicate things. The emerging market of The Internet of Things brings another identity management tangent to the mix. For the smooth flow and security of data and resources within the organisation, to keep business functioning efficiently, proper Identity and Access Management is crucial.

One of the cornerstones of data security is implementing solutions that effectively manage and control authorised access to the organisation's network, machines, devices, applications, resources and data. However, this is becoming more and more complicated to manage, as these assets are no longer bound to one place but dispersed within the heterogeneous environment, on-premise and in the cloud.

IAM is a security discipline whereby access is managed through on-premise authentication solutions, enabling the right individuals to access the right resources for the appropriate reasons. In contrast, IDaaS is an Identity and Access Management offering whereby the authentication infrastructure resides in the cloud and provides IAM functionalities to address both on-premise and cloud-based systems. The short of it is, IDaaS takes access management and authentication to the cloud.

IDaaS addresses the need to ensure appropriate access to resources across increasingly mixed technology environments and to assist in meeting the related compliance requirements.

Thus both IAM and IDaaS aim to address the same criteria, but they work under different conditions, each with its own limitations, risks and benefits. IDaaS may be beneficial for some organisations depending on their IT environment conditions.

Why use IDaaS

IDaaS brings the functionality of IAM to all organisations, no matter how small. Small businesses that previously would not have been able to take advantage of a comprehensive and current IAM (for whatever reason) are now able to. This is possible because IDaaS is a cloud service: as with all other cloud services, organisations do not have to build, maintain and manage the infrastructure, yet can still utilise the pool of resources, which makes it available to everyone.

The changing IT environment and the way in which businesses function are more convoluted to manage and secure. Multiple identities are being utilised for each individual on multiple devices across multiple platforms, on-premise and in the cloud. This also requires users to remember multiple username and password combinations, and when an employee leaves the company all their associated accounts must be disabled. Managing access and identity in such an environment using traditional IAM is becoming challenging, more time-consuming than before and costly. IDaaS functions to better support this diverse and challenging IT environment.

Business function is becoming increasingly mobile and IDaaS functionality is supportive of this change.

We are entering a time where the identity of things is as important as the identity of people. We now need to ensure that we can properly manage and secure the Internet of Things as well. The Internet of Things has the potential to be a large area of susceptibility and an additional entry node for those with malicious intent. This is another area where IDaaS should be able to better secure and manage access to these devices and the related data.

Even for organisations that may not yet face all the above-mentioned challenges, this is the direction in which we are heading, and it is something all businesses should be ready for and capable of addressing.

The risk involved

When utilising IDaaS, as with any other cloud service, there is an element of risk. The organisation is outsourcing a critical function. The organisation's identities are most important, and it is important that they are properly managed and secured. Standards continue to develop in this area, and it is your responsibility to ensure regulation and compliance are upheld with respect to your identities and data access.

It is recommended that care be taken with regard to the identities you choose to hand over. The management afforded to the identity should always equal the data value. Depending on the type of data and the type of organisation/business you are, some identities will incur more risk than others. Know your risk threshold and do not approach this haphazardly. IDaaS should assist to better support the Identity and Access Management of resources, but if approached incorrectly it can place the organisation in a vulnerable position.

Benefits of IDaaS

  • Effectively addresses Identity and Access Management for small, medium and large organisations (businesses of all sizes)
  • Small and medium sized organisations can benefit from the same solutions otherwise only afforded by large enterprises
  • Benefits attributed to cloud services are also attributed to IDaaS: cost savings, scalability, pay for what you use etc.
  • Saves on time
  • Improved scalability
  • Alleviation of apprehension of a depreciating IAM technology and having to maintain it
  • No requirement for building, maintaining, managing or operating the infrastructure
  • No need to customise the IAM to integrate with products
  • Stay abreast of the changing security environment, the security achievable from the service should always be current, improving your security posture and reducing the potential security risk
  • Achieve an Identity and Access Management solution of elevated quality that exceeds that which you would be able to achieve and afford if done in-house
  • Obtaining a skill set and expert level of knowledge in the area
  • Improves customer confidence, knowing that their data is properly secured
  • Provides cross-platform Identity Management accommodating all positions, devices and environments (cloud, mobile, on-premise etc.)
  • Effectively used with cloud-based applications and on-premise applications
  • Control of data: know where the data is, who has access to it, when it is being accessed and how it is being used
  • Improves compliance and reduces the chance of falling out of compliance due to employee error
  • Improved password management and authentication: automation, cloud single sign-on functionality across platforms, multi-factor authentication etc.
  • Improved provisioning and access governance
  • Improved comprehensive management and control

What to look for when deciding on an IDaaS provider

Some important areas of focus when choosing a suitable IDaaS provider include the sustainability of the provider of the service, the solution offered and the security delivered.

Sustainability

It is important to do the necessary research regarding the vendors. A lot of the legacy IAM vendors may evolve to supply IDaaS, but new vendors focusing solely on IDaaS offerings may also enter the market. It is important to be sure that the vendor you choose is sustainable, as the competition will be rife.

Solution

The solution offered by one vendor may differ from that offered by another. Be sure of what you want to achieve from the solution and make sure the vendor's offering encompasses your requirements and meets your business objectives. Generally, most solutions offer cloud single sign-on, SaaS provisioning, password management and access governance.

Investigate the solution and be sure that it suits your environments appropriately. The solution should also effectively accommodate on-premise applications for both integration and management. Be sure that the solution and vendors support existing standards as well as emerging ones. Functionalities are broadening; however, there remains variation among solutions and this should be carefully noted.

Security

This is an important focus point, as it is one of the main reasons for employing the solution. Security of data is dependent on a broad range of fundamentals. Ensure that focus is placed on where the data resides, how the data is transferred, who owns the data centres, whether the data is encrypted and when encryption is utilised, where the passwords are stored and how they are protected, how monitoring is undertaken and the involvement, if any, of third parties. These are some of the questions you must have the answers to, and you must ensure that all of the above is undertaken in a manner that best supports the security of your data and identities.

Conclusion

The majority of solutions are finding their way to the cloud. IAM is no different. IDaaS helps to support the challenging IT environments businesses must manage presently. As technologies develop and new ones get added to the mix, this will only become more challenging, and scalability for IAM will be necessary. To ensure proper Identity and Access Management in these diverse environments we will need to change the way we approach IAM. IDaaS helps tackle this and will help grow the adoption.

The Author — Ricky M. & Monique L. Magalhaes

Ricky M. Magalhaes is an international information security architect, working with a myriad of high-profile organizations. Monique is an international security researcher who holds a BSc degree (cum laude). Previously she has focussed on research and development at leading enterprises in the Southern Hemisphere.