It is often said that identity is the new perimeter in the world of cloud-native ecosystems and zero trust. Identity is undoubtedly at the heart of everything we do in modern systems, and it is key to zero trust architecture and to enabling proper access control. That said, running identity and access management (IAM) at scale can be a daunting task, which is why more companies are adopting identity-as-a-service (IDaaS) solutions.
IDaaS has advantages and disadvantages, but first let's explain what IDaaS is.
What is IDaaS?
IDaaS is a cloud-based consumption model for IAM. Like everything else in today's technology ecosystem, IAM can be offered as a service. Although there are some exceptions, IDaaS is usually delivered through the cloud and can be offered as a multitenant offering or a dedicated delivery model, depending on the organization's requirements and the capabilities of the provider in question.
Gartner predicts that by the end of 2022, 40% of medium-sized and large companies will adopt an IDaaS offering instead of traditional IAM. Several factors are contributing to this growth: continued cloud adoption, remote workforces, and companies realizing that they can consume IAM rather than host and fully manage it themselves, which frees up time to focus more on the core capabilities they deliver to customers.
Some of the benefits associated with IDaaS offerings include the ability to consume IAM rather than host it, and to offload some of the management overhead related to IAM to an external provider. Other benefits include feature-rich offerings that make your IAM implementation more robust and secure in many ways. Most IDaaS providers offer native, integrated capabilities such as single sign-on (SSO) and multi-factor authentication (MFA).
IDaaS providers also pride themselves on being cloud-native and, by nature, integrating more easily with robust cloud ecosystems. This means integrating with an organization's potentially wide portfolio of SaaS applications to ensure a unified identity solution and enterprise-wide IAM governance, using protocols such as OIDC and SAML. Even complex, large-scale organizations such as the federal government have published a complete playbook and guide for federal agencies to help government contractors align their IAM services with a cloud operating model, and IDaaS is at the heart of that playbook.
The above table from the aforementioned federal playbook does an excellent job of summarizing some of the key differences between legacy IAM solutions and IDaaS. Much like the cloud more broadly, cloud-enabled IDaaS offers many of the same basic benefits. Companies no longer need to be limited by their own ability to scale IAM infrastructure, because it is consumed as a service and is resilient.
Companies can be billed based on consumption, and they offload the physical ownership and hosting requirements of the IAM infrastructure, since it is hosted by the service provider. Companies no longer need to physically administer and manage the fault tolerance of their IAM infrastructure, because IDaaS providers offer globally available infrastructure that can be fault tolerant and enables organizations to meet their disaster recovery and business continuity (DR/BC) goals, probably at a much lower price point.
IDaaS Cons and Considerations
IDaaS is not all sunshine and rainbows, though, and companies need to pay a lot more attention to some key considerations when evaluating it. If identity really is the new perimeter, then adopting IDaaS gives an IDaaS service provider some level of control over your perimeter. This is similar to the shared responsibility model in cloud computing, but it covers not only infrastructure but also critical matters such as identity, permissions and access control.
Depending on your organizational needs and security sensitivities, some of the benefits cited in the table above may turn out to be a drawback, or at least a subject of debate. Because you are consuming the applications and systems associated with IAM, you are limited to the permissions offered by the provider, and your ability to change how the offering functions is limited. This is because IDaaS providers offer their interfaces and applications to many customers and can only do so much customization without losing the ability to provide a standardized offering. On the measured-service front, you may be surprised by poor or naive choices by your administrators that push you past your originally planned budget.
Aside from these concerns, some of the biggest security concerns come from IDaaS's resource pooling and broad network access. Depending on the nature of the work you do, the idea of sharing tenancy with other customers may be a concern, since a security incident in their logical environment could potentially provide lateral access to your environment and consequently to your entire IT ecosystem.
The globally available nature of IDaaS is a compelling advantage, especially considering how expensive it would be to provide that level of fault tolerance yourself. That said, there are also regulatory requirements to keep in mind. Some organizations are geographically restricted in where they may keep systems and data, for example because of GDPR, or because of national security if you work, for example, with the Department of Defense (DoD). You may be able to work with IDaaS providers to ensure that your data stays within a specific region, but this must be considered and resolved if geographic restrictions apply to you.
These concerns are not without some merit. Just a few months ago, Okta, one of the largest IDaaS providers, suffered a security breach that affected two corporate customers. The security breach in this case could have been caused by one of Okta's sub-processors, which warrants a full conversation about cybersecurity supply chain risk management (C-SCRM). If an IDaaS provider is compromised by a malicious actor, it can have devastating consequences for your entire organization or potentially an entire industry, as many IDaaS providers handle critical IAM information for hundreds or thousands of customers.
Carefully evaluate IDaaS
That said, it's clear why many companies are adopting IDaaS offerings. With the ubiquity of the cloud, organizations often need dynamic and robust IAM options that support their diverse ecosystems. For many organizations, IDaaS providers can provide IAM capability at a fraction of what it would cost the organization to host and manage it itself. They do this at scale, because their customer portfolio is huge.
Using IDaaS often allows companies to concentrate on their core competencies, which typically do not include IAM, and to focus instead on their customers and stakeholders. As with any technology or as-a-service offering, there are important factors to consider, and companies should not adopt IDaaS without explicitly weighing them.
Copyright © 2022 IDG Communications, Inc.