Identity Management from the cloud
Under a Dark Cloud
Identity and access management (IAM) is a core IT discipline located between IT infrastructure, information security, and governance (Figure 1). For example, IAM tools help with the management of users and their access rights across systems and (cloud) services, to provide easy access to applications (preferably with a single sign-on experience), to handle strong authentication, and to protect shared user accounts.
IAM Complexity
IAM projects often prove to be complex. As a cross-system tool, IAM requires a connection to existing systems in many areas and, in particular, to the core area of identity provisioning (i.e., the administration of users and their user accounts on the various target systems). These connections require more than just technical integration: The identities also must be mapped to the correct user accounts on each target system.
Other aspects, such as strong and adaptive authentication, are often complex, not in terms of technical integration with existing systems, but because of the high security requirements of this infrastructure. Systems designed to ensure security must be implemented in a secure manner. Adaptive authentication means supporting different authentication mechanisms, taking into account the location and the device. These factors place demands on the strength of authentication.
Application and approval procedures for authorizations also have to be implemented in the systems. In many projects, great effort is required to create and adapt such processes, partly because they first have to be defined and partly because implementing them is laborious.
These points underscore the difficulty of implementing IAM and have prompted many IT managers to head for the cloud. After all, why implement a complex technology internally in long and expensive projects when a cloud service can be used instead?
Cloud IAM Market
In the market for IDaaS (identity as a service) or cloud IAM, a rapidly growing number of offerings focus on quite different sets of features, which makes these products hard to compare. The most important types of cloud IAM services are described here.
Cloud single sign-on (SSO) solutions are probably the best-known services. Their most important feature for users is an SSO to various cloud services. One of the most important value propositions is their predefined integration with hundreds, or even thousands, of different cloud services. Access is typically through a kind of portal that contains the icons of the various connected cloud services.
In the meantime, many of these services also support advanced features, such as the management of mobile devices or two-factor authentication. However, the main focus remains on easy access to cloud services for employees. Other user groups are often insufficiently supported, and access to services within the company's own IT infrastructure is not addressed at all in many of these solutions. More advanced functions, such as provisioning and detailed authorization control in cloud services, are only rudimentarily supported for most of these services.
Federation services positioned in the cloud are similar to cloud SSOs. However, these are aimed at identity federation between back-end systems (e.g., the integration of an internal Active Directory with cloud services or the integration of business partners for access to internal web applications).
Some of the cloud SSO services provide integrated two-factor authentication (2FA) or multifactor authentication (MFA). However, some specialized providers focus on strong authentication as a service. Such solutions can be very useful, especially with regard to the secure integration of mobile users, business partners, and customers. Like the tools mentioned before, however, they are limited to a small sub-area of the large IAM topic.
On the other hand, a growing number of offerings provide comprehensive functionality for identity provisioning, access governance, and in most cases, identity federation and SSO as a cloud service. Some of these solutions have been on the market for years, but the number of offerings is growing steadily. These solutions take two fundamentally different approaches: services that have been built from scratch as cloud services – generally designed for a high degree of standardization, simple configuration without coding, and multiclient capability – and on-premises solutions, almost all of which are now offered as "cloud services," although in many cases this only means a managed service in which the operator runs each customer instance separately. This approach is the logical consequence of products that were not designed as multitenant-enabled systems for operation in the cloud. Such cloud-based solutions for identity provisioning and access governance often also have special gateways – for example, in the form of software appliances – that are then connected to the target systems in the company's on-premises infrastructure.
Hybrid IAMs
A further development can be observed in recent months: Established providers are expanding their on-premises IAMs and bringing them onto the market as new cloud services. On the one hand, the aim is to ensure that IT organizations can continue to use the existing connectivity of target systems. On the other hand, the goal is to simplify the delivery of new functions, customization, and use through cloud services. The obvious challenge here is that these services are not so easy to implement for companies that do not yet work with the manufacturer's on-premises offerings, because besides the cloud component, local components are needed to connect the existing on-premises target systems. The architecture, deployment, and operation of such hybrid environments are becoming more complex. The picture is different if only a single gateway component is operated locally as a kind of black box that is completely managed by the cloud solution and is very easy to deploy, for example as a soft appliance.
In addition to these systems, another market is showing strong growth: customer identity and access management (CIAM). This market segment primarily focuses on managing a large number of identities (millions of customers instead of thousands of employees) to facilitate self-registration, support social logins, and integrate with marketing automation solutions.
These segments cannot be clearly distinguished, because some solutions and providers offer functions from several areas. For example, some providers of the other solution types also support basic CIAM functions.