« Previous 1 2
Identity Management from the cloud
Under a Dark Cloud
IDaaS Integration
The variety of approaches to IDaaS makes it clear that the market is still not mature. Among the many approaches and ideas, new products, and numerous value propositions, no solution has yet proven its worth and established itself. The IT manager therefore has to think carefully about what kind of IDaaS fits – if any at all.
Some IAM areas are scarcely addressed at all at present. For example, privilege management has hardly any cloud solutions, which is not surprising, because it requires deep technical integration with target systems and because the security requirements for providing one-time passwords for accessing sensitive servers are high. Monitoring administrative sessions can also only be solved for some use cases as a cloud service.
Another example is entitlement and access governance (EAG), sometimes referred to as data governance, which involves analyzing and managing authorizations at the system level (e.g., in file server infrastructures or in SharePoint instances). Because many of these instances are now used as cloud services, differentiated management of file servers is less suitable. Other areas that require deep integration into system environments, such as solutions for managing authorizations in SAP (systems, applications, and products) environments, are rarely available as cloud services today.
From a technical point of view, the connection back to the on-premises infrastructure is undoubtedly the most important at the moment. It is a trivial thing to convert SSO to a cloud service. Federation standards such as SAML or OAuth can often help. In contrast, the connection to a mainframe in the corporate environment is far more complex. However, the IT reality in most companies today, and for a long time to come, is the existence of many locally operated applications. Therefore, support for these environments is essential. Solutions that only make it easier to manage new cloud services while ignoring the existing IT infrastructure don't help much.
The management of cloud services has not yet been conclusively resolved, either. Again, SSO is the simple part; the challenge is the provisioning of users in cloud services, their deprovisioning, and managing permissions. Above all, it requires precise control over which users have which authorizations. For example, groups, roles, or profiles that are required in authorization management must also be set up. However, support for these extended functions is largely lacking, partly because of a lack of interfaces for cloud services, partly because of limited standards, and partly simply because of a lack of implementation of such complex functions in IDaaS services. Simple functions like single sign-on can be implemented quickly, even if they only solve a small part of the customer's problem.
More critically, IT managers must also question the possibilities of customizing IDaaS, as well as the scope of predefined functionality. IDaaS services should be easy to customize without programming but still offer a high degree of flexibility. On the other hand, it is also important that as many functions as possible are predefined. Standardized, comprehensive process frameworks for the management of users and their authorizations are hardly available on the market at present, though.
The Right Strategy
The first step is, as always, to identify your specific requirements. In particular, you need to analyze whether and to what extent the requirements of the existing on-premises environments are supported. The trend is toward IDaaS, but in many cases local or hybrid IAM infrastructures are the better option. The goal must be an integrated IAM, not a patchwork of disparate IDaaS solutions and on-premises IAM.
Today your IAM road map also has to take into account the future role of IDaaS. However, whether and to what extent you already want to use IDaaS is something you should consider carefully. In some areas, IDaaS is the obvious solution, such as IAM for customers (CIAM) and tasks for which such services are not yet useful. If you decide to set IDaaS at least in some areas, you should also have a migration strategy. Both the provider landscape and the functionality of the services offered are still fluctuating. You should therefore plan to switch to other providers as a possible route.
Conclusions
Of the many IDaaS offers on the market now, most (1) are specific solutions for isolated tasks and have many functional areas that are not or are insufficiently supported and (2) are still far from reaching the maturity level of on-premises alternatives. In these cases, you might need to consider whether you want to risk taking the plunge. That said, in areas such as identity federation or CIAM, the offers are genuine options.
Despite the skepticism for cloud IAM or IDaaS, in the future, more and more IAM services will come from the cloud, which will also reduce the complexity of projects. However, cloud services will not be able to address all challenges, especially the integration of many back-end services. Cloud IAM is the future, but it will not be as rosy as many vendors are promising.
« Previous 1 2
Buy this article as PDF
(incl. VAT)