1 Introduction
The IDaaS market has evolved over the past few years and is still growing, both in size and in the number of vendors. However, under the umbrella term of IDaaS, we find a variety of offerings. IDaaS in general provides Identity & Access Management and Access Governance capabilities as a service, ranging from Single Sign-On to full Identity Provisioning and Access Governance for both on-premise and cloud solutions. These solutions vary in their support for different groups of users - such as employees, business partners, and customers - their support for mobile users, and their integration capabilities back to on-premise environments.
For that purpose, we have divided the IDaaS market into three distinct market segments. Some vendors serve two or all three segments with their IDaaS services, while others focus on a single segment. The three IDaaS market segments in the KuppingerCole definition are:
- IDaaS SSO: IDaaS focused on providing a Single Sign-On experience to users. While the primary focus is on providing access for employees to cloud services, we also look for support of other groups of users such as business partners and customers, for mobile users, and for downstream SSO back to on-premise applications.
- IDaaS B2E: IDaaS focused on providing Identity Provisioning and Access Governance for on-premise environments, complemented by Identity Federation capabilities and, based on these, at least baseline support for Single Sign-On to cloud services. B2E stands for Business-to-Employee, providing functionality focused on employee-centric IAM, but delivered from the cloud. Formerly, we referred to this market segment as “Cloud IAM & IAG”.
- IDaaS Digital: This is a rather new segment, with “Digital” standing for solutions that support the emerging requirements organizations are facing in the Digital Transformation. Such solutions must provide support for both customers and business partners and have more complex functionality.
Many organizations today utilize a mix of on-premises IAM systems, IDaaS, and CIAM (Consumer IAM) solutions. Insufficiently protected digital identity can often be a vector for data breaches and fraud.
IAM/IDaaS/CIAM administrators need services that can help reduce the risk of fraud and data breaches. Some vendors in the IDaaS Digital segment offer services that:
- perform varying degrees of identity vetting
- retrieve authoritative attributes
- examine runtime environmental factors, such as those relating to user devices and locations
- collect identity analytics
- receive and process cyber threat / fraud / compromised credential intelligence
- conduct thorough risk analysis on all factors
- evaluate attributes and environmental data in accordance with dynamic policies
- output risk scores via APIs for adaptive authentication engines to consume
Each of the functions listed above can be utilized to increase identity and authentication assurance levels and thereby decrease the risk of fraud and data breaches.
Some vendors specialize by offering one or more of these services. For example, there are companies that operate regionally or within certain countries, and provide identity vetting services that call government-provided APIs to validate citizen attributes for specific use cases. Another example is an identity attribute brokering service that does transaction-time lookups of financial records at banks or credit rating agencies. Other companies collect and aggregate cyber threat intelligence, and package it into feeds for other vendors and end-user organizations to evaluate. Still other vendors collect, parse, clean, and disseminate information about known compromised credentials to other vendors or end-user organizations.
The common denominator here is the use of APIs, generally REST-based, and increasingly standardized. Each service provider therefore must make these services consumable over APIs. Not only do these services reduce the risk of fraud, but in some cases, they are mandated. In Europe, PSD2 will require banks and other financial “third party providers” (TPPs) to perform transaction risk analysis on almost every transaction above €30. Banks and TPPs will benefit from using IDaaS Digital services such as those described above.
The ThreatMetrix Digital Identity Network uses ThreatMetrix's own threat intelligence capabilities to deliver high-quality IDaaS Digital services, and ThreatMetrix offers the information as a service to clients and other IDaaS vendors. In addition to threat intelligence, the ThreatMetrix platform benefits from crowdsourced information from across its digital identity network, which helps businesses make better authentication and transaction authorization decisions. This ultimately reduces fraud for its customers and provides a better user experience for its customers’ consumers. The services that ThreatMetrix provides are cloud-based. ThreatMetrix was recently acquired by LexisNexis Risk Solutions, a RELX group company. ThreatMetrix was formerly headquartered in San Jose, California. The home office of RELX is in London. ThreatMetrix is well-known for its threat intelligence capabilities, which cover device, domain, email, IP address, and network reputation data.