1 Introduction
Most organizations now have a hybrid IT environment and a cloud-first approach to choosing new applications. While this provides many benefits, it also creates challenges around management, security and administration. Managing identity and access in a consistent manner across all IT services, irrespective of how they are delivered, is key to meeting these challenges.
Cloud services, together with mobile communications, provide rapid access to the latest data and applications from any device and any location. It has become easy to try a new service before deploying it widely, which improves business agility while reducing risk. The cloud service provider takes on many of the time-consuming tasks involved in delivering the service, freeing IT resources to concentrate on delivering business value. However, the customer remains responsible for their data, wherever it resides and however it is processed.
The cost of failing to adequately protect data can be very high. New regulations across the world are increasing the penalties for failure to protect personal data. For example, the EU GDPR (General Data Protection Regulation) sets the maximum administrative fine at 2% or 4% of the organization’s total worldwide annual turnover (or EUR 10 million or EUR 20 million respectively, whichever is higher), depending on the nature of the infringement.
The responsibility for security in the hybrid IT environment is shared between the customer and the service provider. Where an organization consumes IT services from multiple cloud vendors as well as on premises, how these responsibilities are divided can be very complex. Most cloud service providers implement strong security controls for the services they provide, and consequently many security breaches originate from failures on the customer’s side, most of them a failure to properly set or protect access controls or credentials. Since cloud services are by design reachable from the internet, incorrect or missing access controls and poorly protected credentials are a major risk. Managing these risks effectively is essential.
The hybrid multi-cloud IT environment creates new identity and access management challenges. When IT was delivered on premises, identity and access management could be centralized and controlled in one place. This supported standard workflows for on-boarding and off-boarding employees and for job changes, as well as the auditing and governance of activities and access rights. However, the tools providing these capabilities for on-premises IT services do not usually cover the cloud.
Employees can decide to use cloud services without any controls, creating the problem of unsanctioned access. Cloud Access Security Brokers (CASB) provide a partial solution to this but are not enough on their own. To manage access to sanctioned cloud services, the organization must set controls within each service, and how this is done should be integrated with the existing on-premises processes, workflows and tools. Furthermore, cloud services from different vendors provide different controls, tools and interfaces, which increases the complexity of this management.
To meet these problems, organizations need a more effective way to manage identities, implement access controls and govern access rights. This must provide a consistent approach to the processes and workflows involved, irrespective of the service being used, while also scaling to meet the demands of digital transformation. It must also coexist and integrate with existing on-premises Identity and Access Management (IAM) processes and tools, since it is not practical to rip and replace these.
Identity as a Service (IDaaS) provides a solution to these challenges by delivering traditional IAM services as a cloud service. IDaaS solutions offer cloud-ready integrations to extend an organization’s IAM controls to meet the security requirements of their SaaS portfolio. From a business perspective, IDaaS enables organizations to manage and control access to a diverse range of cloud services in a consistent manner, securely and with lower costs.
From a user perspective, IDaaS makes it easier to get access to the data and applications they need from whatever device they are using and wherever they happen to be. With single sign-on they do not need to remember multiple sets of credentials. Common policies and administration help to limit the risks from excessive privileges or outdated access rights to applications.
IDaaS vendors originate from different backgrounds and their ability to support different IDaaS use-cases can vary significantly. The capabilities offered by most IDaaS vendors can largely be grouped into three categories:
- Identity Administration: the capabilities required by organizations to administer the lifecycle of identities.
- Access Management: capabilities ranging from authentication and authorization to single sign-on and identity federation, for both on-premises and SaaS applications, delivered as a cloud service.
- Access Governance: capabilities for auditing and enforcing compliant access entitlements. These are the least mature and are largely absent from the portfolios of most IDaaS vendors.
As well as replacing traditional on-premises deployments for workforce IAM, IDaaS is becoming an enabler of Consumer Identity and Access Management (CIAM) by offering the required availability and scalability. With IDaaS now dominating new IAM purchases for many use-cases across industry verticals, traditional IAM vendors are gearing up to deliver more cohesive IDaaS capabilities as part of their security services, including tighter integrations with Cloud Access Security Broker (CASB), Enterprise Mobility Management (EMM) and User Behaviour Analytics (UBA) products.