We recently caught up with Scott Carlson, a thought leader and user expert of identity and access management-as-a-service (IDaaS), also known as cloud IAM. Based on the security leadership positions he has held at PayPal, Charles Schwab and Apollo, Carlson shared his experiences in adopting cloud for identity and access management (IAM).

Life Before IDaaS

Question: Let’s start from the beginning, Scott. What was your life and the lives of your peers like before IDaaS?

Carlson: The largest challenge during my career with traditional IAM solutions is that they required significant funding and very specific expertise in order to keep the infrastructure working, the software stable and then even more people to build roles, modify code and deploy related features. Almost every IAM solution has an authentication provider such as Active Directory or LDAP — software that provides a directory of roles. And everything lives on middleware to tie it all together.

Of course, there are a number of headaches associated with doing this all internally. First, you need very specific skills in the infrastructure all the way through the application stack. Also, the cycle of upgrades lags behind because you have to version-control every piece of the infrastructure to ensure that it is functioning across all dependencies.

Lastly, it’s expensive, and management loses focus a few years into the project because everyone is past the point of excitement about there being a new way to manage privileges. You’re simply into the work part of the cycle. I’ve seen very few interested in continuous investment to keep an on-premises IAM environment upgraded and stable.


Life With Cloud IAM

Question: Thanks for outlining specific headaches security professionals face without an IDaaS solution. Now, can you please share with us how cloud IAM makes those headaches go away?

Carlson: For the vast majority of companies, there is no need to customize the environment to such a point where a whole IAM team is required to be within the organization. Additionally, with all the in-house and SaaS-type tools, which most companies use, building a network that allows access to those external things can be eliminated with enterprise cloud IAM solutions. This allows in-house experts to interact with the IAM solution in a way that drives business value out of your applications rather than babysitting infrastructure.

Since the costs of IDaaS are known ahead of time, you can plan on a consistent road map of features and upgrades against your business applications. Moreover, you can let the IDaaS vendor worry about the dependencies of the interworkings of the tool, meaning there will never be a huge uptick in cost to build out an entire infrastructure. Because you don’t have to buy, build and then deploy, cloud IAM allows for faster adoption of the methodologies and the technologies. You can just deploy.

Minimizing the Risks With Cloud IAM Adoption

Question: Scott, before we wrap, can you share some advice to CISOs and other security executives who are considering IDaaS?

Carlson: Security experts reside in most companies that provide IDaaS and other cloud-based IAM solutions. It’s accurate to say they are “better experts” than you and your company. Rely on these best-of-breed cloud IAM solutions and hold them accountable to providing world-class security.

Often, your being able to do identity and access management partially right on site is far worse than relying on an expert who does it for a living, building a solution to the highest level required by any customer.
