We recently caught up with Scott Carlson, a thought leader and expert user of identity and access management-as-a-service (IDaaS), also known as cloud IAM. Drawing on the security leadership positions he has held at PayPal, Charles Schwab and Apollo, Carlson shared his experiences adopting cloud for identity and access management (IAM).
Life Before IDaaS
Question: Let’s start from the beginning, Scott. What was your life and the lives of your peers like before IDaaS?
Carlson: The largest challenge during my career with traditional IAM solutions is that they required significant funding and very specific expertise in order to keep the infrastructure working, the software stable and then even more people to build roles, modify code and deploy related features. Almost every IAM solution has an authentication provider such as Active Directory or LDAP — software that provides a directory of roles. And everything lives on middleware to tie it all together.
Of course, there are a number of headaches associated with doing this all internally. First, you need very specific skills in the infrastructure all the way through the application stack. Also, the cycle of upgrades lags behind because you have to version-control every piece of the infrastructure to ensure that it is functioning across all dependencies.
Lastly, it’s expensive, and management loses focus a few years into the project because everyone is past the point of excitement about there being a new way to manage privileges. You’re simply into the work part of the cycle. I’ve seen very few interested in continuous investment to keep an on-premises IAM environment upgraded and stable.
Life With Cloud IAM
Question: Thanks for outlining specific headaches security professionals face without an IDaaS solution. Now, can you please share with us how cloud IAM makes those headaches go away?
Carlson: For the vast majority of companies, there is no need to customize the environment to such a point where a whole IAM team is required to be within the organization. Additionally, with all the in-house and SaaS-type tools, which most companies use, building a network that allows access to those external things can be eliminated with enterprise cloud IAM solutions. This allows in-house experts to interact with the IAM solution in a way that drives business value out of your applications rather than babysitting infrastructure.
Since the costs of IDaaS are known ahead of time, you can plan on a consistent road map of features and upgrades against your business applications. Moreover, you can let the IDaaS vendor worry about the dependencies of the inner workings of the tool, meaning there will never be a huge uptick in cost to build out an entire infrastructure. Because you don’t have to buy, build and then deploy, cloud IAM allows for faster adoption of the methodologies and the technologies. You can just deploy.
Minimizing the Risks With Cloud IAM Adoption
Question: Scott, before we wrap, can you share some advice to CISOs and other security executives who are considering IDaaS?
Carlson: Security experts reside in most companies that provide IDaaS and other cloud-based IAM solutions. It’s accurate to say they are “better experts” than you and your company. Rely on these best-of-breed cloud IAM solutions and hold them accountable to providing world-class security.
Often, your being able to do identity and access management partially right on site is far worse than relying on an expert who does it for a living, building a solution to the highest level required by any customer.