Identity and access management-as-a-service, also known as IDaaS or cloud identity and access management (IAM), has become a hot topic among CISOs over the past few years. Yet confusion about the cloud-based service persists; even the most basic question, what IDaaS actually is, often goes unanswered or is answered incorrectly.
With so much uncertainty and inaccuracy existing around the definition of IDaaS, it seemed fitting to tap into the expertise of a security thought leader and early adopter of IAM-as-a-service. I interviewed Joseph Burkard, a CISO for a global health care organization, to get a complete definition of IDaaS and discuss how his choice of a cloud IAM vendor reflects this definition.
Question: In your own words, please define cloud IAM.
Burkard: Well, let’s first define IAM. When I first came into a security role, identity management was thought to be Active Directory, pure and simple AD. While Active Directory is great for authentication, we now know this is only a piece of the IAM ecosystem.
To demonstrate this, I led an exercise in 2010 to assess our identity management capabilities. We created a reference architecture based on our existing capabilities and injected future considerations. That assessment revealed a lot of gaps. Although Active Directory was at the center of our identity universe, we had limited single sign-on (SSO) functionality and weren’t provisioning and deprovisioning access very well. So this reference architecture yielded our first complete picture of what IAM should be, including authentication, authorization and accountability.
The confusion back then about identity management reminds me of the confusion today around IDaaS. Just as identity management is more than Active Directory, cloud IAM or IDaaS is much more than SSO. In fact, the other components of IDaaS — provisioning and deprovisioning — are more important than SSO because they address authorization and accountability, which is how we protect identities and information.
So when you ask “What is IDaaS?” or “What is cloud IAM?” the answer is always more than SSO from the cloud. The way I define IDaaS is the accelerated use of cloud infrastructure for modernizing IAM to include identity federation, access provisioning and deprovisioning.
Can you please touch on why you believe there is confusion around cloud IAM?
I see two main reasons why some limit the discussion of cloud IAM to SSO. First, there are a lot of vendors or cloud-based providers offering federation and SSO via the cloud. This is their primary feature set, and while successful with federation and SSO, their limited functionality is unable to displace on-premises infrastructure with full identity management capabilities. As a result, their marketing and presentations focus on what they can provide.
The second likely reason for confusion has to do with end user experience and familiarity. No one wants to deal with multiple accounts and passwords, and this further degrades security because people just write username and password combinations on sticky notes. Because of scenarios like this, people — most people — can readily appreciate the benefit of SSO. SSO implies “I use one identity to access multiple applications.”
Nevertheless, as easy as this component of IAM is to understand and implement, it is incomplete and should not be how CISOs are defining IDaaS.
How did your definition of cloud-based identity and access management affect your choice in an IDaaS provider?
Well, with the definition of IDaaS we just discussed, there were several selection criteria we used to assess and select a cloud IAM vendor.
Our first consideration was system functionality. We definitely wanted SSO for our end users to minimize the number of accounts, passwords, etc. Additionally, we wanted to make sure provisioning and deprovisioning were integrated into our identity management process and performed promptly.
As I mentioned already, there are a lot of players in the SSO category and still others that specialize in provisioning and deprovisioning, but very few that offer a completely integrated solution. We wanted the benefits of a truly robust, integrated and complete enterprise-grade IAM solution [without] having to integrate multiple identity and access management products.
As a result, our first requirement for a new IAM solution was that it had to facilitate both SSO and provisioning and deprovisioning.
Our second consideration was to find a hosted solution for the integrated IAM solution. The business drivers for this criterion were to effectively manage risk and spend. IT risk management is ultimately my accountability, and that risk increases exponentially when managing external identities. We didn’t want to take on the risk of hosting customer identities in an on-premises solution, so leveraging an external, mature and secure third-party platform was a priority for us.
I was also concerned with the cost of building out extensive on-premises infrastructure to support our identity management platform. I researched this with the likes of Gartner and Forrester, and they were predicting IDaaS to be rapidly advancing and outpacing on-premises installations. That meant attaining enterprise-grade IAM from the cloud was not only a possibility, but a reality. This new configuration, coupled with the acceleration and modernization of IDaaS, appealed to us.
Essentially, our objectives involved minimizing our infrastructure investment and immediately tapping into the innovative capabilities of a major security player.
Our final criterion involved organizational responsibility and skilled resources. Responsibility for identity management has been somewhat decentralized by application portfolio, but IT maintains the centralized identity management platform for the organization. Our organization, like most, is resource-constrained, especially in IT security, with a shortage of skilled resources, so increasing responsibility for both internal and external identities would be challenging.
Our preference, therefore, was to leverage the same third-party provider to host the platform and provide integration and operational support.
Any final thoughts?
The bottom line is that, for our organization, we wanted one provider and one integrated solution to provide comprehensive IAM functionality, meeting all our support requirements and hosted in a secure cloud.
Doing so not only means that we save money, but we continue supporting our legacy applications and can respond to business requests to onboard new SaaS applications in minutes, not months. We also have full confidence the environment is mature, secure and compliant, with audit capabilities over access management, federation and identity governance from a single console.
Finally, we are able to engage appropriate resources to provide integration assistance and support without staffing an army of experts. For us, the choice was clear and represents strategic investment with a proven partner to provide enterprise and global IAM functionality from the cloud.