Identity and access management-as-a-service, also known as IDaaS or cloud identity and access management (IAM), has become a hot topic among CISOs over the past few years. Alas, confusion about the cloud-based service still exists; even the most basic question, what IDaaS actually is, is often left unanswered or answered incorrectly.

With so much uncertainty and inaccuracy existing around the definition of IDaaS, it seemed fitting to tap into the expertise of a security thought leader and early adopter of IAM-as-a-service. I interviewed Joseph Burkard, a CISO for a global health care organization, to get a complete definition of IDaaS and discuss how his choice of a cloud IAM vendor reflects this definition.

What is IDaaS?

Question: In your own words, please define cloud IAM.

Burkard: Well, let’s first define IAM. When I first came into a security role, identity management was thought to be Active Directory, pure and simple AD. While Active Directory is great for authentication, we now know this is only a piece of the IAM ecosystem.

To demonstrate this, I led an exercise in 2010 to assess our identity management capabilities. We created a reference architecture based on our existing capabilities and injected future considerations. That assessment revealed a lot of gaps. Although Active Directory was at the center of our identity universe, we had limited single sign-on (SSO) functionality and weren’t provisioning and deprovisioning access very well. So this reference architecture yielded our first complete picture of what IAM should be, including authentication, authorization and accountability.

The confusion back then about identity management reminds me of the confusion today around IDaaS. Just as identity management is more than Active Directory, cloud IAM or IDaaS is much more than SSO. In fact, the other components of IDaaS — provisioning and deprovisioning — are more important than SSO because they address authorization and accountability, which is how we protect identities and information.

So when you ask “What is IDaaS?” or “What is cloud IAM?” the answer is always more than SSO from the cloud. The way I define IDaaS is the accelerated use of cloud infrastructure for modernizing IAM to include identity federation, access provisioning and deprovisioning.
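The gap assessment Burkard describes (limited SSO coverage, poor provisioning and deprovisioning) can be reduced to a reconciliation between the HR roster and each application's account list. The following is an added example, not code from the interview or from any vendor it mentions; the roster, account records, application names and the seven-day deprovisioning target are constructed for illustration. It reports orphaned accounts (owner terminated or unknown to HR, with the deprovisioning lag in days), entitled workers with no active account, and accounts still authenticating with a local password instead of federation.

```python
"""Joiner/mover/leaver reconciliation: a small IAM gap assessment.

Added example (not from the interview). Given an HR roster and the account
list of one or more applications, report:
  * orphan     - active app accounts whose owner has left or is unknown to HR
                 (deprovisioning / accountability gap), with lag in days
  * missing    - active workers entitled to an app but holding no active account
                 (provisioning gap); a disabled account counts as not provisioned
  * local_auth - active app accounts using a local password rather than
                 federated sign-on (SSO / federation gap)
All data below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Worker:
    worker_id: str
    status: str                      # "active" or "terminated"
    termination_date: Optional[date]  # None while active
    entitled_apps: frozenset          # apps the worker's role should have


@dataclass(frozen=True)
class AppAccount:
    app: str
    worker_id: str
    auth_method: str                  # "federated" or "local"
    disabled: bool


Orphan = Tuple[str, str, Optional[int]]   # (app, worker_id, lag_days or None)


def reconcile(roster: List[Worker], accounts: List[AppAccount],
              as_of: date) -> Dict[str, list]:
    """Compare application accounts against the HR roster as of a given date."""
    workers = {w.worker_id: w for w in roster}
    findings: Dict[str, list] = {"orphan": [], "missing": [], "local_auth": []}

    for acct in accounts:
        if acct.disabled:
            continue                  # disabled accounts pose no access risk here
        owner = workers.get(acct.worker_id)
        if owner is None or owner.status == "terminated":
            # Lag is measurable only when HR knows the owner's termination date.
            lag = ((as_of - owner.termination_date).days
                   if owner and owner.termination_date else None)
            findings["orphan"].append((acct.app, acct.worker_id, lag))
        if acct.auth_method != "federated":
            findings["local_auth"].append((acct.app, acct.worker_id))

    active_accounts = {(a.app, a.worker_id) for a in accounts if not a.disabled}
    for w in roster:
        if w.status != "active":
            continue
        for app in sorted(w.entitled_apps):
            if (app, w.worker_id) not in active_accounts:
                findings["missing"].append((app, w.worker_id))
    return findings


def deprovisioning_sla_breaches(findings: Dict[str, list],
                                max_days: int) -> List[Orphan]:
    """Orphans older than the deprovisioning target, plus owner-unknown ones."""
    return [o for o in findings["orphan"] if o[2] is None or o[2] > max_days]


# Constructed sample data: three HR records and five application accounts.
ROSTER = [
    Worker("w001", "active", None, frozenset({"ehr", "payroll"})),
    Worker("w002", "terminated", date(2024, 3, 1), frozenset({"ehr"})),
    Worker("w003", "active", None, frozenset({"ehr"})),
]
ACCOUNTS = [
    AppAccount("ehr", "w001", "federated", False),
    AppAccount("payroll", "w001", "local", False),    # local password: federation gap
    AppAccount("ehr", "w002", "federated", False),    # owner left 1 March: orphan
    AppAccount("ehr", "w999", "local", False),        # no HR record at all: orphan
    AppAccount("ehr", "w003", "federated", True),     # disabled: w003 not provisioned
]
AS_OF = date(2024, 3, 31)


def run_example() -> Dict[str, list]:
    """Run the reconciliation on the constructed data and print a summary."""
    findings = reconcile(ROSTER, ACCOUNTS, AS_OF)
    for kind, items in findings.items():
        print(f"{kind}: {items}")
    print("SLA breaches (>7 days):", deprovisioning_sla_breaches(findings, 7))
    return findings


if __name__ == "__main__":
    run_example()
```

Running it on the constructed data flags the terminated worker's account as 30 days overdue, the account with no HR record as an orphan of unknown age, the disabled account's owner as not provisioned, and two accounts still on local passwords; in practice the same comparison is run per application against the HR system of record and the findings feed the deprovisioning and federation backlog.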

Can you please touch on why you believe there is confusion around cloud IAM?

I see two main reasons why some limit the discussion of cloud IAM to SSO. First, there are a lot of vendors or cloud-based providers offering federation and SSO via the cloud. This is their primary feature set, and while successful with federation and SSO, their limited functionality is unable to displace on-premises infrastructure with full identity management capabilities. As a result, their marketing and presentations focus on what they can provide.

The second likely reason for confusion has to do with end user experience and familiarity. No one wants to deal with multiple accounts and passwords, and this further degrades security because people just write username and password combinations on sticky notes. Because of scenarios like this, people — most people — can readily appreciate the benefit of SSO. SSO implies “I use one identity to access multiple applications.”

Nevertheless, as easy as this component of IAM is to understand and implement, it is incomplete and should not be how CISOs are defining IDaaS.

How did your definition of cloud-based identity and access management affect your choice in an IDaaS provider?

Well, with the definition of IDaaS we just discussed, there were several selection criteria we used to assess and select a cloud IAM vendor.

Our first consideration was system functionality. We definitely wanted SSO for our end users to minimize the number of accounts, passwords, etc. Additionally, we wanted to make sure provisioning and deprovisioning was integrated into our identity management process and performed promptly.

As I mentioned already, there are a lot of players in the SSO category and still others that specialize in provisioning and deprovisioning, but very few that offer a completely integrated solution. We wanted the benefits of a truly robust, integrated and complete enterprise-grade IAM solution [without] having to integrate multiple identity and access management products.

As a result, our first requirement for a new IAM solution was that it had to facilitate both SSO and provisioning and deprovisioning.


Our second consideration was to find a hosted solution for the integrated IAM solution. The business drivers for this criterion were to effectively manage risk and spend. IT risk management is ultimately my accountability, and that risk increases exponentially when managing external identities. We didn’t want to take on the risk of hosting customer identities in an on-premises solution, so leveraging an external, mature and secure third-party platform was a priority for us.

I was also concerned with the cost of building out extensive on-premises infrastructure to support our identity management platform. I researched this with the likes of Gartner and Forrester, and they were predicting IDaaS to be rapidly advancing and outpacing on-premises installations. That meant attaining enterprise-grade IAM from the cloud was not only a possibility, but a reality. This new configuration, coupled with the acceleration and modernization of IDaaS, appealed to us.

Essentially, our objectives involved minimizing our infrastructure investment and immediately tapping into the innovative capabilities of a major security player.

Our final criterion involved organizational responsibility and skilled resources. Responsibility for identity management has been somewhat decentralized by application portfolio, but IT maintains the centralized identity management platform for the organization. Our organization, like most, is resource-constrained, especially in IT security, with a shortage of skilled resources, so increasing responsibility for both internal and external identities would be challenging.

Our preference, therefore, was to leverage the same third-party provider to host the platform and provide integration and operational support.

Any final thoughts?

The bottom line is that, for our organization, we wanted one provider and one integrated solution to provide comprehensive IAM functionality, meeting all our support requirements and hosted in a secure cloud.

Doing so not only means that we save money, but we continue supporting our legacy applications and can respond to business requests to onboard new SaaS applications in minutes, not months. We also have full confidence the environment is mature, secure and compliant, with audit capabilities over access management, federation and identity governance from a single console.

Finally, we are able to engage appropriate resources to provide integration assistance and support without staffing an army of experts. For us, the choice was clear and represents strategic investment with a proven partner to provide enterprise and global IAM functionality from the cloud.
