Motivation to consume IAM as a service
Organizations increasingly have a mandate to consume new applications and migrate existing ones to a cloud-hosted/vendor-managed delivery model: software as a service (SaaS). Identity and access management systems are a part of this trend.
Some applications are easier to move to a SaaS model than others. The easiest candidates have:
- Few or no integrations with on-premises applications.
- Standard, simple business processes.
These simplifying assumptions are a good fit for relatively self-contained applications, such as messaging (e.g., Office 365 and Google Apps), CRM (e.g., Salesforce.com) and HR (e.g., WorkDay). They fit nicely with single sign-on services too.
The motivation to move applications to SaaS is independent of these simplifying assumptions, however. Organizations prefer SaaS to traditional, on-premises software deployments for a number of reasons, including:
- Applications are managed professionally by someone else's workforce. Many organizations struggle to recruit, train and retain skilled staff to manage their applications -- this problem becomes more acute with complex applications.
- There are more frequent version upgrades which enable new features and updated user interfaces.
- SaaS applications typically have more modern user interfaces which are usually either mobile-friendly on the web or available via apps on smart phones.
- The cost of SaaS is a lease/expense which can be written off immediately, rather than an investment/capital expense which can only be depreciated over time.
- It's easier to scale up applications without having to deploy additional physical infrastructure such as incremental on-premises hypervisor capacity.
- End users typically need only a web browser, so client devices are inexpensive to deploy and maintain.
- Applications are typically available from any location, without need for a VPN.
In short, organizations want to move their IAM infrastructure to SaaS despite (or perhaps because of) its intrinsic complexity.
IDaaS or IAMaaS?
To minimize deployment complexity and integration between on-premises and cloud-hosted systems, most "identity as a service" products and implementations to date have in reality been federated single sign-on and strong authentication services. In other words, popular "IDaaS" platforms are more accurately described as "SSOaaS" and/or "MFAaaS" rather than "IAMaaS."
In contrast, fully-featured identity and access management systems often involve:
- Multiple integrations with both on-premises and SaaS systems:
  - On-premises: directories, CRM and ERP applications, legacy midrange and mainframe systems, etc.
  - SaaS: messaging, calendars, web conferencing, CRM, HR, expense management, etc.
  - Each integration supports many operations, such as creating, deleting, enabling and disabling accounts and groups, assigning and revoking entitlements, reading and writing identity attributes, moving and renaming objects in a directory and more.
- Client software deployments (for example, to facilitate self-service password reset).
- Complex, customer-specific business processes and policies.
IAMaaS means moving the core IAM infrastructure to a cloud-hosted, vendor-managed delivery model while continuing to offer all of the above capabilities.