Motivation to consume IAM as a service

Organizations increasingly have a mandate to consume new applications and migrate existing ones to a cloud-hosted/vendor-managed delivery model: software as a service (SaaS). Identity and access management systems are a part of this trend.

Some applications are easier to move to a SaaS model than others:

  1. Few or no integrations with on-premises applications.
  2. Standard, simple business processes.

These simplifying assumptions are a good fit for relatively self-contained applications, such as messaging (e.g., Office 365 and Google Apps), CRM (e.g., Salesforce.com) and HR (e.g., WorkDay). They fit nicely with single sign-on services too.

The motivation to move applications to SaaS is independent of these simplifying assumptions, however. Organizations prefer SaaS to traditional, on-premises software deployments for a number of reasons, including:

  • Applications are managed professionally by someone else's workforce. Many organizations struggle to recruit, train and retain skilled staff to manage their applications -- this problem becomes more acute with complex applications.
  • There are more frequent version upgrades which enable new features and updated user interfaces.
  • SaaS applications typically have more modern user interfaces which are usually either mobile-friendly on the web or available via apps on smart phones.
  • The cost of SaaS is a lease/expense which can be written off immediately, rather than an investment/capital expense which can only be depreciated over time.
  • It's easier to scale up applications without having to deploy additional physical infrastructure such as incremental on-premises hypervisor capacity.
  • End user devices need only a web browser -- which is inexpensive to deploy and maintain.
  • Applications are typically available from any location, without need for a VPN.

In short, organizations want to move their IAM infrastructure to SaaS despite (or perhaps because of) its intrinsic complexity.

IDaaS or IAMaaS?

To minimize deployment complexity and integration between on-premises and cloud-hosted systems, most "identity as a service" products and implementations to date have in reality been federated single sign-on and strong authentication services. In other words, popular "IDaaS" platforms are more accurately described as "SSOaaS" and/or "MFAaaS" than as "IAMaaS."

In contrast, fully-featured identity and access management systems often involve:

  • Multiple integrations with both on-premises and SaaS systems and applications:
    • On-premises: directories, CRM and ERP applications, legacy midrange and mainframe systems, etc.
    • SaaS: messaging, calendars, web conferencing, CRM, HR, expense management, etc.
  • Each integration supports many operations, such as creating, deleting, enabling and disabling accounts and groups, assigning and revoking entitlements, reading and writing identity attributes, moving and renaming objects in a directory and more.
  • Client software deployments (for example, to facilitate self-service password reset).
  • Complex, customer-specific business processes and policies.

IAMaaS means moving the core IAM infrastructure to a cloud-hosted, vendor-managed delivery model while continuing to offer all of the above capabilities.
