Background - IAM
Identity and access management encompasses a wide range of solutions, including smart cards, biometrics, network access control devices, directories, software to manage users and entitlements both inside an organization (business-to-employee) and externally (government-to-citizen, business-to-business, business-to-customer, etc.), enterprise single sign-on, web single sign-on, federation, authorization engines and more.
This document's primary focus is on systems that create, manage and deactivate the access of internal users to systems and applications in medium to large organizations (1,000 to 300,000 users). This includes user provisioning, access certification, password management and single sign-on applications designed for deployments in the "business to employee" pattern.
This document also covers design considerations for federated access management systems deployed to corporate users in the same kinds of organizations.
Organizations deploy IAM systems in order to achieve a number of benefits, including:
- To comply with a variety of regulations that call for strong internal controls. Internal controls depend on IT security, which in turn depends on trustworthy user onboarding and deactivation processes, reliable authentication, appropriate security entitlements and detailed audit logs.
- To lower IT operating expense, in particular for help desk services (reducing password reset call volume) and security administration (automating access setup and tear-down).
- To improve user service through more user-friendly and efficient change management, fewer passwords for users to remember and streamlined application logins.
Background - SaaS
Software as a service (SaaS) is both a business model and a technology deployment pattern. The business model is one where an organization defers to a third party to install, configure and operate an application on its behalf. The technology deployment pattern is to move the application from its traditional location in the organization's private data center to an instance hosted by the SaaS vendor and accessed by users over the Internet.
SaaS is one form of "cloud computing." The others are infrastructure as a service (IaaS), where organizations add and remove virtual servers on a cloud service provider (CSP)'s network on demand, and platform as a service (PaaS), where organizations write and deploy applications using a CSP's proprietary application runtime environment. Examples of IaaS include Amazon EC2 and RackSpace.com. Examples of PaaS include Force.com and Microsoft Azure. Examples of SaaS include Salesforce.com, Google Applications and WebEx.
Organizations may be motivated to move applications from the traditional model, where software is installed on physical servers in a private data center, to SaaS for a number of reasons, including:
- Data center capacity, i.e., limited space, power or cooling capacity in their own data center.
- Changing the cost structure from capital expense to operating expense (OpEx replaces CapEx).
- Lower cost of operations, especially if demand is variable, by paying for utilization rather than capacity.
- Lower cost due to more efficient operations at the SaaS provider than in the organization's own IT organization.
- Access to application-specific expertise, which may lower deployment cost or risk and improve the value of the application.