Security is repeatedly cited as the main concern that prevents enterprises from moving to the cloud. And yet, software vendors continue to transition features, functions and data into the cloud -- including users' identities and the authentication process.
A byproduct of that transition is the emergence of identity management as a service (IDaaS), an authentication infrastructure that resides in the cloud. As such, it offers all of cloud's benefits, such as a reduced on-site infrastructure, easier management and a broader range of integration options. But do the risks -- specifically concerns about availability, identity data protection and ultimately trusting a third party with a critical business function -- outweigh the benefits?
Make sure they truly understand the protection of your identities. They are the keys to your kingdom.
information security office, CMA Consulting
Gregg Kreizman, research vice president at Stamford, Conn.-based research firm Gartner Inc., divides IDaaS services into two categories: Web access software for cloud-based applications such as software as a service (SaaS) and Web-architected applications; and cloud-delivered legacy identity management services. With the latter, vendors deliver the traditional identity management software stack from the cloud.
According to Kreizman, his clients are more interested in Web-centric IDaaS. "It seems like that's a piece [of identity and access management] that they can peel off because they are adopting more cloud applications," Kreizman said. "They figure if a vendor has already made connections to the cloud SaaS connections, it makes it easier to just go with that."
Establishing connectors between IDaaS and on-premises applications is similar to doing so with an on-premises identity product, Kreizman said, in that it requires considerable integration work. These services may also work with SaaS, but to a limited degree.
"The vendors who do legacy architecture are likely to have a smaller library of SaaS applications to which they've already connected," he said. "The Web-centric guy -- that's his reason for living."
The Web-centric IDaaS applications, however, do not work with on-premises applications. "They don't have a lot of advanced features found in legacy identity and access management software stacks, like workflow around provisioning or self-service requests," said Kreizman. "They are doing the basic blocking and tackling of moving identity data from an enterprise directory to get an account established in the cloud and do the federated authentication so users have single sign-on and fundamental basic reporting. These are rudimentary services designed to give organizations and their users access to SaaS fairly easily."
Both types of IDaaS -- Web-centric and cloud-based legacy systems -- are subject to the security risks that are common to any SaaS. The difference with IDaaS is that there is no question that the data in the cloud is sensitive.
IDaaS and outsourcing critical functions
Joseph Granneman, a cloud security expert and a contributor to SearchCloudSecurity.com, said it is important to realize that when using IDaaS, processes that were previously behind a firewall and most likely always inside the network become exposed to the Internet.
"You are outsourcing a very critical function of your business to a third party, especially on the provisioning part of it. You have no insight into how those processes work," said Granneman. Additional IDaaS security risks involve personnel (does the provider conduct background checks?), data discovery, operational controls, access to customer data and management of credentials.
There is also the issue of regulatory compliance. "There's a lack of standards and best practices that generally applies to anything that's security related," said Randall Gamby, information security officer at CMA Consulting in Latham, N.Y. "Identity is the first component of regulatory compliance. Before you can ensure the right people have the right access to the right data, you have to make sure you have the right people."
Gamby said moving identity management to the cloud raises a whole host of questions regarding auditing, ensuring compliance of regulations and what happens if disclosures occur.
"There isn't a lot of law around how an identity provider provides assurances against disclosure of information," Gamby said. "The reality is that most of the terms and conditions and SLAs (service-level agreements) from cloud providers are not the equivalent of what you'd have with a corporate, on-premises environment," said Gamby. "It could be a substantial risk increase to go into the cloud from a regulatory compliance perspective."
Services in demand
Despite the risks, some organizations are attracted to the idea of outsourcing identity management to cloud providers. "Even though it's been around for eons, there are still very few people who understand identity management at a high level," said Gamby. "If you're a small organization or a complex organization, and you don't have the expertise in-house, it can be very difficult to have a strong identity architecture. By going into the cloud environment, you're assuming that you're working with experts in the space."
But, Gamby warns: "Make sure they truly understand the protection of your identities. They are the keys to your kingdom."
Experts advise organizations to determine their tolerance for security risk before adopting IDaaS. Of all the SaaS offerings, IDaaS is the least mature, according to Granneman. "It's early and something to kind of watch. For conservative organizations, just keep an eye on it. Dabble with it. Don't go right now," he said.
If your organization is willing to accept some of the risk, think carefully about what identities you can offload. "There are some things that are probably managed better in-house," Gamby said. "In identity management, the identity should match the data's value.
"Depending on the data and identity you're looking at, and your comfort in the security level," Gamby added, "that will determine whether you can go into a cloud environment and that it can address resource issues without making your company more vulnerable to risk."
About the author
Crystal Bedell is a freelance technology writer specializing in information security, cloud computing and networking. She can be reached at firstname.lastname@example.org.
This was first published in November 2012