In the not-so-distant past, identity and access management (IAM) was another entry on the long list of functions handled internally with on-premise technology. But the world of identity management no longer exists only behind the firewall, and the adoption of cloud applications and services has led some enterprises to consider IAM as a service, or cloud-based IAM, as an answer to their security challenges.
According to analysts, the market for cloud IAM is starting to gain the attention of enterprises. In a report released in April, Gregg Kreizman, a research director at Gartner Inc., projected IAM as a service could account for 20% of all new IAM sales by the end of 2012, up from less than 5% in 2011. Inside this market is a mix of vendors, he said. Some are focused on community federation support, while others offer traditional IAM functionality from the cloud for Web and legacy applications inside the perimeter. Another vendor subset focuses on IAM for Web applications, both inside and outside the firewall.
Among the technology’s early adopters is Enterasys Networks. According to Ben Doyle, director of IT applications at Enterasys, the company turned to the cloud for identity management as the security challenges it faced while adopting more and more cloud technologies became apparent.
“We built a homegrown Web service integration with Salesforce.com so users could log into Salesforce using single sign-on using their email address and domain password,” he explained. “This homegrown Web service that we built, we had stability issues [and] it just wasn’t what I would call enterprise class…as we looked into other applications, we said, ‘Geez, we don’t really want to have to replicate this every time we deploy a new cloud application, and it doesn’t really give us any management or visibility into how authentication works.’ So that’s what really set us down the path of looking for something a little more elegant.”
The company eventually settled on San Francisco-based Okta Inc. to solve its issues. Okta is just one of several vendors playing in a space that includes vendors such as Symplified Inc., Ping Identity Corp. and CA Technologies.
Organizations that have already taken the leap by putting sensitive legacy applications in the cloud are more open to the idea of having their IAM infrastructure in the cloud from a security perspective, said Nishant Kaushik, chief architect at Identropy, another player in the growing cloud IAM market.
“They definitely want the benefits of a cloud-based service from a run-time operational expense perspective -- and also [like] the idea of having pre-built integration between the cloud-based infrastructure and their SaaS environment,” he said.
Cloud IAM considerations
There are a number of factors companies should consider before moving to a cloud-based identity management service. Step one, numerous sources said, is for organizations to understand the requirements of their environment.
“Know what you're trying to manage with the IAM service,” advised Tim Brown, chief security architect at Islandia, N.Y.-based CA Technologies. “If you have a homegrown application or something that is customized, like a SAP environment, you may want an on-premise solution or a private service solution that can be customized and configured specifically for your business and its application. If you're supporting cloud applications, standard services or particularly something that involves external users, there could be good benefit from cloud IAM because you're managing the identities of a community. You leverage the expertise of the cloud IAM vendor and take advantage of economies of scale.”
Eve Maler, principal analyst at Forrester Research, said other considerations include understanding service-level agreements, how many identities are being managed and whether the cloud service will be used as an adjunct to in-house identity management, which would require synchronizing sources.
Cloud IAM and security
The security of placing directory data in the cloud is a factor for some companies as well, but varies according to industry vertical and size, noted Steve Coplan, an analyst with The 451 Group.
“Symplified has had some traction with an encrypted tunnel into a cloud user data store for organizations that are concerned about protecting the enterprise logic residing in the cloud,” he said. “Plenty of mid-sized organizations are more interested in getting better management and agility in place so they can lower costs and get operational improvements.”
According to Coplan, pragmatic organizations realize the level of protection they have in place for securing Active Directory data -- and monitoring AD administrators and changes -- is pretty inadequate as it stands.
“If service providers provide better separation of duties, monitoring and reporting on admin activities, that may even encourage” those organizations, he said. “I think we will see the market sort out these questions over time, with some enterprises willing to pay a premium for more security, other enterprises implementing private directories in the cloud and others still, moving off AD entirely,” he said.
In five years, Forrester’s Maler said she expects the average size of enterprises taking advantage of cloud-based IAM to grow. “A lot of the smaller companies that started with no on-premise infrastructure will grow up never strictly needing to add any…. We might see 10,000, 20,000, 50,000-employee enterprises finding it pretty easy to manage identities on a cloud basis.”
About the author:
Brian Prince has been covering the IT security industry for five years. His articles have appeared in a number of publications.