Biotechnology company Genomic Health Inc. grew to 600 employees before its lack of a single system for handling workers' access to its various information systems became unwieldy.
It didn't help that, over the past five years, the Redwood City, Calif.-based company added a score of cloud services. The human resources department led the exodus to the cloud, moving a handful of applications, such as performance management, a payroll system, and benefits management, to the cloud. Other systems included project management and expense reporting. When new employees started at the company, they would get an account on each of the 20 systems and a different password with every account.
The company had to continually deal with forgotten passwords and complaints, said Ken Stineman, senior director of enterprise architecture and security at Genomic Health. Many workers were not regularly using the systems because accessing the online services was too difficult.
"We had all these cloud solutions, so we asked, 'Can we find a cloud provider to manage identity?'" he said. The company wanted to find a way to facilitate the accessibility the cloud services were designed to provide, he said.
The company brought in
"We got a standing ovation," he said. "What we learned was a lot of people were not using these resources in the cloud; they were not filing their expenses on time because they could not remember their passwords."
Cloud identity and access management benefits
Genomic Health is not alone. Because identity and access management systems are difficult to maintain and hard to integrate with other applications and services, companies stand to save 30% to 50% on support costs by moving such systems to the cloud, said Andras Cser, principal analyst with Forrester Research.
"Cloud providers have the benefit of repeatability," Cser said. "There is a pretty good chance that the cloud provider has already done work in your vertical, so they have efficiencies, such as templates."
In addition, companies that use cloud service providers don't have to worry about upgrades and benefit from the providers' efforts to integrate with other cloud services and, potentially, on-premise applications.
Also, companies of different sizes derive different benefits, said Eric Olden, CEO of Symplified Inc., a cloud-based IAM service provider. Large companies tend to have a number of systems, making their access and authentication infrastructure complex; small- and medium-sized businesses are different, he said.
"They tend to take a very cloud-first approach," Olden said. "Their notion is no data center, no servers -- we want everything running in the cloud. They don't even think about Microsoft Exchange because they are Gmail users."
Typically, companies focus on three use cases when adopting cloud IAM. In general, companies authenticate to the cloud, in the cloud or from the cloud. When a company's services are "in the cloud," as at Genomic Health, using cloud identity and access management is a no-brainer, said Mark Diodati, research vice president with Gartner. Enterprises that focus on "to the cloud" want to extend their user identity information out to the cloud to enable single sign-on to other cloud applications.
"The first thing you need to do is get the identity information out to the cloud and the second is share authentication details with other cloud services through federation," Diodati said.
Finally, companies with a significant on-premise infrastructure that want to move just the management of identity to the cloud create a "from the cloud" infrastructure. However, putting provisioning tools in the cloud and making them authoritative for all users is a scary proposition for most companies, he said.
"That's the area where a lot of people have a huge amount of reservations," Diodati said.
Due diligence required
Putting any identity information in the cloud is a big step for most companies, Forrester's Cser said. Companies have to be diligent in reviewing their cloud provider's policies.
"You need to find out how secure your data is, and who is getting access to the crown jewels and what happens if the cloud provider goes out of business," he said.
Genomic Health's Stineman agrees. The company did its due diligence with Okta to make sure it stored information securely.
"We did a lot of research on the company's policies," he said. "We are definitely trusting them with some critical information."
About the author:
Robert Lemos is an award-winning technology journalist, who has reported on computer security and cybercrime for 15 years. He currently writes for several publications focused on information security issues.