5 IDaaS Questions Answered
December 02, 2013
As we start to see more and more potential Identity as a Service (IDaaS) opportunities appear, we’re being asked about IDaaS and its viability. This post will address some of those basic questions we’re getting and share what we’re seeing and hearing from customers and vendors today.
1. What is IDaaS?
IDaaS stands for Identity as a Service. By definition it is meant to be a cloud or SaaS-based Identity & Access Management (IAM) offering with services or functionality that can be consumed by an organization in a modularized fashion for a subscription fee.
For example, if an organization only wants its users to be able to use the Password Management functionality offered by an IDaaS vendor, it might pay for only that particular service and only for the users who will actually be using it. IDaaS solutions have either no on-prem infrastructure or minimal – like a virtual appliance or gateway for secure communication.
IDaaS IAM functions currently available from IAM vendors include, but are not limited to:
- Cloud SSO
- Password Management
- Access Governance
“If I’ve been hosting my stuff at for years, I’m already taking advantage of IDaaS, right?”
Please note that there is a difference between hosting an instance of the vendor’s on-prem IAM solution and a true IDaaS solution.
Hosting itself has been around for years, and companies such as Rackspace, HP, and AT&T have been available to alleviate operational and IT resourcing concerns for customers by providing their data centers and monitoring services for a fee (usually a monthly invoice with a line item or six).
While there are multiple definitions of IDaaS today, the purest ones seek to provide a comparative lower cost to hosting by limiting infrastructure and operational costs AS WELL AS reducing implementation costs. The majority of thought leaders in the IAM space are suggesting that IDaaS should take advantage of configuration rather than customization and should be simplistic by design (and as a result, limit implementation costs by being rigid on what can and can’t be customized). Because of that inflexibility, IDaaS likely isn’t for everybody…yet.
2. What does IDaaS really mean for most customers right now?
For many organizations at the enterprise-level, probably not much. There are undoubtedly a number of benefits (and risks) with IDaaS as we know it today, but many organizations are not ready to begin buying and configuring an IDaaS solution for more than a few use cases and not on an enterprise level.
Some smaller, less IT mature or security-concerned organizations have taken the leap and become early adopters of IDaaS. Some complex or multinational organizations have individual business units who have decided to invest in IDaaS thru functions like Cloud SSO (workforce to SaaS), Password Management or SaaS provisioning, but not at a true enterprise level and not with legacy, on-prem applications.
To date, we haven’t seen many organizations build and act upon an enterprise-wide, all -encompassing IAM roadmap that focuses on only IDaaS. We see “cloud interested” customers, but not necessarily “cloud buying” customers. And we see hybrid solutions.
However, there are customers fitting a certain profile (see below) that are adopting IDaaS, and there are IDaaS pure play companies focused on delivering IDaaS. IDaaS will only continue to grow in adoption.
3. What type of customer is a good fit for IDaaS?
As of now, the ideal customer for a cloud-based IAM offering has been in the Small & Medium Business market (SMB). SMB typically represents customers with limited IT resources, a limited focus on security and security-related investment and limited IT and IAM spend.
The historic perpetual IAM licensing model is often one that has made IAM adoption more difficult in SMB. However, we are starting to see the “cloud interested” audience become more diverse. Currently, our “cloud interested” customers span manufacturing, food service, education and healthcare. Within those verticals, these customers fit a pretty consistent profile:
- Simple user lifecycle processes or ability to make existing processes simpler
- Limited legacy IT Applications (i.e. mainframe)
- More focus on ease of end user experience than on IT controls
- Less concern around off-prem data storage
- Not afraid to address business needs as new IDaaS functionality is rolled out
- Not afraid to be an early adopter
The reality is that many customers who invest in IDaaS will need to follow a hybrid IT model for the foreseeable future and as a result will need an IDaaS solution that can handle IAM functions for SaaS AND on-prem legacy applications like mainframe, AS400, UNIX, etc.
4. When will those “cloud interested” customers become “cloud buyers”?
As many of these customers begin to build IDaaS-focused IAM roadmaps and move from legacy IT to a hybrid IT model, we’ll begin to see more IDaaS investment. A few key IDaaS vendor thought leaders have emerged in the space and are focused on offering a full “suite” of IAM functions as a service, pushing forward support and adoption of new and emerging standards like SCIM.
In the meantime, customers don’t have to wait. If they aren’t ready to fully go down the IDaaS road for certain key functions like access governance or provisioning, the same key IDaaS vendors have options that allow them to show value to the business via end user-friendly IDaaS functions like cloud SSO, without having to pay for other functions. Subsequent functionality can be added in a modularized fashion as desired and available.
If customers aren’t ready to go down the IDaaS road at all but remain “cloud interested,” at least one strong IAM vendor offers migration strategies that will allow them to move from a controlled, simplistic on-prem IAM tool deployment to their IDaaS offering when they’re ready.
Hosting that simplistic on-prem IAM deployment as a managed service is another pre-migration step you can take as you prepare the organization for life without infrastructure on-prem.
5. What should I look for in an IDaaS solution?
In our opinion, there are a few key things to look for when evaluating an IDaaS solution. As the solutions themselves evolve, so will the viability and adoption of IDaaS as a whole.
- Vendor sustainability – Is it a startup, an established IDaaS pure play, a Managed Service provided offering an IAM “service,” a legacy IAM vendor with an IDaaS offering or a non-IAM vendor expanding into IAM?
Forecasts show that cloud investment will only increase in the next couple of years, but it’s important to know that building an IDaaS offering from scratch requires a large amount of R&D. Building a company entirely around IDaaS requires multiple rounds of funding. In an uber-competitive market like IAM, there is no guarantee the company itself will survive, especially as legacy IAM vendors turn their attention toward IDaaS and enter the fray.
- Product Roadmap – Multiple IDaaS vendors offer solutions today that deal with cloud SSO, SaaS provisioning (with some Active Directory and LDAP capabilities) and Password Management. However, a focus on SaaS integration and management does not mean that it’s a viable solution for the enterprise. Customers should investigate IDaaS solutions that allow for integration and management of on-prem applications as well those offerings that cover or will cover business needs ranging from SSO to access governance to provisioning (and everything in between) – not just pieces that require multiple interfaces and integration points, multiple vendors and multiple sources of IAM spend.
IDaaS vendors should also be focused on emerging standards (OAuth, OpenID, SCIM, etc.) and support for those standards now and in the future. They should continue to innovate through such concepts as risk-based authN, social log on and next-generation WAM.
- Pricing Model – Does the vendor offer a subscription model for their IDaaS offering? Are there discounts for volume, functionally used, length of contract? How is maintenance and support factored in? What do “implementation” costs to setup IDaaS truly look like?
- Data Security – This may be the most important thing that potential IDaaS customers are concerned about today. As a customer, you need to be aware of how and where your data is stored. Is it encrypted at rest and in motion? How do you transmit your data, and where are you transmitting it to? Where and how are passwords stored in the cloud? Does the IDaaS provider own the data centers where your data will reside or do they use a third party? What sort of monitoring do they have in place? Are they SOC II compliant?
IDaaS is here to stay. In the near future we’ll continue to see more and increasingly diverse companies offer quality IDaaS options and more customers move from being “cloud interested” to being “cloud buyers.” We’ll continue to see the industry standardize around those key emerging standards and the emerging IDaaS thought leaders push the whole group forward. And someday we might even see IAM become more of a commodity.
But for those that aren’t ready to take the plunge or can’t due to the type of organizational makeup or history of their organization, there are still steps you can take in that direction – hybrid IAM, managed services offerings and long term IDaaS migration strategies.