Managed Identity Services: the next generation of IDaaS
In my last post, I discussed how the “Service” part of “Identity as a Service” (IDaaS) can mean very different things to different IDaaS companies.
To us, the “Service” part means “full service.” This stands in contrast to most other IDaaS firms where the “Service” part means only that they host and maintain the Identity and Access Management (IAM) software for you “in the cloud.” You, however, are still required to operate it. It’s the typical “Software as a Service” model, where the cloud is just a new way to license and deliver their proprietary IAM software.
We differ from these first-gen IDaaS providers in that we offer Managed Identity Services. Put simply, it means that we don’t just host and maintain your IAM infrastructure, we operate it, too. We’re focused on meeting your IAM needs instead of just delivering software, providing solutions instead of just tools. It is an outsourcing model for security management, which is an essential component in secure business resilience and agility.
The model itself isn’t new. Businesses routinely rely on independently operated Security Operations Centers (SOCs), which combine highly skilled professionals with industry-leading processes and technologies to detect, analyze and prevent network security incidents.
But the model is just starting to take hold for IAM. We’ve reached a tipping point in the maturity of IDaaS, which has given rise to Managed Identity Services. This evolution is being fueled by organizations that now have greater expectations of their IDaaS providers and a growing list of demands:
For many years, IAM and IDaaS vendors have offered a myriad of security tools to give employees easy access to the resources they need while keeping the “bad guys” out. In 2002 with Sarbanes-Oxley, the focus shifted to governance and compliance, and businesses asked for solutions to help identify and mitigate insider threats.
Now, nearly a decade and a half after Sarbanes-Oxley, businesses have realized that these costly compliance controls haven’t really mitigated the threat – they’re simply a drag on business that adds no value. As a result, they have serious compliance fatigue.
IAM is now ready for its next evolution, and analytics will take us there.
Today, IDaaS solutions need to provide organizations with a level of analytics that enables them to better understand risk and to address it up front – as well as to identify opportunities to add value.
As organizations have become more risk focused, the emphasis in IAM is shifting to the user experience. Businesses are demanding value from their IAM solutions instead of simply checking the box on compliance mandates. Smart businesses know that the flip side of risk is opportunity. So the goal isn’t just to reduce risk; it’s to understand and manage it to gain an advantage – identifying an opportunity to lower costs or to improve the customer experience, for example.
That’s what threat and risk analytics are designed to do. They offer insights into patterns of usage to protect corporate resources and information, and then leverage that information to deliver actionable business intelligence.
Even within the SOC space, we are seeing the rise of “Intelligent SOCs” that give security analysts the tools to do more than just event monitoring. Chief information security officers (CISOs) are looking for IAM companies to help them with operational intelligence, to be able to not just identify potential threats but to be prescriptive and recommend corrective actions, and to provide insights that can be exploited to enhance the business.
2. Flexibility and agility
Companies are no longer interested in a one-size-fits-all IDaaS model, especially where they are expecting IDaaS solutions to do more than simple tasks such as employee login and provisioning.
Where IAM is being used to fuel the Digital Business, improve customer engagement or manage threats, companies are looking for IDaaS vendors to provide them with the flexibility and agility they need to meet their business goals. For the next generation IDaaS company, this means providing a single tenant or multi-tenant solution, hosted or on-premise, with fixed monthly pricing or transaction-based pricing.
Service flexibility goes a long way to reduce risk and to allow businesses to quickly seize fleeting opportunities. In an IDaaS or SaaS model, the vendor is responsible for governance, operations, security, compliance, etc. So IDaaS vendors must be flexible enough to provide custom-tailored security controls and SLAs that are negotiated into contracts, including service levels, privacy and compliance controls.
3. Single Sourcing
Any company with well-defined enterprise security risk management must view each SaaS provider as a supply chain security issue. This is especially true in the case of IDaaS.
Each provider has to be carefully examined – what are their incident management and disaster recovery processes, how do they back up my data, are they ISO 27001 compliant, do they perform background checks, who has access to my data, what are their access controls, etc.? It’s not surprising that companies demand in-person site inspections of their IDaaS suppliers.
Introducing multiple IDaaS companies in the supplier chain exponentially increases business risk, and often reduces the economic benefit that could have been gained due to efficiencies derived from an IDaaS resource in the first place. If a customer is expected to use one IDaaS company for single sign-on, another for privileged access management and another for access governance (and the list of diverse options goes on), then they are left at the center of a storm.
You shouldn’t have to trade off between convenience and security!
IAM is a complicated discipline that requires rare and deep expertise that lies outside the typical company’s core competency.
With the rapidly expanding array of network services from legacy systems to new SaaS offerings, combined with the mushrooming demand for access to these services from increasingly diverse stakeholders, you can either scale up your IT organization and infrastructure and get into the IAM business, or turn to the experts.
Yet first-gen IDaaS companies seem oblivious to this reality. A well-known IDaaS company, for example, frequently hosts technical workshops on “How to Integrate Office 365 for Single Sign-On” – you may have seen their emails. But has anybody stopped to ask, in an as-a-Service arrangement, why is the business customer expected to learn how to do this? How are they expected to deal with complex scenarios or custom integrations? Is “IDaaS” in this situation just hosted software that the customer has to figure out how to operate? Is the customer expected to recruit and retain permanently trained experts on staff?
Managed Identity Services companies, on the other hand, will handle all this complexity for you – and get you out of the IAM business so you can focus on your own.
Something that is not spoken about enough when it comes to IAM is interoperability and portability. This is becoming increasingly important as companies have had, for one reason or another, to change part of their underlying technology stack or switch IDaaS vendors entirely.
The issue with most IDaaS companies today is they are not built to integrate with each other (their competitors). When a business places all their security, compliance and reporting into the custody of a provider that has proprietary standards (or a lack of APIs), they are introducing risk, which will result in higher fees down the road.
In my next post, I’ll discuss how Simeio, as a Managed Identity Services provider, is responding to these new demands.
Vice President of Product Management