Cloud technology vastly expands the reach and capabilities of individuals and organizations: it boosts computing and storage capacity by drawing on many remote servers, lets infrastructure, software, and services be combined, and opens access to potentially global pools of talent, money, and resources.
This has given rise to an entire economy of cloud-based and hosted infrastructure, assets, and tools often referred to as XaaS or “[Anything you want = X] as a Service.”
One of the common elements of all commodities in the “as a Service” sector is the ability to pass the bulk of the work for managing and administering resources and services to a remote host or service provider, allowing individuals and enterprises to exercise fine-grained control via a web-based portal, mobile app, or control console.
Since access control, identity management, and authentication often place heavy demands on in-house IT, network administration, and security teams, it is no surprise that there is an XaaS option for these functions too. It is known as IDaaS, or Identity as a Service.
IDaaS in a Nutshell
Identity as a Service or IDaaS is typically packaged as a subscription-based and remotely managed service, with an infrastructure that’s hosted and maintained by a third-party service provider in the cloud.
The service itself offers authentication, user validation, oversight, and management of user privileges and access controls for corporate systems. The cloud provider may also offer to host software applications on a subscription basis, and to allow subscribers access to specific applications or virtual desktops, based on their job titles and access rights within a company’s network hierarchy.
All of the services provided within an IDaaS subscription may be accessed and managed through a secure portal, which may be distributed to the enterprise in the form of a web application, client program, or mobile app.
Types of IDaaS
Gregg Kreizman, the research vice president of Gartner, Inc., categorizes IDaaS offerings in two ways:
- Web access software for cloud-based applications like Software as a Service (SaaS) and applications specifically written for the web.
- Cloud-delivered management services for (generally in-house) legacy identity management systems.
The more web-centric Identity as a Service packages tend to see higher adoption and acceptance among corporations that have already begun relocating enterprise data and resources to the cloud.
Shifting legacy identity management to a cloud-based mode of delivery can introduce complications, as these older systems may not be compatible with some of the more advanced features offered by more recent platforms and software. The range of SaaS applications to which they are or may be connected can also be limited.
Adaptive Multi-factor Authentication
Multi-factor authentication (MFA) requires users to present two or more factors from different categories (something they know, such as a password or PIN; something they have, such as a smart card, hardware key, or one-time-code token; or something they are, such as a fingerprint or other biometric) before they can gain access to a system or network. Two factors from the same category, for example a password plus a PIN, do not count as multi-factor. MFA is generally accepted as being more secure than systems that rely on a single factor, since a leaked or guessed password alone no longer grants access.
Adaptive multi-factor authentication goes a step further: the factors demanded are chosen dynamically, per login, according to the risk signals the provider observes (an unfamiliar device, a source address outside the corporate network, a login from an unexpected country or at an unusual hour, a run of recent failed attempts). A low-risk login may proceed on a single factor, a riskier one is "stepped up" to a second factor category, and one above a policy threshold is refused outright. IDaaS solutions perform this evaluation on the fly at the provider, so every application behind the service benefits without implementing it itself.
Single Sign-on (SSO)
Single sign-on (SSO) is an authentication mechanism that many organizations put in place for convenience and efficiency. Users authenticate once, to the identity provider, and the resulting session is then used to grant them access to whichever enterprise resources, applications, and network privileges they have been authorized to use, without a separate login to each. With IDaaS this is typically done by federation, the hosted identity provider issuing assertions or tokens that each application trusts.
In general, Identity as a Service improves access times, with faster login and validation procedures and fewer password resets. The trade-off is that SSO concentrates risk: a single compromised SSO credential or session unlocks every connected application, which is why it is normally paired with multi-factor authentication and session controls rather than deployed on its own.
To improve the security of single sign-on regimes, IDaaS providers also offer an access security layer. This is policy-based access management: the policy specifies which users or roles may reach which enterprise applications, network resources, and Application Programming Interfaces (APIs), and what level of assurance (and what maximum risk score) is acceptable for each.
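The adaptive MFA and access policy behaviour described in the two sections above can be made concrete with a small decision engine. This is an added example written for this page, not code from any IDaaS provider; the policy table, the corporate address ranges, the risk-signal weights, and the `LoginContext` fields are all constructed assumptions. It scores a login attempt from several risk signals, checks the requested resource against a per-resource policy, and returns one of three outcomes: allow on the factors presented, step up to a second factor category, or deny.

```python
"""Risk-adaptive access decision: allow, step up to a second factor, or deny.

Illustrative example; not from any IDaaS vendor. Policy, networks and
signal weights are constructed for demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple

# Factor categories: a second factor only counts if it comes from a different
# category than the first (knowledge / possession / inherence).
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "totp": "possession",
    "hardware_key": "possession",
    "smart_card": "possession",
    "fingerprint": "inherence",
}

# Constructed access policy (the access security layer): which roles may reach a
# resource, the risk score above which a second factor category is demanded, and
# the score above which access is refused regardless of factors.
POLICY = {
    "webmail":      {"roles": {"staff", "hr", "admin"}, "step_up_above": 30, "deny_above": 80},
    "hr-api":       {"roles": {"hr", "admin"},          "step_up_above": 0,  "deny_above": 60},
    "prod-console": {"roles": {"admin"},                "step_up_above": 0,  "deny_above": 40},
}

# Constructed corporate address ranges (RFC 1918 space plus an RFC 5737 documentation range).
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class LoginContext:
    """Signals the identity provider has about one login attempt (constructed fields)."""
    user: str
    roles: FrozenSet[str]
    resource: str
    source_ip: str
    device_registered: bool
    country: str                 # geolocated from source_ip by the provider
    home_country: str            # from the user's profile
    hour_utc: int
    failed_attempts_last_hour: int
    factors_presented: FrozenSet[str]


def risk_score(ctx: LoginContext) -> Tuple[int, List[str]]:
    """Sum weighted risk signals into a 0-100 score, with human-readable reasons."""
    score, reasons = 0, []
    ip = ip_address(ctx.source_ip)
    if not any(ip in net for net in CORPORATE_NETS):
        score += 20
        reasons.append("off-network source address")
    if not ctx.device_registered:
        score += 25
        reasons.append("unregistered device")
    if ctx.country != ctx.home_country:
        score += 30
        reasons.append(f"login from {ctx.country}, profile says {ctx.home_country}")
    if not 6 <= ctx.hour_utc <= 22:
        score += 10
        reasons.append("outside normal hours")
    if ctx.failed_attempts_last_hour >= 3:
        score += 25
        reasons.append(f"{ctx.failed_attempts_last_hour} recent failed attempts")
    return min(score, 100), reasons


def is_multi_factor(factors: FrozenSet[str]) -> bool:
    """True only if the presented factors span at least two distinct categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2


def decide(ctx: LoginContext) -> Tuple[str, int, List[str]]:
    """Return ('allow' | 'step_up' | 'deny', score, reasons). Unknown resources fail closed."""
    policy = POLICY.get(ctx.resource)
    if policy is None:
        return "deny", 100, ["resource not covered by policy"]
    if not (ctx.roles & policy["roles"]):
        return "deny", 100, ["role not entitled to resource"]
    score, reasons = risk_score(ctx)
    if score > policy["deny_above"]:
        return "deny", score, reasons
    if score > policy["step_up_above"] and not is_multi_factor(ctx.factors_presented):
        return "step_up", score, reasons + ["second factor category required"]
    return "allow", score, reasons


if __name__ == "__main__":
    attempt = LoginContext("bob", frozenset({"hr"}), "hr-api", "203.0.113.5",
                           True, "GB", "GB", 10, 0, frozenset({"password"}))
    print(decide(attempt))   # off-network login to a sensitive API: step_up
```

Two design points matter in practice. The engine fails closed: a resource missing from the policy, or a role with no entitlement, is denied before any risk scoring happens, so a gap in the policy cannot become an open door. And `is_multi_factor` counts factor categories, not factors, so a password plus a PIN is still treated as single-factor and will be stepped up.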
IDaaS and Issues of Trust
As with other areas of enterprise cloud adoption, there are some doubts and issues raised with IDaaS, over having to trust corporate data as sensitive as user credentials and account activities to a third party.
Specific concerns are typically raised over the IDaaS provider’s storage and handling of their subscribers’ information – including any obligation they may have to submit the data they hold for scrutiny by government agencies, law enforcement, or regulatory authorities. This emphasizes the need for contract conditions and Service Level Agreements to be thoroughly vetted and spelled out before subscriptions are finalized.
Questions may also be raised over the conduct of the staff and supply chain partners of an Identity as a Service provider – and what measures the provider has in place to ensure the confidentiality and safety of enterprise data at all points along the line.
IDaaS and Regulatory Compliance Issues
Disclosure of information by Identity as a Service providers also has the potential to damage an organization’s regulatory compliance status – especially under regimes that have strict conditions attached to auditing, data-handling, and the safeguarding of customer information.
IDaaS – Taking a Hybrid Approach
IDaaS is still an emerging market, and as has been the case with previous cloud phenomena, it’s seeing enterprise adoption in a piecemeal or hybrid fashion.
Organizations are typically weighing up the potential risks to their security before fully committing to IDaaS, then taking a phased approach whereby only certain (lower risk) identities are migrated to the cloud for management and authentication.