In my last blog, I observed that the market for identity-as-a-service (IDaaS) is showing signs of immaturity. For a variety of reasons, vendors, analysts, and even enterprises are focusing on one corner of IDaaS – access management – at the expense of the bigger picture, which is solving some real business needs with cloud-based IAM.
Without a doubt, many companies need a solution that allows users to quickly and conveniently log in to SaaS applications – hence the focus on single sign-on (SSO) solutions. However, as history has taught us, just solving tactical IAM problems will not ensure that security, compliance and business enablement goals are met. I’ve been speaking with companies who addressed end user frustrations with SSO only to realize they have to re-evaluate SSO capabilities as part of their IAM strategy, sometimes resulting in wasted time and resources.
These organizations aren’t alone. In fact, for most organizations who need a strategic IAM program, SSO will prove itself to not be the most effective starting point for IDaaS. It’s easy to understand why organizations think they can address SSO quickly and move on to more strategic efforts – but this path is a reactionary, tactical solution to a pain point versus a long-term, strategic solution.
Instead, organizations must consider the big picture and take a more strategic approach to IAM. I suggest that every organization ask these three questions as a key part of planning an IDaaS strategy (which, not surprisingly, are the same questions to ask if you’re planning an IAM strategy deployed on-premises):
- Where do we start to build an effective IAM program, balancing the need to enable users and to meet our security and compliance needs?
- Which solutions are capable of managing our entire IT environment, spanning cloud systems and SaaS applications, on-premises systems and applications, and
- What approach will ensure a straightforward deployment and be easier for our business and technical staff to use?
In my opinion, this is why companies need to start their IDaaS journey with identity governance. Identity governance is the foundation on which to build out all components of IAM, providing control over “who has access to what?” and ensuring the appropriate and efficient granting and revoking of that access based on business needs. Beginning an IDaaS project with a platform that provides well-governed identities will underpin and strengthen all IAM solution components as you deploy them – access management, password management, provisioning and compliance – aligning all to optimize security and convenience.
Another big lesson learned is that you don’t want to create “silos” of identity management – where you use one solution to govern one set of applications and another solution to manage a different set. (We learned that back in the migration from the mainframe to the client-server era!) Centralizing management of users and applications across ALL IT environments (legacy, on-prem, private and public cloud, and SaaS) is absolutely necessary to give you a complete view of your identity environment. You just can’t get the visibility required to secure the organization if your IDaaS solution only covers SaaS applications and Active Directory. That’s not the enterprise reality we are dealing with today.
I don’t think any of us want to repeat the struggles of our early IAM history with IDaaS. Those days were fraught with disparate point solutions, overly complex and expensive solution deployments, and perhaps worst of all, poor visibility that led to security and compliance vulnerabilities. Let’s move forward with the collective knowledge we’ve acquired – we don’t have to repeat the past.