What Is Identity Management (IDM)
The explosive growth of the cloud and, in particular, Software-as-a-Service (SaaS) applications, like those becoming popular in the collaboration or project management space, has changed the way companies do business. Deploying software as a managed service delivered via the cloud means lower maintenance costs, increased uptime, faster feature rollout, and the reduced need for on-site hardware. Those are just some of the reasons why cloud-based SaaS solutions are making deep and fast inroads to tasks that were formerly dominated solely by in-house IT staff.
But to fully realize the savings offered by SaaS apps, businesses need a way to easily create and manage users (aka, identities) across their entire portfolio of cloud apps—portfolios that usually span multiple platforms and can change often. IT administrators need to give users Single Sign-On (SSO) capability across the organization’s entire portfolio of apps, but that’s only part of the problem. Controlling the depth of access in SaaS apps is just as important as it is for on-premises apps and even local network resources. So not just who gets access to the app, but exactly what they can access once they’re using that app. This can be critical in many business apps, as is defining the user’s role, cross-app authentication, and more advanced security measures such as multi-factor authentication (MFA), which refers to building authentication mechanisms that require more than just a single step, like entering a user name and password, but also require additional steps, such as a physical token of some kind (a smart card or USB stick, for example) or a biometric measure (a fingerprint scan, for instance).
Equally as important is the management of existing Identity Providers (IDPs) such as Microsoft Active Directory (AD) or human resources (HR) software. In many cases, identity information may be sourced from multiple repositories, requiring a system to not only manage identities in different systems but also be able to synchronize information between these systems, and provide a single source of truth when required. That’s especially important now that the Internet of Things (IoT) is really starting to grow. An ever-broader array of IoT devices means not only more traffic, but also more requests for authorized access in both directions. That’s likely the reason that identity and security has become one of the key growth factors in IoT over the last few years, as shown in this chart from market research firm, Statista.
Size of IoT Application Market, 2020 (Billions Euros)
To make all of this happen, admins need the ability to manage users in a fast-changing environment without having to manually perform actions that for decades have been distilled down to simple changes to a user’s group membership properties in Microsoft AD. Having to manually adjust permissions, access, and control properties across dozens, hundreds, or even thousands of users every time a new SaaS service is made available can be prohibitively cumbersome, even if IT takes advantage of automation technologies such as scripting. Identity-Management-as-a-Service (IDaaS) solutions are rapidly becoming a critical aspect of the corporate infrastructure, for a myriad of reasons we’ll detail through the course of this article. Ironically, perhaps the ideal answer to this problem, at least in part, is to dip into the SaaS well again and use an IDaaS provider.
Connecting Identities in the Cloud
Most IDaaS providers use a common method to handle authentication by using identities contained in your organization’s existing network directory. The most prevalent option is to have a piece of software installed on your local network, known as an agent, which allows the IDaaS provider to communicate with your directory. That way, admins can keep using the same directory tools they always have, yet seamlessly access apps and resources outside the company network.
This communication is typically a combination of synchronization (where directory users and groups are pulled up to the service) and on-demand communication (known as federation) in order to perform authentication requests back against the directory. Most IDaaS solutions offer the ability to customize the synchronization process, particularly which user attributes are allowed to be synchronized. A couple of reasons why you would customize attribute synchronization are either security- or privacy-related (e.g., in case you have attributes that may contain confidential data) or due to functionality (e.g., if you need to make custom attributes available to the IDaaS provider in order to use them within the service).
Another common method of connecting your on-premises directory with an IDaaS solution is to expose a standard directory protocol or authentication provider to the IDaaS. Some examples of this are the Lightweight Directory Access Protocol (LDAP), an open standard, or Active Directory Federation Services (ADFS), a popular but proprietary technology available from Microsoft and popular due to its easy integration with Microsoft’s very popular Active Directory. LDAP is a standards-based method of communicating with a directory (either AD or one of several alternatives) while ADFS is a role in Windows Server tailored more towards allowing web apps to glean specific information from AD. Not all IDaaS providers support these options and, in most cases, these options require a high level of configuration, including firewall rules.
But these options may be a better solution for some business cases. For example, organizations with increased security requirements or privacy regulations may need to limit the software installed on domain controllers or have increased control over what data is available to an external IDaaS solution that is essentially running on someone else’s servers.
Connecting With Customers and Partners
A business isn’t worth much without relationships to partners, and more importantly, customers. In this age of technology and instant gratification, the ability to collaborate with partners or provide customers access to their information, while simultaneously respecting their privacy and security, is a critical aspect of doing business. Many of the IDaaS solutions we’ve reviewed offer the ability to provide business partners SSO access to apps through a portal functionally identical to the one available to normal corporate users. This allows your business to foster business relationships without having to automatically provide partners direct access to your corporate network or even standing up a new app specifically for partner access.
Customer management is another area in which IDaaS solutions can offer value. Most customers already have one or more identities established on social media or other popular websites. Many of the solutions we’ve reviewed offer a consumer IDaaS aspect, which is typically licensed separately from the core IDaaS product due to the potential for a high volume of authentications. Typically, a consumer IDaaS will allow a user to register by using an account they already own, such as a Facebook or Google account, which will then provide them access to the resources you authorize. Depending on your corporate use case, this authentication process could allow users access to a custom web app designed to provide information specific to them, or users could be redirected to the customer area of a customer relationship management (CRM) solution. In most cases, the IDaaS platform gives you options over how the authentication request is processed, which allows you to use a standard protocol or provide an application programming interface (API) for developers to access through custom code.
Augmenting Existing Infrastructure
In many cases, an IDaaS solution can provide significant benefits to your existing infrastructure over and above the inherent benefits offered by using cloud apps. One major benefit is an obvious one: managing identities. The larger a business, the more identities there are to manage, and often, these identities begin to reside in multiple places. Frequently, there are software apps that manage employees, their pay, and their organizational structure. Likewise, one or more corporate directories often contain similar information. Companies with multiple business interests or branches can often require separate identity stores; likewise, businesses (such as hospitals or industrial complexes) can often also require segregation of network resources for compliance or safety reasons.
An IDaaS solution can ease the management of these identities in multiple source locations, including providing self-service capabilities, delegation, approval workflows, and automation. Each of these features can also provide a logging element for reporting and compliance audit purposes. In many cases, the IDaaS app can also provide synchronization or translation capabilities with automation, which lets you manage an identity once and have those changes flow to other systems where appropriate.
Another way IDaaS solutions can help with your existing infrastructure are with apps that are hosted within the local network. In many cases, these apps are core to the company business, and providing access to off-site users requires either exposing the app to the internet with a firewall rule or first requiring the user connect to a virtual private network (VPN) tunnel. While either of these scenarios have their place and are perfectly suitable for many situations, some IDaaS tools offer another option. By using a software-based agent installed inside the corporate network, an app can be accessed through an IDaaS SSO portal in the same way you would a SaaS app hosted in the cloud. Most of the heavy lifting in this scenario is handled by an encrypted tunnel between the IDaaS provider and the software agent installed on your network.
IDM Security Considerations
Clearly, there are a number of security concerns for IT shops looking into using SaaS apps and IDaaS solutions. In some situations, avoiding the use of SaaS apps is next to impossible, so finding the best method to manage and secure the accounts needed to use these apps is imperative. Other organizations may not be considering SaaS apps out of necessity, so security concerns must be weighed against convenience and efficiencies.
Overall, there are four core areas of security to consider when evaluating IDaaS providers. The connection method used to integrate an existing corporate directory is the first area to consider. Software-based synchronization agents support a secure connection between your directory and the IDaaS provider but many IT shops will (rightly) have hesitations about installing an agent on their domain controllers. Considering an IDaaS solution that supports an authentication standard such as LDAP or ADFS might be a better option as they offer increased control over authentication and security.
The second area of concern for corporations looking into any kind of cloud service is the data stored within the service which, in the case of an IDaaS solution, will be corporate users and groups. In general, IDaaS solutions don’t sync and store password hashes from your users; however, several IDaaS providers do offer this as an option in order to maintain the same passwords between multiple accounts (local directory, IDaaS, and even SaaS apps). These options should be carefully evaluated from security and legal points of view. Additionally, each of the IDaaS providers does have to store passwords related to SaaS apps in order to perform SSO functionality.
Third, consider the communication between your IDaaS provider and your entire portfolio of SaaS apps. Without exception, the IDaaS options tested here use a combination of Security Assertion Markup Language (SAML) and password vaulting. SAML is an extensible markup language (XML)-based authentication standard by which the identity provider and SaaS app can handle authentication, without requiring interaction from a user or the population of a web form. The ability for an IDaaS provider to authenticate your users to their SaaS apps is dependent upon the SaaS app to support the SAML standard for authentication. In cases in which SAML isn’t supported by a SaaS app, most IDaaS providers will revert back to password vaulting, which essentially handles the process of completing and submitting a login form on a webpage.
In terms of security, SAML can offer increased security in the form of a mutually authenticated connection through the use of SSL certificates tying the two services together. As with SAML itself, these additional security features are dependent upon support from both the SaaS and IDaaS provider. For my part, I tag SAML as the preferred authentication method for SSO from an IDaaS provider; in fact, I’d say you probably shouldn’t even consider a solution that doesn’t leverage that standard.
The last critical aspect to the IDaaS security picture is locking down the sign-on process for users. One feature that is common among all of the IDaaS players is support for MFA, which helps prevent security breaches due to a compromised password by requiring a second form (multiple factors) of authentication such as a randomly generated password or a hardware key.
Another common scenario is to require different levels of security based on the user’s network location (typically handled based on IP address), such as allowing a basic username or password login when connecting through the corporate network but requiring MFA when using another connection. In general, both MFA and IP address restrictions are handled by using security policies, which is another must-have feature for an IDaaS provider. In fact, you probably want to look for an option that lets you configure multiple policies as not all apps or users have the same security needs.
From a users perspective, the primary purpose of having an IDaaS solution is to make signing into web apps easier. A user portal that provides quick SSO access to SaaS apps is a feature in the majority of IDaaS options. Most solutions also offer plug-ins for the major web browsers as well as mobile apps that mirror the functionality of the SSO portal.
In most cases, the user portal is presented as a grid or list of icons indicating the apps available to a user. This list is populated based on the SaaS apps assigned to the user by the IDaaS admins, either manually or through automated means such as membership in an AD group. The ideal provisioning method in terms of efficiency is based on the System for Cross-domain Identity Management (SCIM), a set of standards-based interfaces that allow for user provisioning within SaaS apps, though many IDaaS providers will make use of app-specific application programming interfaces (APIs) to handle provisioning. If supported by both the IDaaS and SaaS provider, then users can be automatically provisioned in the SaaS app based on conditions you define in the IDaaS solution. Often, this condition is simply membership in an AD group or based on an attribute of your choosing.
Big Data, Compliance, and Reporting
Let’s face it: Many companies aren’t going to invest in a tool just because it makes life easier for corporate users. But, if there’s a security benefit or if the solution can help satisfy compliance requirements, then that’s a different story.
Consider a scenario in which an IT admin team has to not only manage users in several SaaS apps, but must also provide detailed reports containing usage information, user login history, security changes, and other potential audit factors. Trying to gather this sort of information from multiple different locations is going to be a significant task. The ideal solution to gather and provide these audit artifacts is to use IDM to track each factor across multiple apps automatically. Many of the offerings we’ve reviewed offer comprehensive reporting solutions that get into detail on authentication events, even down to the user’s geographic location and what sort of device he or she used. Often, these reports can be exported to Microsoft Excel or some other reporting or business intelligence (BI) tool where you can perform further analysis or get the numbers properly organized for an audit.
Some of the solutions we reviewed will even proactively monitor your identities exposure to current security breaches, such as credentials for sale on the internet or monitor for things such as simultaneous logins from opposite ends of the globe. These solutions can use this sort of advanced analytics and machine learning to impact the security score for your identities. This gives you the power to require increased authentication security such as MFA or use of a registered device.
Don’t Let The Cloud Ex-SaaS-perate You
SaaS apps simply offer too many benefits in terms of cost-savings and ease of use for any business to ignore the trend. But, without proper user and resource organizations, a SaaS portfolio can quickly sprawl and degenerate into a chaotic mess. Understanding IDaaS solutions and what they can offer is a big first step toward gaining the full benefits of moving key workloads to SaaS, rather than taking on the burden of managing separate identities for every user across a half dozen cloud apps scattered across the web. If SaaS is on your horizon (or already on your users’ desktops in quickly growing numbers as it is in most organizations), then do yourself a favor and learn the pros and cons of cloud-based identities.