Harnessing the power of identity management (IDaaS) in the cloud
Sometimes, consumers have it easy.
Take, for example, when they accidentally lock themselves out of their personal email. Their solution? Reset the password. With one click, they’re able to change their old, complicated password with a new, more memorable one.
Self-service password reset is awesome like this. For users on a business network, it’s not so simple. That is, unless they’re using identity-as-a-service (IDaaS).
What is IDaaS?
IDaaS—pronounced “ay-das”—stands for identity-as-a-service. Essentially, it is identity and access management (IAM)—pronounced “I-am”—deployed from the cloud.
Organizations use IAM technology to make sure their employees, customers, contractors, and partners are who they say they are. Once confirmed via certain methods of authentication, the IDaaS system provides access rights to resources and systems based on permissions granted. And because it’s deployed through the cloud, business entities can request access securely wherever they are and whatever device they’re using.
Giving its own users self-service access to portals is just one of the ways an IDaaS system can provide support for businesses. In fact, the need to better engage with customers while securing their data and conforming to established standards has become the main driving force behind the move to IDaaS.
IDaaS vs. traditional IAM
While traditional, on-premise identity management systems offer levels of self-serve access for employees at the office, their benefits are limited in comparison to cloud-based options. This is because IAMs are:
- Expensive to create and maintain. It costs more if the organization supports global users due to complexity of infrastructure. IAMs can also be unsustainable overall as the business grows. Both cost and infrastructure complexity increases, making IAMs more difficult to support.
- Inefficiently managed, security-wise. IAMs that must be placed on legacy systems, for example, put organizations at risk because patching these systems is a challenge, leaving the door open for vulnerabilities at access points.
- Time-consuming. Upgrading IAM hardware is time-consuming. Sometimes, the upgrade doesn’t happen if it means long downtimes and lost productivity. Also, IT teams are faced with significant time-consuming (and patience-testing) tasks, from password resetting to user provisioning.
- Not future-proofed. Although some traditional IAMs can provide limited cloud support, they’re essentially designed to handle on-premise resources. Since IAMs inherently lack support for modern-day tech (mobile devices, IoT) and business disruptors (Big Data, digital transformation), they don’t address what current users need and want.
Benefits of IDaaS
Businesses can benefit from IDaaS in so many ways. For the sake of brevity, keep in mind these three main drivers for adapting IDaaS: new capabilities, speed of implementation, and innovation. Not only would these make them more attractive to potential customers, but also helps to retain current ones.
New capabilities, such as single sign-on (SSO), gives business customers the ease and convenience of accessing multiple resources using only a single login instance. Logging in once creates a token, which the IDaaS system then shares with other applications on behalf of the customer, so they would not need to keep logging in.
SSO also removes the burden of remembering multiple login credentials from users, which usually drives them to create memorable but also easily breakable passwords. Needless to say, SSO—and other protocols like Security Assertion Markup Language (SAML), OAuth (pronounced “oh-auth”), and OpenID Connect (OIDC)—will greatly enhance an organization’s security.
Since IDaaS is cloud-based, implementing it in your organization is a lot quicker. For one thing, hardware provisioning is already with the IDaaS provider. What usually takes a couple of years to realize will only take several months—sometimes even a few weeks.
Organizations that are still unsure of whether they want to fully embrace IDaaS but are curious to try it out can temporarily use the solution as a subset of their applications. Should they change their minds, they can pull back just as easily as they pushed on.
And finally, IDaaS removes the barriers that inhibits organizations from moving forward on innovation. Understaffed IT teams, the mounting costs surrounding IT infrastructure that only gets more complicated over time, and insufficient support for modern technologies are just a few of problems that hold modern businesses back from innovating in their own workforce processes, product offerings, and marketing and sales techniques.
Business leaders need to get themselves “unstuck” from these problems by outsourcing their needs to a trusted provider. Not only will doing so be lighter on their pockets, but they can also customize IDaaS’s inherent capabilities to fit their business needs and improve their customer engagement. It’s a win-win for all.
Note, however, that a pure IDaaS implementation may not be for every organization. Some organizations are simply not ready for it. In fact, the majority of enterprises today use hybrid environments—a combination of on-premise and cloud-based applications. This is because some organizations believe that there are some resources best kept on-premise. And when it comes to IDaaS adoption, utilizing the best of both worlds is increasingly becoming the norm.
My organization is small. Is IDaaS still necessary?
Absolutely. Small- and medium-sized businesses experience many of the same IAM issues enterprise organizations face. Every employee maintains a set of credentials they use to access several business applications to do their jobs. An SSO feature in IDaaS will significantly cut back on the number of login instances they have to face when switching from one app to another.
It’s a good question to ask if your business needs IDaaS. But perhaps the better—or bigger—question is whether your business is compliant enough to established security and privacy standards. Thankfully, having IDaaS will help with that issue as well. The caveat is that organizations, regardless of size, must evaluate potential IDaaS providers based on their maturity and their capability to offer a great solution. No two IDaaS offerings are the same.
Mike Wessler and Sean Brown, authors of the e-book “Cloud Identity for Dummies”, propose some questions to consider when deciding:
- Are they a new company on a shoe-string budget catering to lower-end clients with cost as the primary driver?
- Are they relatively new in either the cloud or IAM field where they gained those capabilities via recent acquisitions and are simply rebranding someone else’s products and services?
- Do they have legitimate experience and expertise in cloud and IAM services where offering IDaaS is a logical progression?
What are the possible security problems?
Despite the good that IDaaS could bring to your organization, it is no cure-all. In fact, some security researchers have already noted concerns on some of its key capabilities. Using our previous example, which is the SSO, it is argued that this has become a “single point of failure” should the authentication server fails. Or it can also act as a “single breach point,” waiting to be compromised.
The cybersecurity sector has a dizzyingly long laundry list of use cases where organizations are breached due to compromised credentials. Australia’s Early Warning Network, which was compromised a year ago, was caused by the misuse of stolen credentials. And there are many ways credentials can be leaked or stolen. Organizations can thwart this by requiring the use of multi-factor authentication (MFA).
The bottom line is this: IDaaS or no, businesses still have to adopt and practice safe computing habits to minimize their attack surface.
If you’d like a more in-depth reading on IDaaS, please visit the following:
- Top 8 identity and access management challenges with your SaaS application
- Have you found the real cost of IDaaS?
Stay safe!
The post Harnessing the power of identity management (IDaaS) in the cloud appeared first on Malwarebytes Labs.