Although cloud-based “identity as a service” offers reduced costs, higher scalability and other advantages, it also carries some risks. […]
It is often said that identity is the new frontier in the world of cloud-native ecosystems and zero trust. Identity is undeniably at the heart of all activity in modern systems and is the key to enabling zero trust architectures and proper access control. Nevertheless, operating identity and access management (IAM) at scale can be a daunting task, which is why more and more companies are turning to identity as a service (IDaaS) solutions.
IDaaS has its advantages and disadvantages, but first let’s clarify what IDaaS actually is.
What is IDaaS?
IDaaS is a cloud-based consumption model for IAM. Like everything else in today’s technology ecosystem, IAM can also be offered as a service. Although there are some exceptions, IDaaS is usually delivered from the cloud and can be offered as a multi-tenant service or as a dedicated deployment, depending on the organization’s requirements and the capabilities of the respective provider.
Gartner predicts that by the end of 2022, 40% of medium and large enterprises will use an IDaaS offering in place of traditional, self-hosted IAM. Several factors are contributing to this growth, such as continued cloud adoption, the mobile workforce, and the realization by companies that they can consume IAM instead of hosting and managing it themselves, which frees up time to focus on their core competencies, namely delivering value to customers.
Advantages of IDaaS
The advantages of IDaaS include the ability to consume IAM rather than host it, and to transfer part of the administrative burden associated with IAM to an external provider. Another advantage is feature-rich offerings that in many cases make IAM implementations more robust and secure. Most IDaaS providers offer native, integrated features such as single sign-on (SSO) and multi-factor authentication (MFA).
IDaaS providers also boast of being cloud-native and inherently easier to integrate into cloud ecosystems. In practice this means that standard protocols such as OIDC and SAML are used to integrate with the company’s broad portfolio of SaaS applications, giving a unified identity solution and enterprise-wide IAM governance. Even organizations as large and complex as the federal government have issued entire playbooks and guides to help federal government contractors adapt their IAM services to a cloud operating model, with IDaaS at the heart of the playbook.
The above table from the Federal Playbook mentioned earlier neatly summarizes some of the most important differences between traditional IAM solutions and IDaaS. As with the cloud in general, IDaaS offers many of the same core advantages. Companies no longer have to be limited by the scalability of their own IAM infrastructure, because it is consumed as a service and is therefore elastic.
Companies can be billed according to consumption and no longer need to own and host the IAM infrastructure themselves, as it is hosted by the service provider. They also no longer have to build and manage the fault tolerance of that infrastructure, since IDaaS providers operate a globally available, fault-tolerant platform that lets companies meet their disaster recovery and business continuity (DR/BC) goals, likely at far lower cost.
Disadvantages and considerations about IDaaS
However, IDaaS is not all upside, and companies must take some important aspects into account when evaluating it. If identity really is the new security frontier, then adopting IDaaS hands a certain amount of control over that frontier to the IDaaS provider. This resembles the shared responsibility model in cloud computing, but it extends further up the stack: not only to infrastructure, but to critical elements such as identities, permissions and access control.
Some of the advantages in the table above can become disadvantages or points of contention, depending on your organizational requirements and your sensitivity to security. Because you are consuming the provider’s application and systems rather than your own, you are limited to the capabilities the provider’s offering includes, and you probably have little ability to change how it works. This is because the IDaaS provider serves the same interface and application to many customers and can only make a limited number of customizations without losing the economies of a standardized offering. As for metered services, poor or naive decisions by administrators can produce surprise costs that exceed the originally planned budget.
Aside from these concerns, some of the biggest security concerns stem from the resource pooling and broad network access inherent in IDaaS. Depending on the nature of your business, shared tenancy with other customers may be questionable, since a security incident in another tenant’s logical environment could potentially allow lateral access into your environment and from there into your entire IT ecosystem.
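The OIDC integration mentioned above and the shared-tenancy concern in this paragraph meet at one point: the relying party’s own validation of the ID tokens the IDaaS provider issues. The following is an added example, not code from the original article or from any IDaaS vendor. It assumes, for illustration, a provider that signs tokens for all tenants with one key and uses a tenant-scoped issuer URL, and it uses an HS256 shared secret so that it runs offline (real providers normally use RS256 with published JWKS keys, but the claim checks are the same). The issuer, client ID, nonce and secret are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the example; a real client secret comes from the provider.
CLIENT_SECRET = b"constructed-example-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Build an HS256 JWT the way a provider would (constructed for the example)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_id_token(token, expected_issuer, expected_audience, expected_nonce,
                      secret=CLIENT_SECRET, now=None):
    """Relying-party checks from OpenID Connect Core 1.0, section 3.1.3.7.

    Returns (claims, None) on success or (None, reason) on rejection.
    A valid signature alone is not enough: with a multi-tenant provider the
    issuer and audience checks are what keep another tenant's token out.
    """
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        return None, "malformed token"
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm the client was configured with; never trust the header's alg.
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected_sig = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != expected_issuer:
        return None, "issuer mismatch"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if expected_audience not in aud:
        return None, "audience mismatch"
    if claims.get("exp") is None or now >= claims["exp"]:
        return None, "expired"
    if claims.get("nonce") != expected_nonce:
        return None, "nonce mismatch"
    return claims, None


def demo():
    """Run the validator over constructed tokens; returns {case: rejection reason or None}."""
    now = 1_700_000_000
    issuer = "https://idp.example/tenant-a"   # assumed tenant-scoped issuer URL
    client_id = "app-123"                     # assumed client ID registered with the provider
    nonce = "n-abc"
    base = {"iss": issuer, "sub": "user-1", "aud": client_id,
            "exp": now + 300, "iat": now, "nonce": nonce}
    cases = {
        "valid": mint_id_token(base),
        # Signed with the same provider key, but minted for a different tenant.
        "other_tenant": mint_id_token({**base, "iss": "https://idp.example/tenant-b"}),
        # Signed for a different application at the same provider.
        "other_client": mint_id_token({**base, "aud": "app-999"}),
        "expired": mint_id_token({**base, "exp": now - 1}),
    }
    # Payload edited after signing: the signature no longer covers it.
    h, p, s = cases["valid"].split(".")
    edited = json.loads(_b64url_decode(p))
    edited["sub"] = "admin"
    cases["tampered"] = f"{h}.{_b64url(json.dumps(edited).encode())}.{s}"
    return {name: validate_id_token(tok, issuer, client_id, nonce, now=now)[1]
            for name, tok in cases.items()}


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:13s} -> {'accepted' if reason is None else reason}")
```

The point of the `other_tenant` and `other_client` cases is that a relying party which only checks the signature would accept them, because the provider's key is shared; pinning `iss` to your own tenant's issuer and `aud` to your own client ID is the relying party's side of the shared-responsibility line the article describes.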
The global availability of IDaaS is a compelling advantage, especially considering how expensive it would be to guarantee that level of fault tolerance yourself. However, legal requirements must also be observed. Some organizations are geographically restricted in where they may keep their systems and data, whether because of GDPR or because of national security rules that apply, for example, to organizations supporting defense work. You may be able to work with the IDaaS provider to ensure that your data stays within a specific region, but it is certainly an issue you should consider and address if geographical restrictions apply to you.
These concerns are not unfounded. Just a few months ago, Okta, one of the largest IDaaS providers, suffered a security breach that affected two corporate customers. In that case the breach may have originated at one of Okta’s subprocessors, which warrants a whole discussion about cybersecurity supply chain risk management (C-SCRM). If an IDaaS provider is compromised by an attacker, the consequences could be devastating for your entire company, or possibly for an entire industry, since many IDaaS providers hold critical IAM data for hundreds or thousands of customers.
Evaluate IDaaS carefully
So it is clear why many companies use IDaaS offerings. With the ubiquity of the cloud, organizations often need dynamic and robust IAM options that support their various ecosystems. For many companies, IDaaS providers can deliver IAM capabilities at a fraction of what it would cost to host and administer them in-house, and they can do so at enormous scale because of the size of their customer base.
By using IDaaS, companies can often focus on their core competencies, which is usually not IAM, and instead focus on their customers and stakeholders. As with any technology and as-a-service offering, there are critical factors to consider, and companies should not adopt IDaaS without thinking them through clearly.
*Chris Hughes writes for our US sister publication CSO Online.