Monday, June 30

SaaS-ish Identity Management

Matt P wonders about the security and reliability of having identity managed as a service. The more I think about IdM as a service, the more I like it. A company might tell you that they are concerned about the security of having their critical IdM systems hosted by (or managed by) someone other than their own trusted "Active Directory guy". But, that same company probably wouldn't think twice about bringing in consultants to help out (who easily have access to plant code, create back doors, enable bad accounts, etc.).

I think most companies are already outsourcing IdM – they just do it on a project basis and therefore have the associated personnel continuity, troubleshooting, and learning curve issues. Not to mention customized hardware and software combinations that nobody has documented or even understands. Wouldn't it be better if the consultants that designed and implemented the IdM solution did it in a repeatable way that is easily understood, managed, and configurable or extensible to adapt to future requirements? And they just continue to manage it taking the burden off of you?

This model also helps with infrastructure reliability due to economies of scale and the value of having a known environment. Yes, the Internet could go down. But the internal network could go down too. Or the server. Or the database. With a managed solution, someone else will have the economies of scale to ensure a higher uptime probability and a quicker response time (if they do it right).

I don't think security or reliability is a good argument against buying into IdM as a service. Data can be encrypted. Admin activity can be monitored. Redundancy can be built-in.

I agree with Matt that "only firms that specialize in the IdM space will be able to be successful hosts." I'd rather see an IdM service company try to move to the SaaS model rather than a SaaS provider try to create an IdM offering. But the complexity, repeatability, and value of IdM seem to make it ripe for a service-based delivery model. What do you think?

2 comments:

Landon Hoover said...

Security in the SaaS space has already been an issue of contention... the initial aversion to Identity Management as a service would be tremendous; however, I agree with you that IdM as a service has a great potential to alleviate many pain points for companies currently outsourcing on a per-job basis. My questions are, how will the necessary security be developed? And, how will that technology be communicated to comfort corporations?

I know that there are currently many resources for SaaS providers on the topics of monetization, metering, billing, etc. (for example, eVapt is a company that helps SaaS providers with solutions in these areas), but what are the resources or entities supporting SaaS on a security side? Are there companies like eVapt that specialize in security?

Matt Flynn said...

Landon, I think the security will need to be baked into the solution. If it's a true in-the-cloud type SaaS for IdM, it'll probably need to have its own infrastructure design rather than simply leveraging shared hosting or something like that. I expect many of the initial solutions to be delivered via an on-premise appliance (again with security baked-in) and just managed remotely.