Monday, June 30

SaaS-ish Identity Management

Matt P wonders about the security and reliability of having identity managed as a service. The more I think about IdM as a service, the more I like it. A company might tell you that they are concerned about the security of having their critical IdM systems hosted by (or managed by) someone other than their own trusted "Active Directory guy". But, that same company probably wouldn't think twice about bringing in consultants to help out (who easily have access to plant code, create back doors, enable bad accounts, etc.).

I think most companies are already outsourcing IdM – they just do it on a project basis and therefore have the associated personnel continuity, troubleshooting, and learning curve issues. Not to mention customized hardware and software combinations that nobody has documented or even understands. Wouldn't it be better if the consultants that designed and implemented the IdM solution did it in a repeatable way that is easily understood, managed, and configurable or extensible to adapt to future requirements? And they just continue to manage it, taking the burden off you?

This model also helps with infrastructure reliability due to economies of scale and the value of having a known environment. Yes, the Internet could go down. But, the internal network could go down too. Or the server. Or the database. With a managed solution, someone else will have the economies of scale to ensure a higher uptime probability and a quicker response time (if they do it right).

I don't think security or reliability is a good argument against buying into IdM as a service. Data can be encrypted. Admin activity can be monitored. Redundancy can be built-in.

I agree with Matt that "only firms that specialize in the IdM space will be able to be successful hosts." I'd rather see an IdM service company try to move to the SaaS model rather than a SaaS provider try to create an IdM offering. But the complexity, repeatability, and value of IdM seem to make it ripe for a service-based delivery model. What do you think?

Thursday, June 26

The Bear Story

from this article:

...hikers walking in the back country of British Columbia round a corner and suddenly confront a 1,000-pound grizzly bear standing 8 feet tall in front of them. The hikers drop their packs and take off back down the trail running for their lives. One of the hikers says, “[pant, pant] This is crazy! [pant, pant] We can’t outrun a grizzly bear! [pant, pant] They can run 25 miles per hour and they can climb trees!” The other hiker responds, “[pant, pant] I don’t have to outrun the grizzly bear. [pant, pant] I just have to outrun [pant, pant] YOU.”

The point of the article is to get you thinking about security and why you should avoid being the low-hanging fruit for attackers.

It reinforced something I've been thinking about, which is baselining of security activity for companies. It would be cool to understand how your company matches up against others. I wonder if that could be useful input to compliance audits?

Monday, June 16

Value Adding Security to the ROI of Identity Management

Two months ago, I posted about the prospect of extending the ROI on provisioning. The post was inspired by conversations with many smart people and led to additional conversations (like this one) that helped formulate the ideas presented in an article that was published today at eBizQ titled Value Adding Security to the ROI of Identity Management.

The initial draft had a number of quotes, but the quotes didn't read well according to the editor, who was concerned that a quote by anyone less famous than Gartner could appear biased. I see his point, but apologies to those whom I had requested permission to quote and who might have been expecting to be a part of the article.

I hope the article clarifies what I meant by extending the ROI of provisioning. I led a round table discussion at a CSO conference recently on the topic and I'm not sure that the idea resonated immediately. The bottom line is that provisioning solutions can be augmented to become a true (secure) funnel for account management rather than just the preferred avenue.