Wednesday, August 11

Identity as a Platform

I was asked for my thoughts on an article titled "Hosters Need to Think about Identity as a Platform Play." When I clicked to read the article, I was happy to see it was written by Novell's Dale Olds, who always has interesting and informed things to say.

I agree with Olds' assessment. SaaS platform vendors (hosters) should really get on the ball with offering identity services as part of their hosting packages. They should do the same with data encryption as well (both to the endpoint and in storage). Security is complicated -- extremely important and extremely easy to get wrong. It only takes a small oversight somewhere along the line to break the chain. SaaS application vendors would be wise to leverage proven, trusted solutions for access management rather than trying to create their own.

I think Olds overstated how simple it would be for applications to switch platforms. It seems to me that it's pretty complicated even in the case of moving a simple PHP website to another host. And most SaaS applications will be much more complicated than that. And the other part of that thought was that providing identity services would tie the application provider in to that platform. I would recommend to hosting providers that they make it easier rather than harder to move. That'll be a key differentiator and ultimately drive more business/revenue to your brand. (I'm not saying that Dale was recommending to purposely make it complicated - it's just how it is.) BUT - there's still a business driver to build identity into the platform. Removing the complexities of security from the application development process could save 30% of time and resources in standing up a new application versus having to build it all from scratch.

And to Steve (from Acxiom)'s point (in the comments), yes! Ideally, Platform as a Service vendors will provide more than authentication. Baked-in security could incorporate firewalls, authentication, multi-factor authentication (& transaction-based), authorization, encryption (in-motion and at-rest), activity and access audit, SoD monitoring, and more.

We're obviously very early in this whole process. I think we're moving in the right direction, but it'll take time to get it all right.