Tuesday, December 8, 2009

Are Enterprises ready for Identity Management as a Service (IMaaS)?

While solutions are available and the economics are desirable, it is still early days.


Is the technology available?

So why is it desirable?
  • Pricing/Packaging - Pay-as-you-go or subscription pricing allows organizations to measure the direct ROI on a quarterly basis, and delivers lower upfront costs and assured service levels.
  • Deployment - Historically, IAM implementations have been labor-intensive and have created organizational headaches with change control and process engineering, which can be costly.
  • Integration - Disjointed products from multiple vendors or suites, or products coming into an Enterprise through various acquisitions, create incompatibilities and can be challenging to unwire/replace or merge.
  • Governance - Provides an immediate/direct combination of identity and access management (IAM) with governance, risk and compliance (GRC) capabilities.
  • Hosting - Solutions can be fully hosted and remotely managed, or on premise and externally managed.
  • Administration – Provides centralized/unified management of IAM and GRC capabilities for a streamlined user experience with integrated reporting.

So what is the problem?
  • Multi-tenancy – Existing solutions/architectures require enhanced features so that multiple customers can access the same console, with data partitioning and filtering to prevent unauthorized data access.
  • Converging Suites - As Identity Management becomes increasingly application centric, the drive is towards suites that weave IAM into the fabric of the application framework, the direction Oracle and SAP are moving in.
  • Security Concerns - Heightened compliance and security regulations make identity and access management a critical component of today's enterprise, too sensitive to manage externally.
  • 1-Cloud-to-many-Applications - Enterprise deployments require 20-100 applications to be individually integrated into the IAM suite. Connecting user provisioning, single sign-on, role management and compliance for each application to the single point of the cloud, across the web, creates throttling, latency, and SLA-priority challenges and diminishes the performance of the underlying applications and users.

The march towards dynamic, composite application architectures is definite, but the rate is uncertain and the challenges and risks for early adopters are high.

2 comments:

  1. Interesting. I'm not sure I buy the point about IAM suites becoming more application-centric. I actually believe IAM is becoming more recognized as a separate layer of the IT Architecture stack between Security and the Application layers. In the enterprise perspective, IAM should be and has been externalized AWAY from the applications themselves. Move the discussion to The Cloud and the natural progression is IAMaaS. It will be its own service and it will still serve as the critical bridge between network/platform security (or the security layer in IaaS) and applications (SaaS).

    So, hierarchically:

    SaaS
    IAMaaS
    IaaS

    I think you'll also find that IAMaaS solutions like Symplified and PingConnect are truly multi-tenant.

    As for IAMaaS being "too sensitive to manage externally" I have to disagree...with an important caveat. It is very important here to separate the data (enterprise user stores, such as LDAP, AD, databases, etc.) from the services managing and/or depending on that data (IAMaaS). It is entirely possible to design IAMaaS solutions which are multi-tenant and which provide secure remote connections (e.g., via secure Web Service interface; etc.) to the sensitive data stores, still locked behind the enterprise walls, and the IAMaaS, which negotiates Authentication; Authorization; etc. on behalf of the enterprise to access SaaS hosted in The Cloud.

    I absolutely believe IAMaaS is here and evolving and I agree completely that it provides a very critical building block for addressing major security concerns with Cloud Computing. Here in these Early Adopter days, while the focus is too much on virtualization and not enough on security and identity, the emergence of concepts like IAMaaS will be vital to the maturation of the entire industry.

  2. I agree with the comment that IAM is evolving further towards abstracting away from applications and that the architectural evolution is evolving towards a service model; Oracle's approach is much along those lines, as depicted by Marc Chanliau. http://blogs.oracle.com/infrastructuresecurity/

    But IAM is becoming more application centric as it is becoming more aware of the applications and their context and becoming less of its own silo or bottleneck for integrations for the applications.

    With the IMaaS question it probably makes sense to separate a SOA model of deployment/integration and IMaaS as an independent business model, very different questions.
