In previous installments of this series, we discussed the emergence of Identity as a Service (IDaaS) and the benefits it offers. We also cleared up some of the most common misconceptions surrounding IDaaS. Now that you have a better understanding of the technology and its potential, let’s examine the most common IDaaS models, so that you can choose the right one for your organization.
Web-centric single sign-on with password reset capabilities
Though considered by most (including Gartner, Inc.) to be one of the two basic flavors of IDaaS, Web-centric single sign-on (SSO) is more accurately described as “Access Management as a Service.” Primarily multi-tenant solutions hosted and managed by the vendor, these purpose-built SSO portals provide cloud federation, Web authentication, and self-service password management.
While quick to deploy, Web-centric SSO solutions labor under some strict limitations. Generally, these services offer provisioning to a predefined, limited catalog of Web-based and Software-as-a-Service applications, which all must support SAML. You cannot integrate legacy applications or those developed in-house. Web-centric SSO solutions also lack automated user lifecycle management or governance and access certification features. Meanwhile, customization options are either minimal or prohibitively expensive due to the need for additional consulting or professional services.
Ultimately, unless your organization is all-in on the cloud and only looking for federation or is a startup or otherwise lacking in IT staff to support technical infrastructure, Web-centric SSO is likely too limited to integrate with your current application stack or to grow with the needs of your organization over time.
Full identity and access management in a dedicated cloud
On the other side of the spectrum is a more or less full-featured identity and access management (IAM) software stack hosted in a dedicated cloud and accessed through a secure channel, with no shared infrastructure. You should ask vendors whether their dedicated cloud offerings provide the same features as their on-premises deployments; some vendors, like RapidIdentity, do provide 100 percent feature parity.
This feature parity means that your organization can enjoy the benefits of the cloud services model’s high availability and elasticity without sacrificing advanced IAM features like automated user lifecycle management, roles and group management, custom workflows, access and lifecycle management for external users, and robust governance and access certification. These full-featured, dedicated cloud IDaaS solutions also offer granular control over software upgrades and patches and over password and access policies, as well as integration capabilities that span both Web-based and on-premises applications, including legacy applications.
The customization and configuration options that distinguish dedicated IDaaS from Web-centric SSO IDaaS require a professional services engagement, making dedicated IDaaS much less of a “turnkey” solution than Web-centric SSO IDaaS, but the robustness of the features makes dedicated IDaaS a much more comprehensive and future-proofed option for the vast majority of organizations.
Cloud IAM platform for a large, decentralized organization
In between Web-centric SSO and dedicated IDaaS are two other flavors of IDaaS of which you should be aware. With the first, the vendor hosts and manages an IAM solution that is designed and operated by the customer organization’s IT department and that is accessible only to that organization. The vendor makes this solution available for use by the customer’s numerous member organizations, entities, offices, districts, or constituents.
The economies of scale and deep controllability of the solution may appeal to you if you work in a centralized IT team supporting a large number of independent offices, subsidiaries, franchises, or other disparate entities. This model also works particularly well for local and state government and bureaucracies. The trade-off is that this type of cloud IAM platform requires every department to comply with policies defined by the central IT department; individual departments cannot buy and implement their own solutions or develop and enforce their own policies, an arrangement that would be significantly more expensive and difficult to manage.
Multi-tenant, full-featured public cloud IAM
This last one is the unicorn because it simply doesn’t exist at this time, but familiarizing yourself with the idea of it will help you more quickly identify its inevitable emergence in the future.
Presently, full-featured IAM cannot be delivered in a multi-tenant manner with complete feature parity to on-premises or dedicated cloud deployments. Today’s advanced IAM systems are too complex and company-specific to be offered as turnkey solutions; deployment requires you to engage professional services. However, making these solutions turnkey is the goal.
Vendors are working to standardize connections and integrations and to make interfaces more flexible and powerful, yet easier for non-technical users to handle. Keep your eyes open for new product announcements because IAM vendors are moving closer to this goal.
Choosing the right IDaaS model right out of the gate is critical if you want to save your organization significant time and money, but with IDaaS now involving much more than SSO, the choice isn’t always obvious. You must make sure you understand your needs not only for today but for the future. For most companies, dedicated cloud IDaaS will provide the right balance of functionality in the cloud, at least until vendors reach 100 percent feature parity in multi-tenant hosting. Learn if it’s the right choice for you by requesting a demo today.