How do you create an identity management cloud? Identity management (IDM) has in the past hovered on the periphery of information security. No longer. As organizations become more aware of the risks of not keeping track of users, what they access, and what privileges they have, identity management is moving to the forefront. And identity management is not just limited to the largest enterprises, since cloud-based identity management systems are opening up the technology for the mid-market, as well.
For many of my consulting firm's large enterprise clients, as well as federal and state government customers, managing the user life cycle is a Sisyphean task. New personnel, whether they are employees, contractors, or business partners, need access credentials, not just for their computers, but also for various applications and systems used in the enterprise. They often have to wait forever to get the access they need to do their jobs, especially for line-of-business applications and systems. When they change roles within the organization, their access and privileges need to change (usually by simply adding the additional rights they need without reviewing or removingexisting privileges). And finally, when employees leave, they leave behind a trail of accounts, user privileges, and other breadcrumbs.
These user accounts are prime targets for attackers. If the organization is subject to mandates that require strict access controls, such as SOX, PCI DSS, GLBA, and FISMA, to name a few, that is a double-whammy, since they can face sanctions and fines.
Many large enterprises historically dealt with the problem by implementing extensive, on-premise identity management solutions which required deep integration with applications, heavy customization, and complex workflows. There are some challenges with this approach: These large enterprise tools require a lot of computing power, must "touch" the apps with which they interact, and of course, cost. I have seen firsthand enterprise identity management projects can easily exceed several million dollars. While large enterprises can usually absorb this kind of cost, there's no way a midmarket enterprise can afford to take on this type of technology, regardless of how much needs the system. So, what is the midmarket organization to do?
Enter the cloud. Over the past five years or so, we've seen a dramatic increase in the number of services—including security and risk functions—that have been ported to PaaS and SaaS cloud environments. The RSA Conference 2014 in San Francisco earlier this year showed that identity management is following the same trend. A plethora of vendors cloud services targeting all aspects of the user lifecycle, most of which require zero footprint inside the enterprise. From authorization, workflow, and provisioning, to entitlement management and periodic recertification of users and their access, the cloud is rapidly transforming identity management. This delivery model makes deployment much more cost effective, allowing smaller enterprises in the midmarket and even the SMB space to gain control over their users and access rights. Cloud vendors have opted not to reinvent the wheel and are instead relying on widely used federated protocols and standards, suc, as SAML and OpenID, to drive compatibility among their products.
Are cloud-based identity-management platforms panacea to solve the identity management problem for every size and type of organization? Not quite. Or at least, not quite yet. There are questions over how "deep" user provisioning and access entitlement workflow can work with cloud identity providers. There are plenty of enterprise applications that don't natively support SAML, OpenID, or etc. In some cases, enterprise applications require an additional on-premise integration layer which "speaks" the language of identity standards.
None of these are shotstoppers. With some refinement and improved tools to integrate standard protocols with applications, a complete, effective, and zero-footprint identity management cloud is on the horizon.