I saw your piece on identity as a service (IDaaS) from a while back. After successfully moving several of our key applications to the cloud, we're considering IDaaS as a lower-cost way to manage access to cloud and on-premise services. Is this a viable scenario? Also, following our
To give a short answer: Yes, IDaaS is slowly getting there, but it still falls short of where it needs to be.
As mentioned in several Ask the Expert questions in the past few months, there are more than a few commercial IDaaS vendors out there, such as Google, but they're focused on specific market sectors and partnerships. On the other end of the spectrum, the National Strategy for Trusted Identities in Cyberspace (NSTIC), administered by the U.S. National Institute of Standards and Technology (NIST), is in the initial stages of creating strong private-sector identities for the general public, to be used for both private business and government identity services. So depending on what market your company is in, there may be an IDaaS offering for you. Even if there is, however, it will be limited in its scope and offerings.
Integration with Active Directory will also depend on the specific IDaaS offering you're considering. With the spread of identity federation protocols such as SAML and OAuth, loosely coupling a third-party identity repository to an enterprise directory has become commonplace: the IDaaS provider authenticates the user and sends the enterprise application a signed assertion or token, and the application maps that assertion back to an account and its group memberships in the directory. If directory integration is a requirement for your IDaaS or cloud identity management project, state it to the vendors under consideration as a mandatory requirement, and have them demonstrate the capability against your directory rather than accept a checkbox on a feature list.
[Ask the Expert] Randall Gamby, SearchSecurity.com's resident expert on identity management and access control, answers enterprise IAM questions in this column. (All questions are anonymous.)
XACML, on the other hand, is a standardized authorization service: it expresses and evaluates access-control policies, deciding whether an already-identified subject may perform an action on a resource. IDaaS vendors provide standardized authentication services, which answer only who the user is, so XACML support shouldn't be a requirement unless the third party will also be managing the entitlements for the organization.
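The split described above (federated authentication from the IDaaS provider, entitlement decisions kept in-house) is easier to see in code. The following Python is an added example, not code from the original column or from any vendor. It uses a constructed SAML 2.0 assertion with made-up issuer and audience URLs and a hypothetical local entitlement table (`ENTITLEMENTS`) standing in for an XACML policy. It assumes the assertion's XML signature has already been verified upstream with the provider's key; the example only checks issuer, audience and validity window, then makes the authorization decision locally.

```python
"""Federated authentication (IDaaS side) vs. local entitlement decision (XACML's domain).

Added example. The assertion below is constructed for illustration; the issuer,
audience, user and groups are not real. Signature verification is assumed to have
been done before this code runs, since it needs the provider's signing key.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: what an IDaaS provider would return after login.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2012-08-01T12:00:00Z">
  <saml:Issuer>https://idaas.example.com/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-08-01T11:59:00Z" NotOnOrAfter="2012-08-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://hr.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>hr-staff</saml:AttributeValue>
      <saml:AttributeValue>employees</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical service-provider identity and trusted issuer (assumptions, not real endpoints).
EXPECTED_AUDIENCE = "https://hr.example.com/sp"
TRUSTED_ISSUER = "https://idaas.example.com/idp"

# Hypothetical local entitlement policy, XACML-style: rules on subject group, resource, action; default deny.
ENTITLEMENTS = [
    {"group": "hr-staff", "resource": "payroll", "actions": {"read", "write"}},
    {"group": "employees", "resource": "directory", "actions": {"read"}},
]

# Two constructed clock values: one inside the assertion's validity window, one after it.
NOW = datetime(2012, 8, 1, 12, 1, 0, tzinfo=timezone.utc)
LATE = datetime(2012, 8, 1, 12, 30, 0, tzinfo=timezone.utc)


def _ts(value):
    """Parse a SAML UTC timestamp (YYYY-MM-DDTHH:MM:SSZ) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def authenticate(assertion_xml, now, expected_audience=EXPECTED_AUDIENCE, trusted_issuer=TRUSTED_ISSUER):
    """Validate the (already signature-checked) assertion for this service provider.

    Returns (subject, attributes) on success; raises ValueError on any failed check.
    This is the authentication half: it establishes who the user is, nothing more.
    """
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        raise ValueError("assertion not from the trusted issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was issued for a different audience")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return subject, attrs


def authorize(attrs, resource, action):
    """Authorization half: evaluate the local entitlement policy. Default is Deny."""
    groups = set(attrs.get("memberOf", []))
    for rule in ENTITLEMENTS:
        if rule["group"] in groups and rule["resource"] == resource and action in rule["actions"]:
            return "Permit"
    return "Deny"


def access_decision(assertion_xml, resource, action, now):
    """Combine the two halves: the provider proves identity, the enterprise decides access."""
    try:
        subject, attrs = authenticate(assertion_xml, now)
    except ValueError as err:
        return ("NotAuthenticated", str(err))
    return (subject, authorize(attrs, resource, action))


if __name__ == "__main__":
    for resource, action in (("payroll", "write"), ("directory", "read"), ("payroll", "delete")):
        print(resource, action, access_decision(SAMPLE_ASSERTION, resource, action, NOW))
    print("expired:", access_decision(SAMPLE_ASSERTION, "payroll", "read", LATE))
```

Two points worth noting: the entitlement table is the only part an enterprise would have to hand to a vendor for XACML to become a requirement, which is the column's point, and real SAML handling must also verify the XML signature and parse untrusted XML with a hardened parser (for example defusedxml) before any of these checks run.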
Finally, the part of the IDaaS services model that's still in its infancy is the contractual language for engaging an IDaaS vendor. As I mentioned in my previous article concerning the NSTIC identity plan, IDaaS vendors are still struggling with how much responsibility they are legally willing to take on for the protection and possible loss of identities under their control. Most, if not all, vendors still have recovery assurances that don't reflect the true cost of a lost or stolen identity. Until IDaaS vendors stand up and accept the true monetary value that identities represent to their clients, and until they provide guarantees at a level that will make their clients feel comfortable with handing over this data to them, the IDaaS marketplace will continue to be stunted.
This was first published in August 2012