Ask The Security Expert: Questions & Answers

Is Identity Management as a Service (IDaaS) a good idea?

EXPERT RESPONSE FROM: Randall Gamby, featured expert

QUESTION POSED ON: 17 September 2009
What are the short-term viability and security of IDaaS and when does it make sense to consider them?



Identity Management as a Service (IDaaS) could provide a level of benefit to an organization when it comes to things like account management for an enterprise's SaaS partners, but in the short term, identity management services are still best when managed internally. Why? It really comes down to two factors: Identity management represents the keys to the kingdom, so to speak, and IDaaS vendors don't take on the risk associated with losing crucial identity information.

Identity management is a control function at heart; whether managing short-term access to applications and services or long-term lifecycle management of user identities, you're implementing a double deployment scheme. You're integrating a number of identity management tool sets (i.e. provisioning systems, meta-directories, Web access management systems, repositories, etc.) from several vendors -- not to be confused with an integrated set of tools such as an identity management product suite from a single vendor (which isn't implemented often because there isn't a single vendor whose entire suite of products is considered best-in-class) -- and then integrating these into your business systems.

This integration not only requires ongoing and intimate knowledge of the computing environment, but it also requires a large amount of political collateral to ensure that business managers trust you to manage a key function of their systems. While some SaaS services, like external mail providers, can integrate their authentication services with your enterprise directory, they don't have the ability, or desire, to be responsible for managing this information for the rest of your applications. In addition, it's known that years ago, when IAM expertise was still hard to find, many enterprises that contracted out their identity management systems pulled them back in when they realized the companies they outsourced to had obtained the authority to issue accounts for the enterprise's sensitive business systems. Suddenly a strategy that was meant to increase efficiency became a compromise of security.

But regardless, if you're still considering IDaaS, you should ask the following questions:

  • What is the third party's ability to support your workflow and process needs?
  • Can it meet your assurance and audit requirements?
  • How agile is it when it comes to scalability and adding new functionality?
  • Do its contract's terms and conditions meet your needs, or will you be taking on additional risk?
  • What does it monitor and report to you?
  • What are its mitigation and notification processes in the unlikely event that it has a breach or an incident while handling your information?
  • If and when you decide to disengage from this third party, what are its procedures for disengagement, and what does it do with your company's backups and stored data that it has on its systems?

Moving the support for identity management out of your domain requires a lot of planning, architecture and bravery. Ensure you have all three before bringing an IDaaS vendor through the door.

For more information:

  • Read more about how to manage SaaS risk.
  • How secure is platform as a service (PaaS)? Learn more.



  • Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget