SaaS is an IT trend that can't be ignored. Also called "cloud computing" -- a reference to the cloud often drawn...
on IT architecture diagrams to represent the Internet or other external networks -- it's being offered for more applications, all of which will need remote authentication to be reached. As a result, IAM will become intertwined with SaaS as the technology evolves.
There are two schools of thought on SaaS. One is that by outsourcing applications, a company can save the costs of development, installation and maintenance of traditional software. This is the pro. The con is that by putting software on someone's system, the company is at the mercy of the SaaS service provider. In terms of security, precious data is sitting on someone else's network, at the mercy of their security controls.
Using SaaS for IAM can seem even scarier. Putting authentication credentials on a third-party's server would likely make any IT security manager cringe. Then there's the issue of reliability. If the third party goes down, are enterprise users locked out of the systems?
Despite this resistance, there has been some support for hosted identity and access management recently in blogs devoted to IAM. Those in favor argue that many companies are already outsourcing their IAM work, particularly for large projects like deployment of IAM suites, and the security danger isn't any greater than with other outsourced development or IT projects.
IAM experts, however, recommend SaaS offerings from existing IAM providers, rather than contracting IAM services from a vendor specializing in hosted software. IAM vendors have the specific expertise in securing IAM systems to make the idea more palatable to nervous security managers. Vendors offering SaaS for other IT services may already have some security savvy, but if IAM isn't their specialty or part of their offerings, they might miss a step or two.
When should an enterprise consider IAM SaaS offerings? Today the market is in its infancy. SAP AG began offering a service in 2007, and Symplified Inc., a SaaS provider whose whole business is devoted to IAM, just opened its doors in June of this year. SAP's service is geared toward larger companies, while Symplified bills itself as a mid-market vendor.
Since the field is so new and the offerings still so few, it's important to carefully evaluate any new vendor. Make sure to do a thorough review of its security and references before making any commitments.
- Learn more about platform-as-a-service and whether it puts data at risk.
- LDAP and IAM: Read more about directory management.
Dig Deeper on Password management and policy
Related Q&A from Joel Dubin
Ensuring authenticity of online communications is critical to conduct business. Learn how to use a public key and private key in digital signatures ... Continue Reading
Learn about the purpose of CAPTCHA challenges that enable websites to differentiate bots from authentic users to stop spammers from hijacking forums ... Continue Reading
Proper planning is at the top of the list for single sign-on best practices, but it's important to get enterprise SSO implementations off to a good ... Continue Reading