Manage Learn to apply best practices and optimize your operations.

What are the benefits of identity managed as a service?

How do Software as a Service (SaaS) and IAM interact? Identity and access management expert Joel Dubin weighs in on how to approach the integration of the two.

What are the benefits of identity managed as a service? When should enterprises give the service a serious look?
Let's start with software as a service (SaaS) in general, and then discuss it's applicability to identity and access management (IAM).

SaaS is an IT trend that can't be ignored. Also called "cloud computing" -- a reference to the cloud often drawn...

on IT architecture diagrams to represent the Internet or other external networks -- it's being offered for more applications, all of which will need remote authentication to be reached. As a result, IAM will become intertwined with SaaS as the technology evolves.

There are two schools of thought on SaaS. One is that by outsourcing applications, a company can save the costs of development, installation and maintenance of traditional software. This is the pro. The con is that by putting software on someone's system, the company is at the mercy of the SaaS service provider. In terms of security, precious data is sitting on someone else's network, at the mercy of their security controls.

Using SaaS for IAM can seem even scarier. Putting authentication credentials on a third-party's server would likely make any IT security manager cringe. Then there's the issue of reliability. If the third party goes down, are enterprise users locked out of the systems?

Despite this resistance, there has been some support for hosted identity and access management recently in blogs devoted to IAM. Those in favor argue that many companies are already outsourcing their IAM work, particularly for large projects like deployment of IAM suites, and the security danger isn't any greater than with other outsourced development or IT projects.

IAM experts, however, recommend SaaS offerings from existing IAM providers, rather than contracting IAM services from a vendor specializing in hosted software. IAM vendors have the specific expertise in securing IAM systems to make the idea more palatable to nervous security managers. Vendors offering SaaS for other IT services may already have some security savvy, but if IAM isn't their specialty or part of their offerings, they might miss a step or two.

When should an enterprise consider IAM SaaS offerings? Today the market is in its infancy. SAP AG began offering a service in 2007, and Symplified Inc., a SaaS provider whose whole business is devoted to IAM, just opened its doors in June of this year. SAP's service is geared toward larger companies, while Symplified bills itself as a mid-market vendor.

Since the field is so new and the offerings still so few, it's important to carefully evaluate any new vendor. Make sure to do a thorough review of its security and references before making any commitments.

More information:

  • Learn more about platform-as-a-service and whether it puts data at risk.
  • LDAP and IAM: Read more about directory management.

This was last published in August 2008

Dig Deeper on Password management and policy