Strong identity and access management procedures are critical as regulatory compliance rules and data fraud incidents persist. Yet, implementing and maintaining world-class IAM practices can be challenging as an organization's data management needs increase in complexity.
Security leaders said it becomes more challenging to maintain a strong IAM program as the complexity of the organization grows, including when an organization adds more cloud-based apps to existing legacy systems or increases the number and type of endpoints -- from mobile devices to IoT sensors -- accessing systems.
Security experts and advisors suggested that organizations can turn to identity as a service (IDaaS) adoption to help them create a better IAM program.
In its December 2019 report, "The State of Identity: How Security Teams are Addressing Risk," the Identity Defined Security Alliance found only 24% of the 500-plus responding IT security decision-makers rate their security teams' awareness of IAM as "excellent," despite all respondents believing a lack of strong IAM practices introduces security risk.
Such statistics aren't surprising, experts said, because it can be challenging to implement and advance a comprehensive IAM program even if it is a foundational element of the enterprise security portfolio.
"Identity and access management is too important to grow your own, so I think the business and risk case for moving to IDaaS is clear," said Steve Wilson, vice president and principal analyst with Constellation Research.
The case for IDaaS adoption
Organizations that use IDaaS outsource the technical portion of their IAM process, shifting to a cloud-based single sign-on (SSO) built, hosted and managed by a third-party provider. Indeed, IDaaS adoption is trending up: Research from MarketsandMarkets shows demand for IDaaS growing from $2.5 billion in 2019 to $6.5 billion by 2024.
"It makes sense in most cases to have someone run this as a service; otherwise, you have to have a department to do it yourself, and for most, that's not cost-effective," said Tony Velleca, CISO of UST Global, an IT services and solutions provider, and CEO of managed service provider CyberProof, a UST Global company.
Velleca added that small to midsize companies are more likely to adopt IDaaS, as they're less likely than larger companies (including his own) to have the resources necessary to implement advanced IAM practices. Smaller companies are also less likely to have complex infrastructure that could make IDaaS adoption more complicated.
How IDaaS improves security
Rex Thexton, managing director and global practice lead for Accenture's Global Digital Identity business, said IDaaS can help an enterprise security team deliver a stronger IAM program to the entire organization in several ways.
IDaaS adoption can help organizations implement advanced IAM practices, such as multifactor authentication, which can be difficult for many enterprise security teams to develop and deploy on their own, Thexton said. Moving to IDaaS also helps organizations modernize by delivering SSO across all cloud-based applications -- and extending it quickly as new cloud-based apps are added. It also frees up security resources previously tied up in tedious commodity IAM tasks to focus on higher-value work and unique organizational projects that cannot be outsourced.
"With IDaaS, you don't have to run and operate the technology; all you have to focus on is the business problem," Thexton said.
Shifting to IDaaS also helps organizations stay current with IAM advances, Thexton added.
"You're able to keep up with innovations in the market," he said. "That's the biggest plus of IDaaS, because [the vendors] are constantly innovating; they're doing all the heavy lifting."
Challenges to make the most of IDaaS
IDaaS adoption does not absolve organizations of the governance and policy work involved in IAM, experts said. As Thexton put it: "The client owns the supporting business processes and the controls. They're only using the IDaaS tools to enable it."
As such, enterprise security teams that don't do well at this critical work won't enjoy the improved security posture that IDaaS can deliver. "That's all about risk management, and you can't outsource that responsibility," Wilson added.
Organizations need to be diligent about vendor selection -- as with any third-party provider -- and their contract terms to ensure that there's a clear understanding of where the IDaaS vendor's work ends and their own begins so no security gaps are created, Wilson said.
Advisors noted that when considering IDaaS adoption, security leaders need to be mindful of the limits of IDaaS, just as they should with any other technology. Leaders need to be clear on where the platform may not work well or may need customized integration -- this is more prevalent in very large, complex organizations that use a lot of legacy applications.
"If you have complex patterns or a lot of complex and legacy infrastructure, then you'll have more integration challenges with IDaaS," Thexton said. "You can still reap the benefits of IDaaS, but it will be more of a struggle."