Defining Identity as a Service
According to the CSA (Cloud Security Alliance), Identity as a Service (IDaaS) refers to the management of identities in the cloud, apart from the applications and providers that use them. IDaaS is an extremely broad term, including services for software, platform and infrastructure services in both the private and public cloud.
There are other definitions of IDaaS as well. Jonathan Penn distinguishes between two different understandings of IDaaS. In the first definition, IDaaS refers to managed identity services (MIS) in which a managed service provider (MSP) provides on- or off-site services to customers. Such services may include provisioning, directory management, or the operation of a single sign-on service (SSO).
In the second definition, IDaaS is a broader term, used to refer to the implementation of identity and access management (IAM) functionality, predominantly as web services, within a service-oriented architecture in an enterprise. These services are often referred to as “IM web services.” For the most part, such products currently lack a cohesive, integrated framework for their services, which may include authentication, authorization, provisioning, entitlements and policy query.
Since IDaaS makes identity management capabilities available through the infrastructure, enterprises can make identity a transparent and ubiquitous part of their applications. At the same time, enterprises can also ensure consistency in authentication, authorization, administration and auditing, which are the central tenets of identity management. Identity management experts point out that the development of IDaaS goes hand in hand with the creation of an enterprise identity layer, which would serve as the platform for all identity-enabled enterprise applications.
Challenges to IDaaS
From an identity management perspective, there are a number of uncertainties that have arisen with the discussion of IDaaS development. Some of them have been outlined below:
- Need a clear definition of what identity services (IDaaS) are and what type of functionality is expected.
- Application developers must be sensitive to service-oriented architecture (SOA) requirements.
- Standards must “catch up” with services offered.
- Interoperability must be satisfied.
- Define an application programming interface (API) model that facilitates development.
The CSA also lists a number of challenges to IDaaS development and implementation, which are discussed below:
- Security – Depending on whether the IDaaS is managed internally or externally to the organization, security challenges may greatly vary. Security also depends on which type of identity is being managed within the cloud.
- With SaaS (Software as a Service) – Customers intending to use IDaaS with SaaS must consider how well the IDaaS provider is able to meet the needs of different types of users, including: a) internal users, such as enterprise employees; b) external users, such as partners and customers; and c) consumers acting on their own behalf.
- With PaaS (Platform as a Service) – Customers intending to use IDaaS with PaaS must consider issues regarding web service interaction between their applications and the IDaaS. Examples of such issues may include: identity provisioning/deprovisioning; storage of identity information; application access to user information; location of authentication; secure transmission; and interactions with IDaaS provider for access control.
- With IaaS (Infrastructure as a Service) – The main challenge for customers intending to use IDaaS with IaaS is the management of privileged access to virtual machines that are being provisioned on an IaaS platform. A key question here is how to link virtual machine authenticity with user identity.
IDaaS Spotlight: Conformity
Conformity is advertised as an “SaaS gateway,” which does not necessarily store identity data, but functions to connect in-house identity stores to other SaaS that users might access. According to Scott Bils, founder of Conformity, the IDaaS service aims to address three major problems that are faced when organizations begin to use SaaS: 1) decentralization; 2) loss of control; and 3) broken integrations. Conformity streamlines SaaS management by offering the following solutions:
- User provisioning
- Role and profile management
- Approval workflows
- Directory integration
- Compliance reporting
- Usage analytics
- Change management
IDaaS Spotlight: Symplified
In February 2011, cloud security service developers Symplified launched the Symplified Suite, the third generation of their services which addresses the complete life cycle of IAM for both private and public cloud applications (i.e. SaaS) and resources (i.e. IDaaS and PaaS). The suite is comprised of:
- Symplified Access Manager
- Symplified Identity Manager
- Symplified Sign-On
These three components offer a wide variety of services, including access management, authentication, user provisioning, user administration, federated SSO and usage auditing.
According to Phil Lieberman, the CEO of Lieberman Software:
"My position has been that in theory IDaaS makes sense. [But] I believe that the IDaaS model breaks down in many areas: first, there is the reality that most IAM [Identity and Access Management] systems have extensive customizations done to them to support the unique business models (unique schemas). Second, most of the IAM systems also have integrations with third party line of business applications, that may or may not be supported in an IDaaS outsourced scenario. Third, and most critical in my mind, the IAM function is the most sensitive function in an organization (holding the keys to the kingdom), so the trust level in the vendor's confidentiality as well as business continuity/longevity issues would need to be brought into focus continuously. As a vendor of privileged identity management solutions, we see that most organizations are extraordinarily risk averse and secretive when it comes to identity management and security."
This article takes a look at identity as a service (IDaaS), a broad term for the management of identities in the cloud. IDaaS include services for software, platform and infrastructure services in both the private and public cloud. The article takes a look at some challenges and issues surrounding IDaaS development and implementation, from an identity management and enterprise perspective. Such challenges differ greatly, depending on the type of users involved, as well as the context in which the IDaaS are applied (whether with SaaS, PaaS or IaaS).
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Cloud Service Models (Domain 1)
- Data Security Lifecycle (Domain 5)
- Key Portability Objectives of S-P-I (Domain 6)
- Differences in S-P-I Models (Domain 10)
- Identity Federation,Authorization, Access Control & Provisioning (Domain 12)