Identity management tools are essential in today's mobile and cloudy world, and the concern over using third-party cloud-based tools shouldn't stop you from using IDaaS.
One of the most exciting aspects of the rapid evolution of enterprise mobility management has been the rise of identity management, or the set of properties that defines what groups of users with certain devices can and can't do on the corporate network. The application of identity management, however, doesn't mean that IT needs to purchase additional servers and software.
The outsourcing of such a critical element as identity management seems ill-advised or perhaps even downright foolish (at least at first glance), but there is no conflict between using Identity as a Service (IDaaS) and meeting both operational and security objectives. In fact, using IDaaS may become the norm over the next few years, driven by the need for simplified operations, the economics of outsourcing and a competitive marketplace for IDaaS and other cloud-based IT services.
Understanding IDaaS starts with knowing the capabilities of identity management as a whole. Identity management is the mapping of network capabilities to specific combinations of users and devices. When the users and devices are wireless or mobile, you can also add geographic restrictions to what actions are permissible. Think of identity management as the contemporary implementation of authentication, authorization and entitlement with respect to capabilities in the IT domain.
Because identity management is largely an administrative and data-driven task, there's no reason why databases and their associated administrative tools can't be provisioned as a cloud-based service, even by a third party.
When it comes to choosing a third-party IDaaS tool, consider the vendor's reputation, the service's ease of use, how well you'll be able to address the need for additions to and modifications of users' capabilities, and whether the service provides automated device and user onboarding. Also look into whether the service offers easy de-provisioning of users and devices -- including the ability to temporarily lock users and devices as required -- as well as logging, reporting and permission verification.
Find out whether you can establish group permissions by role, department, devices and other parameters as you see fit and learn how well you'll be able to handle specific organizational needs. Interaction with the service should happen over authenticated and encrypted channels, and you should ensure that all your organization's data is also encrypted at all times. Have frank discussions about capabilities and operations with potential IDaaS suppliers.
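As an added example (not from the original article), here is a minimal policy evaluator in Python that models the mapping described above: permissions granted by department-and-role group, narrowed by device class, subject to a geographic restriction, with temporary locking for de-provisioning and an audit record of every decision for logging and permission verification. All users, groups, device classes and countries are constructed sample data, not any vendor's schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample policy data (hypothetical groups, device classes, countries).
GROUP_PERMISSIONS = {
    ("finance", "analyst"): {"read:ledger"},
    ("finance", "manager"): {"read:ledger", "approve:payment"},
}
DEVICE_PERMISSIONS = {
    "managed-laptop": {"read:ledger", "approve:payment"},
    "byod-phone": {"read:ledger"},
}
# Actions that a mobile user may only perform from certain countries.
GEO_RESTRICTED = {"approve:payment": {"US", "CA"}}

# Constructed reference time so the example is deterministic.
NOW = datetime(2013, 9, 1, 9, 0, tzinfo=timezone.utc)

AUDIT_LOG = []  # every decision is recorded for reporting and permission verification


@dataclass
class Identity:
    user: str
    department: str
    role: str
    device: str
    locked_until: Optional[datetime] = None  # None means the identity is active


def effective_permissions(identity):
    """Entitlement = what the user's group allows AND what the device class allows."""
    group = GROUP_PERMISSIONS.get((identity.department, identity.role), set())
    device = DEVICE_PERMISSIONS.get(identity.device, set())
    return group & device


def lock(identity, now, minutes):
    """Temporary lock; a de-provisioned identity is the same with a far-future end."""
    identity.locked_until = now + timedelta(minutes=minutes)


def is_permitted(identity, action, country, now):
    """Authorization decision for one (user, device, location, action) tuple."""
    if identity.locked_until is not None and now < identity.locked_until:
        reason = "locked"
    elif action not in effective_permissions(identity):
        reason = "not entitled"
    elif action in GEO_RESTRICTED and country not in GEO_RESTRICTED[action]:
        reason = "geo restriction"
    else:
        reason = "allowed"
    AUDIT_LOG.append({"time": now.isoformat(), "user": identity.user, "device": identity.device,
                      "action": action, "country": country, "result": reason})
    return reason == "allowed"
```

The same manager is allowed to approve a payment from a managed laptop in the US but not from a BYOD phone or from an unlisted country, and a locked identity is refused everything while the lock lasts, with each refusal and its reason left in the audit log.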
The chief argument against IDaaS remains the security and integrity of cloud-based services. But we all depend on the Web and Internet access today, and as long as we insist on (and our suppliers understand) the need for reliability, integrity, fault-tolerance and continuity, the application of IDaaS involves no more risk than any other cloud-based IT function.
This was first published in September 2013