What is Identity-as-a-Service (IDaaS)?
Identity-as-a-Service (IDaaS) is a cloud-based service, delivered in a multi-tenant or dedicated hosted model, that brokers a set of capabilities across multiple IAM functions to target systems on customers' premises and in the cloud. These functions include:
- Identity Governance and Administration (“IGA”)
- Access Enforcement
- Intelligence and Analytic functions
The Evolution of Identity and Access Management
With the rapid rise of cloud technologies and growing mobile workforces, traditional IAM solutions no longer meet the requirements for securing on-premises, mobile and cloud applications. Identity-as-a-service providers emerged to help enterprises secure access to cloud technologies. They focus on centralizing the authentication and authorization decisions of multiple cloud, mobile and on-premises applications in a central directory service (or services). The directory can be an existing on-premises directory maintained by the enterprise, such as Active Directory, or a cloud-based directory that the identity-as-a-service provider offers. Centralized authentication and authorization bring many benefits, including a single username and password for every user (single sign-on), a centralized directory of user data and access policy that remains under IT's control and, most importantly, reduced security risk from password sprawl.
IDaaS is More Than Just SSO
Until recently, IDaaS providers were associated only with single sign-on to cloud applications. However, with compromised credentials becoming the top attack vector in data breaches, IDaaS providers have evolved to protect cloud, mobile and on-premises applications beyond single sign-on. They complement single sign-on with adaptive multi-factor authentication (MFA), risk-based access controls, provisioning automation with self-service, and enterprise mobility management capabilities to provide identity assurance for cloud applications.
Adaptive and Risk-based Multi-factor Authentication (MFA)
Where traditional IAM solutions secure access to on-premises applications protected behind a corporate network, cloud applications present new challenges because they are accessible anywhere, at any time and on any device. IDaaS providers address these challenges with advanced access controls that balance security against end-user productivity. Enforcing multi-factor authentication in front of every application is an option, but IDaaS providers also layer in "adaptive" access controls. Examples include granting single sign-on access to an application when the user is on the corporate network and using a corporate-issued workstation, challenging a user with multi-factor authentication when the login occurs outside business hours, and restricting application access to trusted BYOD devices only while blocking access from all other devices. Additionally, some IDaaS vendors have begun to offer risk-based access controls that account for risky behavior by using analytics and machine learning to build a normal baseline for each user. The risk of every authentication attempt, measured against that user's baseline, is then used to decide whether to allow access or prompt for additional authentication factors. Factoring in user behavior is critical because abnormal authentication activity, such as a login from New York followed by one from San Francisco a few minutes apart, can be rated high-risk, immediately blocking application access for that user while notifying IT for further investigation.
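The adaptive policy described above, written out as an added example (not Centrify's code): a small evaluator that blocks on impossible travel between a user's consecutive logins, blocks untrusted devices, steps up to MFA off-network or outside business hours, and otherwise allows single sign-on. The 1000 km/h travel cut-off, the 08:00 to 17:59 business window and the sample logins are assumptions constructed for the example; a learned per-user baseline is replaced by these fixed rules.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

@dataclass
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float
    corporate_network: bool  # request arrived from the corporate network
    trusted_device: bool     # corporate-issued workstation or enrolled BYOD device

MAX_PLAUSIBLE_KMH = 1000.0      # assumed cut-off: faster than any airline flight
BUSINESS_HOURS = range(8, 18)   # assumed business hours, 08:00-17:59
def distance_km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def evaluate(current: Login, previous: Optional[Login]) -> Tuple[str, List[str]]:
    """Decide 'allow', 'mfa' or 'block' for one authentication attempt, with reasons."""
    reasons: List[str] = []
    # 1. Impossible travel relative to the same user's last login: block and flag for IT.
    if previous is not None and previous.user == current.user:
        hours = (current.ts - previous.ts).total_seconds() / 3600
        km = distance_km(previous, current)
        if hours >= 0 and km / max(hours, 1e-6) > MAX_PLAUSIBLE_KMH:
            reasons.append(f"impossible travel: {km:.0f} km in {hours * 60:.0f} min; notify IT")
            return "block", reasons
    # 2. Untrusted device: no access at all, whatever the other signals say.
    if not current.trusted_device:
        reasons.append("untrusted device")
        return "block", reasons
    # 3. Step-up signals: off the corporate network or outside business hours -> MFA.
    if not current.corporate_network:
        reasons.append("off corporate network")
    if current.ts.hour not in BUSINESS_HOURS:
        reasons.append("login outside business hours")
    return ("mfa" if reasons else "allow"), reasons

# Constructed sample logins for the scenarios in the text (a Monday, 10:00).
BASE = datetime(2024, 5, 6, 10, 0)
NY_OFFICE = Login("alice", BASE, 40.71, -74.01, True, True)
SF_FIVE_MIN_LATER = Login("alice", BASE + timedelta(minutes=5), 37.77, -122.42, False, True)
HOME_AT_NIGHT = Login("alice", BASE.replace(hour=23), 40.73, -73.99, False, True)
UNKNOWN_DEVICE = Login("alice", BASE, 40.71, -74.01, True, False)
```

Calling `evaluate(SF_FIVE_MIN_LATER, NY_OFFICE)` reproduces the New York to San Francisco case from the text: roughly 4,130 km in five minutes, so the attempt is blocked before any other signal is considered.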
User Provisioning Automation + Self-Service
User provisioning is the granting, modifying and disabling of a user's access to one or more applications. Provisioning and deprovisioning are typically very manual and error-prone tasks because IT must grant an average of 20 application accounts for every user. Multiply that by every employee and every application used in the enterprise, add every change in role or employment, and it is easy to see how user administration becomes one of IT's most time-consuming tasks. IDaaS providers offer automatic user provisioning, where a simple role assignment (e.g. Marketing, Finance, HR) creates a user account and assigns the appropriate level of access in every application the employee needs to do their job. When access is no longer needed, IT disables the user in a single directory and the IDaaS provider automatically disables all application access and reclaims any licenses previously consumed. In addition to automated provisioning, identity-as-a-service providers offer a range of self-service features, such as application access requests, password reset, account unlock, updating personal information and locating and managing the user's own devices, which improves overall productivity and reduces the helpdesk burden.
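The role-driven provisioning and deprovisioning flow above as an added example (not Centrify's code): a role assignment is reconciled into per-application grants and revocations, seats are taken from and returned to a license pool, and disabling the user in the directory revokes every account. The role catalog, access levels and license counts are constructed assumptions for the example.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed role catalog for this example: role -> {application: access level}
ROLE_CATALOG: Dict[str, Dict[str, str]] = {
    "Marketing": {"email": "user", "crm": "viewer", "analytics": "editor"},
    "Finance":   {"email": "user", "erp": "approver", "analytics": "viewer"},
    "HR":        {"email": "user", "hris": "admin"},
}
LEVELS = ["viewer", "user", "editor", "approver", "admin"]  # ordered low -> high

class Provisioner:
    """Keeps each user's application accounts in step with the roles held in one directory."""

    def __init__(self, license_pool: Dict[str, int]):
        self.licenses = dict(license_pool)              # free seats per application
        self.accounts: Dict[str, Dict[str, str]] = {}   # user -> {application: level}

    @staticmethod
    def desired(roles: Iterable[str]) -> Dict[str, str]:
        """Union of the roles' entitlements; the highest level wins where roles overlap."""
        out: Dict[str, str] = {}
        for role in roles:
            for app, level in ROLE_CATALOG[role].items():
                if app not in out or LEVELS.index(level) > LEVELS.index(out[app]):
                    out[app] = level
        return out

    def assign_roles(self, user: str, roles: Iterable[str]) -> Tuple[Dict[str, str], List[str]]:
        """Reconcile the user's accounts with their roles; returns (granted, revoked)."""
        current = self.accounts.get(user, {})
        target = self.desired(roles)
        new_apps = [app for app in target if app not in current]
        short = [app for app in new_apps if self.licenses.get(app, 0) <= 0]
        if short:  # fail before touching anything so state stays consistent
            raise RuntimeError(f"no free license for {user} in {short}")
        revoked = [app for app in current if app not in target]
        for app in revoked:
            self.licenses[app] += 1                     # reclaim the seat
        for app in new_apps:
            self.licenses[app] -= 1                     # consume a seat
        granted = {app: lvl for app, lvl in target.items() if current.get(app) != lvl}
        self.accounts[user] = target
        return granted, revoked

    def disable_user(self, user: str) -> List[str]:
        """Offboarding: one change in the directory removes every account and reclaims licenses."""
        _, revoked = self.assign_roles(user, [])
        self.accounts.pop(user, None)
        return revoked
```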
Enterprise Mobility Management (EMM)
Modern applications make it easy for mobile workforces to access apps from any device. Mobility brings its own challenges: diminished productivity from users constantly entering a username and password to log into every application, the need to restrict application access to trusted devices only, and the need to secure the devices from which sensitive applications and data are accessed so that corporate security policies are met. Many IDaaS providers recognize the convergence of identity and mobility and therefore weave in mobile device management (MDM) to lock down and secure mobile devices, mobile application management (MAM) to govern which applications users can access on their mobile devices, and mobile information management (MIM) to restrict which applications can access or transmit corporate data (e.g. email). IDaaS providers also incorporate device posture into application access policy to minimize the risk from lost or stolen devices.
IDaaS is Here to Stay
As traditional enterprises continue to displace legacy applications with cloud applications and newer enterprises are born in the cloud, IDaaS providers will play a vital role in providing identity assurance and protecting enterprises from the top attack vector and leading cause of data breaches: compromised credentials. Gartner estimates that “by 2021, identity as a service providers will be the majority access management delivery model for new purchase.” The benefits of IDaaS providers are rapid deployment of cloud-ready identity and access management capabilities designed to secure the modern hybrid enterprise, and reduced cost and maintenance from using an as-a-service solution. To learn more about how Centrify protects against breaches that target applications or start on endpoint devices, contact us.