The Best Identity Management Solutions of 2017


Managing Users With Identity Management (IDM)

The explosive growth of the cloud and, in particular, of Software-as-a-Service (SaaS) applications such as those becoming popular for collaboration or project management, has changed the way companies do business. Deploying software as a managed service delivered via the cloud means lower maintenance costs, increased uptime, faster feature rollout, and a reduced need for on-site hardware. Those are just some of the reasons why cloud-based SaaS solutions are making deep and fast inroads into tasks that were formerly dominated solely by in-house IT staff.

But to fully realize the savings offered by SaaS apps, businesses need a way to easily create and manage users (aka identities) across their entire portfolio of cloud apps, portfolios that usually span multiple platforms and can change often. IT administrators need to give users single sign-on (SSO) capability across the organization's entire portfolio of apps, but that's only part of the problem. Controlling the depth of access in SaaS apps is just as important as it is for on-premises apps: not just who gets access to the app, but exactly what they can access once they're using it. This can be critical in many business apps, as can defining the user's role, cross-app authentication, and more advanced security measures such as multifactor authentication (MFA). MFA refers to authentication mechanisms that require more than a single step such as entering a user name and password; they also require an additional step, such as presenting a physical token of some kind (a smart card or USB stick, for example) or a biometric measure (a fingerprint scan, for instance).

Equally important is the management of existing Identity Providers (IDPs) such as Microsoft Active Directory (AD) or human resources (HR) software. In many cases, identity information may be sourced from multiple repositories, requiring a system that can not only manage identities in different systems but also synchronize information between these systems and provide a single source of truth when required.

To make all of this happen, admins need the ability to manage users in a fast-changing environment without having to manually perform actions that for decades have been distilled down to simple changes to a user's group membership properties in Microsoft AD. Having to manually adjust permissions, access, and control properties across dozens, hundreds, or even thousands of users every time a new SaaS service is made available can be prohibitively cumbersome, even if IT takes advantage of automation technologies such as scripting. Identity Management-as-a-Service (IDaaS) solutions are rapidly becoming a critical aspect of the corporate infrastructure, for a myriad of reasons we'll detail through the course of this article. Ironically, perhaps the ideal answer to this problem, at least in part, is to dip into the SaaS well again and use an IDaaS provider.

Connecting Identities in the Cloud

Most IDaaS providers use a common method to handle authentication by using identities contained in your organization's existing network directory. The most prevalent option is to have a piece of software installed on your local network, known as an agent, which allows the IDaaS provider to communicate with your directory. That way, admins can keep using the same directory tools they always have, yet seamlessly access apps and resources outside the company network.

This communication is typically a combination of synchronization (where directory users and groups are pulled up to the service) and on-demand communication (known as federation) in order to perform authentication requests back against the directory. Most IDaaS solutions offer the ability to customize the synchronization process, particularly which user attributes are allowed to be synchronized. The reasons to customize attribute synchronization are usually either security- or privacy-related (e.g., you have attributes that may contain confidential data) or functional (e.g., you need to make custom attributes available to the IDaaS provider in order to use them within the service).

Another common method of connecting your on-premises directory with an IDaaS solution is to expose a standard directory protocol or authentication provider to the IDaaS. Some examples of this are the Lightweight Directory Access Protocol (LDAP), an open standard, and Active Directory Federation Services (ADFS), a proprietary Microsoft technology that is popular because of its easy integration with Microsoft's widely used Active Directory. LDAP is a standards-based method of communicating with a directory (either AD or one of several alternatives), while ADFS is a role in Windows Server tailored more towards allowing web apps to glean specific information from AD. Not all IDaaS providers support these options and, in most cases, these options require a high level of configuration, including firewall rules.

But these options may be a better solution for some business cases. For example, organizations with increased security requirements or privacy regulations may need to limit the software installed on domain controllers or have increased control over what data is available to an external IDaaS solution that is essentially running on someone else's servers.

Connecting With Customers and Partners

A business isn't worth much without relationships to partners and, more importantly, customers. In this age of technology and instant gratification, the ability to collaborate with partners or provide customers access to their information, while simultaneously respecting their privacy and security, is a critical aspect of doing business. Many of the IDaaS solutions we've reviewed offer the ability to provide business partners SSO access to apps through a portal functionally identical to the one available to normal corporate users. This allows your business to foster business relationships without having to automatically provide partners direct access to your corporate network or even stand up a new app specifically for partner access.

Customer management is another area in which IDaaS solutions can offer value. Most customers already have one or more identities established on social media or other popular websites. Many of the solutions we've reviewed offer a consumer IDaaS aspect, which is typically licensed separately from the core IDaaS product due to the potential for a high volume of authentications. Typically, a consumer IDaaS will allow a user to register by using an account they already own, such as a Facebook or Google account, which will then provide them access to the resources you authorize. Depending on your corporate use case, this authentication process could allow users access to a custom web app designed to provide information specific to them, or users could be redirected to the customer area of a customer relationship management (CRM) solution. In most cases, the IDaaS platform gives you options over how the authentication request is processed, which allows you to use a standard protocol or provide an application programming interface (API) for developers to access through custom code.

Augmenting Existing Infrastructure

In many cases, an IDaaS solution can provide significant benefits to your existing infrastructure over and above the inherent benefits offered by using cloud apps. One major benefit is an obvious one: managing identities. The larger a business, the more identities there are to manage, and often, these identities begin to reside in multiple places. Frequently, there are software apps that manage employees, their pay, and their organizational structure. Likewise, one or more corporate directories often contain similar information. Companies with multiple business interests or branches can often require separate identity stores; likewise, businesses (such as hospitals or industrial complexes) can often also require segregation of network resources for compliance or safety reasons.

An IDaaS solution can ease the management of these identities in multiple source locations, including providing self-service capabilities, delegation, approval workflows, and automation. Each of these features can also provide a logging element for reporting and compliance audit purposes. In many cases, the IDaaS app can also provide synchronization or translation capabilities with automation, which allows you to manage an identity once and have those changes flow to other systems where appropriate.

Another way IDaaS solutions can help with your existing infrastructure is with apps that are hosted within the local network. In many cases, these apps are core to the company business, and providing access to off-site users requires either exposing the app to the internet with a firewall rule or first requiring the user to connect to a virtual private network (VPN) tunnel. While either of these scenarios has its place and is perfectly suitable for many situations, some IDaaS tools offer another option. By using a software-based agent installed inside the corporate network, an app can be accessed through an IDaaS SSO portal in the same way you would access a SaaS app hosted in the cloud. Most of the heavy lifting in this scenario is handled by an encrypted tunnel between the IDaaS provider and the software agent installed on your network.

Security Considerations

Clearly, there are a number of security concerns for IT shops looking into using SaaS apps and IDaaS solutions. In some situations, avoiding the use of SaaS apps is next to impossible, so finding the best method to manage and secure the accounts needed to use these apps is imperative. Other organizations may be considering SaaS apps by choice rather than out of necessity, so security concerns must be weighed against convenience and efficiencies.

Overall, there are four core areas of security to consider when evaluating IDaaS providers. The connection method used to integrate an existing corporate directory is the first area to consider. Software-based synchronization agents support a secure connection between your directory and the IDaaS provider but many IT shops will (rightly) have hesitations about installing an agent on their domain controllers. Considering an IDaaS solution that supports an authentication standard such as LDAP or ADFS might be a better option as they offer increased control over authentication and security.

The second area of concern for corporations looking into any kind of cloud service is the data stored within the service which, in the case of an IDaaS solution, will be corporate users and groups. In general, IDaaS solutions don't sync and store password hashes from your users; however, several IDaaS providers do offer this as an option in order to maintain the same passwords between multiple accounts (local directory, IDaaS, and even SaaS apps). These options should be carefully evaluated from security and legal points of view. Additionally, each of the IDaaS providers does have to store passwords related to SaaS apps in order to perform SSO functionality.

Third, consider the communication between your IDaaS provider and your entire portfolio of SaaS apps. Without exception, the IDaaS options tested here use a combination of Security Assertion Markup Language (SAML) and password vaulting. SAML is an Extensible Markup Language (XML)-based authentication standard by which the identity provider and SaaS app can handle authentication, without requiring interaction from a user or the population of a web form. The ability of an IDaaS provider to authenticate your users to their SaaS apps depends on the SaaS app supporting the SAML standard for authentication. In cases in which SAML isn't supported by a SaaS app, most IDaaS providers will revert to password vaulting, which essentially handles the process of completing and submitting a login form on a webpage.

SAML can also offer increased security in the form of a mutually authenticated connection through the use of SSL certificates tying the two services together. As with SAML itself, these additional security features are dependent upon support from both the SaaS and IDaaS provider. For my part, I tag SAML as the preferred authentication method for SSO from an IDaaS provider; in fact, I'd say you probably shouldn't even consider a solution that doesn't leverage that standard.

The last critical aspect to the IDaaS security picture is locking down the sign-on process for users. One feature that is common among all of the IDaaS players is support for MFA, which helps prevent security breaches due to a compromised password by requiring a second form (multiple factors) of authentication such as a randomly generated password or a hardware key.

Another common scenario is to require different levels of security based on the user's network location (typically determined by IP address), such as allowing a basic username and password login when connecting through the corporate network but requiring MFA when using another connection. In general, both MFA and IP address restrictions are handled by using security policies, which is another must-have feature for an IDaaS provider. In fact, you probably want to look for an option that lets you configure multiple policies, as not all apps or users have the same security needs.
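To make the policy model concrete, here is an added example (not taken from any reviewed product) of first-match evaluation across several sign-on policies keyed on app, group, and network location. The policy names, groups, and address ranges are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    apps: frozenset           # apps covered; "*" matches any app
    groups: frozenset         # user groups covered; "*" matches any group
    trusted_networks: tuple   # CIDR ranges counted as the corporate network
    on_network: str           # requirement inside a trusted range
    off_network: str          # requirement from any other connection

# Constructed sample policies, ordered most specific first.
POLICIES = (
    Policy("payroll-app", frozenset({"payroll"}), frozenset({"*"}),
           ("10.0.0.0/8",), "mfa", "mfa"),
    Policy("it-admins", frozenset({"*"}), frozenset({"it-admins"}),
           ("10.0.0.0/8",), "mfa", "mfa"),
    Policy("baseline", frozenset({"*"}), frozenset({"*"}),
           ("10.0.0.0/8", "2001:db8:10::/48"), "password", "mfa"),
)

def on_trusted_network(client_ip, cidrs):
    """True only if client_ip parses and falls inside one of the ranges."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False          # an unparsable address is never trusted
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def required_auth(policies, user_groups, app, client_ip):
    """Return (policy name, requirement) from the first matching policy.

    client_ip must be the address seen by the sign-on service itself,
    not a value copied from a client-supplied header.
    """
    for p in policies:
        app_ok = "*" in p.apps or app in p.apps
        group_ok = "*" in p.groups or bool(p.groups & set(user_groups))
        if app_ok and group_ok:
            inside = on_trusted_network(client_ip, p.trusted_networks)
            return p.name, (p.on_network if inside else p.off_network)
    return "default", "mfa"   # no policy matched: fail closed to MFA

if __name__ == "__main__":
    for groups, app, ip in [(["staff"], "wiki", "10.1.2.3"),
                            (["staff"], "wiki", "203.0.113.7"),
                            (["it-admins"], "wiki", "10.1.2.3"),
                            (["staff"], "payroll", "10.1.2.3")]:
        print(groups, app, ip, "->", required_auth(POLICIES, groups, app, ip))
```

Ordering matters here: a broad baseline policy placed first would shadow the stricter app and admin policies.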

Single Sign-On

From a user's perspective, the primary purpose of having an IDaaS solution is to make signing into web apps easier. A user portal that provides quick SSO access to SaaS apps is a feature in the majority of IDaaS options. Most solutions also offer plug-ins for the major web browsers as well as mobile apps that mirror the functionality of the SSO portal.

In most cases, the user portal is presented as a grid or list of icons indicating the apps available to a user. This list is populated based on the SaaS apps assigned to the user by the IDaaS admins, either manually or through automated means such as membership in an AD group. The ideal provisioning method in terms of efficiency is based on the System for Cross-domain Identity Management (SCIM), a set of standards-based interfaces that allow for user provisioning within SaaS apps, though many IDaaS providers will make use of app-specific application programming interfaces (APIs) to handle provisioning. If supported by both the IDaaS and SaaS provider, then users can be automatically provisioned in the SaaS app based on conditions you define in the IDaaS solution. Often, this condition is simply membership in an AD group or based on an attribute of your choosing.
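The group-driven provisioning described above can be sketched as a reconciliation step that compares directory state with the accounts in a SaaS app and emits SCIM 2.0 requests. This is an added example, not code from any reviewed product; the directory records, group DN, and account IDs are constructed, and the `enabled` flag is a simplified stand-in for the directory's account-status attribute.

```python
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
CRM_GROUP = "CN=SaaS-CRM,OU=Groups,DC=example,DC=com"   # constructed group DN

# Constructed directory export (AD-style attribute names).
DIRECTORY = [
    {"userPrincipalName": "alice@example.com", "givenName": "Alice", "sn": "Ng",
     "mail": "alice@example.com", "objectGUID": "g-001", "enabled": True,
     "memberOf": [CRM_GROUP]},
    {"userPrincipalName": "bob@example.com", "givenName": "Bob", "sn": "Ruiz",
     "mail": "bob@example.com", "objectGUID": "g-002", "enabled": False,
     "memberOf": [CRM_GROUP]},                      # disabled in the directory
    {"userPrincipalName": "carol@example.com", "givenName": "Carol", "sn": "Iwu",
     "mail": "carol@example.com", "objectGUID": "g-003", "enabled": True,
     "memberOf": []},                               # removed from the group
    {"userPrincipalName": "dave@example.com", "givenName": "Dave", "sn": "Koch",
     "mail": "dave@example.com", "objectGUID": "g-004", "enabled": True,
     "memberOf": [CRM_GROUP]},
]
# Constructed list of accounts as a SCIM GET /Users on the app might return.
APP_ACCOUNTS = [
    {"id": "b1", "userName": "bob@example.com", "active": True},
    {"id": "c1", "userName": "carol@example.com", "active": True},
    {"id": "d1", "userName": "dave@example.com", "active": False},
]

def set_active(value):
    """SCIM PatchOp body that flips the account's 'active' attribute."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": value}]}

def plan_provisioning(directory_users, app_users, required_group):
    """Return [(method, path, body)] bringing the app in line with the group."""
    entitled = {u["userPrincipalName"].lower(): u for u in directory_users
                if u.get("enabled") and required_group in u.get("memberOf", [])}
    existing = {a["userName"].lower(): a for a in app_users}
    plan = []
    for upn, u in sorted(entitled.items()):
        acct = existing.get(upn)
        if acct is None:                            # entitled, no account yet
            plan.append(("POST", "/Users", {
                "schemas": [SCIM_USER], "userName": upn,
                "externalId": u["objectGUID"],
                "name": {"givenName": u["givenName"], "familyName": u["sn"]},
                "emails": [{"value": u["mail"], "primary": True}],
                "active": True}))
        elif not acct["active"]:                    # entitled, account disabled
            plan.append(("PATCH", "/Users/" + acct["id"], set_active(True)))
    for upn, acct in sorted(existing.items()):
        if upn not in entitled and acct["active"]:  # no longer entitled
            plan.append(("PATCH", "/Users/" + acct["id"], set_active(False)))
    return plan

if __name__ == "__main__":
    for method, path, body in plan_provisioning(DIRECTORY, APP_ACCOUNTS, CRM_GROUP):
        print(method, path, body)
```

The deactivation pass is the security-relevant half: an account whose owner has left the group or been disabled in the directory is switched off in the app rather than left active.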

Big Data, Compliance, and Reporting

Let's face it: Many companies aren't going to invest in a tool just because it makes life easier for corporate users. But, if there's a security benefit or if the solution can help satisfy compliance requirements, then that's a different story.

Consider a scenario in which an IT admin team has to not only manage users in several SaaS apps, but must also provide detailed reports containing usage information, user login history, security changes, and other potential audit factors. Trying to gather this sort of information from multiple different locations is going to be a significant task. The ideal solution to gather and provide these audit artifacts is to use an IDM solution that tracks each of these factors across multiple apps for you. Many of the offerings we've reviewed offer comprehensive reporting solutions that get into detail on authentication events, even down to details such as the user's location and what sort of device he or she used. Often, these reports can be exported to Microsoft Excel for further analysis in the event that you need to actually investigate or troubleshoot something rather than simply comply with an audit.

Some of the solutions we reviewed will even proactively monitor your identities' exposure to current security breaches, such as credentials for sale on the internet, or watch for things such as simultaneous logins from opposite ends of the globe. These solutions can use this sort of advanced analytics and machine learning to adjust the security score for your identities. This gives you the power to require increased authentication security such as MFA or use of a registered device.

Don't Let The Cloud Ex-SaaS-perate You

The potential for efficiency and functionality gains makes the adoption of SaaS apps inevitable for many businesses. But, without proper user and resource organization, a SaaS portfolio can quickly sprawl and degenerate into a chaotic mess. Understanding IDaaS solutions and what they can offer is a big first step toward gaining the full benefits and efficiencies of SaaS, rather than shifting your workload into managing users and permissions in half a dozen cloud apps scattered across the web. If SaaS is on your horizon (or already on your users' desktops in quickly growing numbers), then do yourself a favor and learn the pros and cons of cloud-based identities.

Featured Identity Management Software Reviews:

  • Microsoft Azure Active Directory Review

    $0.50 MSRP
    Microsoft's Azure Active Directory (AD) gets a leg up on its Identity-Management-as-a-Service (IDaaS) competition due to tight integration with Windows Server Active Directory and Office 365. Azure AD also offers the lowest entry-level pricing for handling multi-factor authentication, and offers advanced toolsets for managing identities and the cloud apps used by your organization.
  • Okta Identity Management Review

    $2.00 MSRP
    It's no surprise that Okta Identity Management is so well-respected in the Identity-Management-as-a-Service (IDaaS) arena. A features list that includes security policies that support MDM and geolocation and the ability to integrate multiple sources of identity data, all packaged in a solution that is relatively easy to use, makes Okta Identity Management one of the top IDaaS solutions on the market.
  • EmpowerID Review

    $1.70 MSRP
    EmpowerID offers a comprehensive Identity-Management-as-a-Service (IDaaS) solution both for managing identities online and within your existing corporate directory, but at a significant increase in both initial setup complexity and ongoing maintenance requirements.
  • OneLogin Review

    $2.00 MSRP
    OneLogin's free, entry-level pricing makes it a great choice for small businesses, and its robust directory integration features and mappings make it a strong option for the enterprise. Overall, OneLogin is one of our top choices in the Identity-Management-as-a-Service (IDaaS) space.
  • Optimal IdM Review

    $25000.00 MSRP
    Optimal IdM checks all the major boxes needed in an Identity-Management-as-a-Service (IDaaS) solution, but at a serious premium. With monthly costs easily running in the $25,000-$30,000 range, most businesses are going to compare the cost of Optimal IdM to competitors such as Microsoft Azure Active Directory and Okta Identity Management plus one or two full-time employees.
  • Bitium Review

    $2.00 MSRP
    Bitium is an interesting IDaaS product. However, innovative features like cost monitoring and bookmarks don't make up for lackluster core functionality, like Active Directory integration and limited multi-factor authentication support.
  • Centrify Identity Service Review

    $4.00 MSRP
    Centrify Identity Service allows corporations to leverage on-premises applications in their identity management suite, but may require extra work or business process adaptations in order to accommodate the user provisioning workflow.
  • Ping Identity PingOne Review

    $2.00 MSRP
    Ping Identity has been a major name in the Identity-Management-as-a-Service (IDaaS) arena for a number of years, but its PingOne solution is sorely behind the curve in some key categories. User provisioning into SaaS apps is the most glaring weak spot, though not a complete absence.
  • LastPass Enterprise Review

    $24.00 MSRP
    Overall, LastPass Enterprise is weak compared to the rest of our Identity-Management-as-a-Service (IDaaS) contenders, especially in staple areas such as Software-as-a-Service (SaaS) provisioning and the single sign-on (SSO) portal.
  • PortalGuard Review

    $455.00 MSRP
    Provisioning to Software-as-a-Service (SaaS) apps, a key component of modern Identity-Management-as-a-Service (IDaaS) solutions, is missing from current builds of PortalGuard. Pricing for large businesses is competitive and may make PortalGuard worth a look for enterprises that don't necessarily need SaaS provisioning from their IDaaS solution.
  • Identacor Review

    $1.00 MSRP
    Identacor is missing too many features for us to consider it a prime contender in the Identity-Management-as-a-Service (IDaaS) space. Dynamic groups are the most glaring omission, but a lack of options for multi-factor authentication and even support for third-party LDAP directories are other notable areas in need of work.
