As many enterprise decision makers would like to leverage the cloud as much and as quickly as possible, we must face the reality that we live in a world where most organizations will continue to have some applications and resources that require more capabilities than the cloud can offer them. So I believe we will continue to live in a world where our employees use a combination of cloud apps and enterprise-hosted applications – at least for the foreseeable future. As enterprises evaluate IDaaS offerings, it is important for them to keep this fact in mind.

There is good reason for people to want to benefit from the efficiencies that the cloud provides. But smart enterprises aren’t diving in blindly – instead they have criteria for whether a cloud approach is appropriate for a given application. Those enterprises recognize that there are certain types of applications that cannot be outsourced to the cloud. For example, enterprises are often reluctant to use a third-party service for applications that enable or implement some aspect of their competitive advantage. In some cases, an application isn’t cloud-delivered because it is already deployed locally and relies on legacy on-premises systems. In other cases the enterprise needs greater control over security, privacy and availability than a cloud provider is capable of delivering. I believe these are a few of the reasons that fully cloud-delivered IDaaS is predicted to capture only 20% of the overall IAM market by 2018, according to Gartner’s research note “Understanding Modern Federation Trends and their Influence on Identity and Access Architecture”, released earlier this year.

What this means is that enterprise identity infrastructure must be flexible enough to handle a number of different application deployment models as seamlessly as possible. We must make it easy for people to use a single login to reach all of their application resources from all of their devices.
If we don’t do that, we are missing an important opportunity to have control and visibility of application usage. If we don’t offer our lines of business a unified login across all of their applications – whether they are home-grown or cloud-delivered – we are implicitly encouraging them to build more ‘shadow IT’ by creating their own relationships with SaaS vendors independent of IT.

In this hybrid world – where our employees are using applications and portals that their company provides for them as well as applications that are provided by third parties (and approaches that combine the two) – we need an IAM capability that is delivered in a hybrid way: one that enables us to keep certain critical data and runtime processing within the physical control of our enterprise while still benefiting from cloud capabilities where it makes sense. For that to be possible, IAM capabilities should be delivered in such a way that the customer has the option to deploy them within their own network, at the customer’s hosting provider, or hosted by the IAM/IDaaS provider directly.

It should be noted that some capabilities are deployed on premises by IDaaS providers in almost all scenarios, because those IDaaS systems need to interact with existing on-premises systems – for example, to validate a password against Active Directory or to interact with a Windows Primary Domain Controller to enable SSO from the desktop to the web. So it’s not a question of whether there is an on-premises component as part of an IDaaS solution (there is), but rather a question of how much capability that on-premises component provides and how much work the customer has to do to maintain it. IDaaS vendors should offer on-premises deployment models that require as little customer administration as possible, delivering them as managed virtual devices.
This way vendors can provide the security and privacy associated with on-premises IAM deployment, while still providing the greatly reduced cost structure of a managed service.

In an upcoming blog entry I will take a deeper look at the individual components that make up an IAM solution (User Store, PDP, PEP, PAP) and some of the factors that influence whether it makes sense to run those components locally or in the cloud. Bottom line – it depends on the sensitivity of the applications you are providing to your employees and the privacy and security requirements of your enterprise. You will likely need a flexible IAM platform that enables you to move these workflows to and from the cloud for specific applications as your enterprise’s needs for scalability, security, and privacy evolve.

The post IDaaS in a Hybrid Computing World – Deployment Flexibility Required!! appeared first on Speaking of Security - The RSA Blog and Podcast.
