Identity and access management has matured significantly as SaaS applications have gained widespread adoption. However, there are still plenty of organizations with unmanaged user accounts in their SaaS apps -- and even places where sharing accounts and emailing passwords is the norm.
In 2019, identity-as-a-service (IDaaS) offerings are mature and readily available. Just like with enterprise mobility management, organizations that haven't yet adopted IDaaS could get immediate security and employee experience benefits by doing so.
Identity security risks can sneak up
Identity management issues can be hidden in many organizations. For years, on-premises apps simply relied on the Windows domain and Active Directory for identity. External web apps had a smaller role, or were adopted on an ad hoc basis, so they often went unmanaged. But, today, almost every company relies on external web and SaaS apps.
Companies that operate at enterprise scale or in highly regulated industries have generally already tackled identity management for SaaS apps out of necessity. And younger, born-in-the-cloud organizations often have an IDaaS offering as their directory from the beginning.
But, in many industries, there are swaths of midsize organizations that still haven't put together a comprehensive identity strategy. Sure, they may have federated user identities for major apps like CRM or file sync and share, but these are often time-intensive projects, using Microsoft Active Directory Federation Services or other legacy technologies.
Simply put, understanding identity management for SaaS apps can be a big leap. As a result, many other external web and SaaS apps don't get federated, and non-IT business departments and end users end up managing user accounts on an ad hoc basis.
Why it's time to move beyond ad hoc web app accounts
It's common knowledge that weak, stolen or misused credentials are a factor in a huge number of data breaches. The need for multifactor authentication (MFA) is preached constantly.
Without plans or tools for managing identity in web and SaaS apps, companies are putting themselves at risk. There's no way to enforce good password management or MFA, and it's hard to detect malicious activity or prevent users from falling for phishing attacks. Even seemingly low-stakes apps, such as social media management platforms, could cause large headaches if accounts are breached.
When credentials are shared via email, which is all too common in some organizations, there are all sorts of issues. MFA becomes impossible. Users may be running afoul of licensing agreements. Logins from multiple users in different locations may trip built-in security mechanisms or cause one user to kick out another. And removing access for one employee means emailing out a new password.
How identity as a service can help
As SaaS apps -- as well as SAML, a commonly used identity stand -- started to spread, IDaaS products sprang up to support them. Enterprises can choose freestanding vendors such as Okta or Ping Identity, or use IDaaS features bundled with other end-user computing products. Microsoft Office 365 and Google G Suite also come with IDaaS capabilities.
One of the central pillars of IDaaS products is they contain prevalidated integrations with many SaaS apps. This makes it much easier for IT departments to bring web and SaaS apps in the fold, because federation is no longer a huge project. IDaaS products also support user provisioning and deprovisioning and usually bundle in MFA options, as well.
Not only are there many security benefits, but the resulting single sign-on capabilities and reduction in the number of passwords that users need to remember means the employee experience is improved, as well. Furthermore, IT departments that embrace IDaaS will also set themselves up to be ready for future conditional access trends.