Identity and access management as a service is surging in importance thanks to the spread of cloud-based applications.
Older on-premises applications can easily integrate with Microsoft Active Directory, but cloud-based applications often have their own siloed directories. Provisioning and maintaining user accounts for these applications is a time-consuming task for IT. It's also a burden to users, who have to remember additional passwords for cloud-based desktop or mobile apps.
IT departments need better identity management and access capabilities, such as single sign-on (SSO) and federation, which allows users to access applications from multiple sources with one login.
Identity management also has major security implications. Sixty-three percent of data breaches involve using weak, default or stolen passwords, according to Verizon's "2016 Data Breach Investigations Report." Identity federation can reduce the exposure of passwords, and multifactor authentication can decrease the likelihood of hackers using weak, default or stolen passwords alone to breach enterprise systems.
What's new in ID management
Identity management benefits from several technology trends and innovations.
Security Assertion Markup Language (SAML) 2.0, a standard protocol that federates identity to cloud applications, is becoming more popular. On mobile devices, Apple's Safari View Controller and Google's Chrome Custom Tabs features, released in 2015, make it easier for native apps to implement SSO by sharing browser session states. In addition, mobile device management (MDM) protocols can help distribute security certificates, further reducing the need for users to enter passwords.
Identity management also enables automated account provisioning in cloud applications. It does so through the emerging System for Cross-domain Identity Management (SCIM) standard, through features in SAML 2.0, or through proprietary APIs and integrations. Automated provisioning eliminates time-consuming manual tasks for IT when deploying new cloud apps.
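To make the provisioning step concrete, here is an added example (not code from the article or from any IDaaS vendor) that reconciles a directory's user list against a cloud application's user list and emits SCIM 2.0-style operations. Both data sets and the field layout are constructed samples; the only identifiers taken from the real standard are the two SCIM schema URNs.

```python
"""Added example (not from the article): reconcile a directory's user list
against a cloud application's user list and emit SCIM 2.0-style operations.
The directory and application data below are constructed samples."""
from dataclasses import dataclass

# Schema identifiers defined by the SCIM 2.0 standard (RFC 7643 / RFC 7644).
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


@dataclass(frozen=True)
class DirUser:
    user_name: str
    email: str
    active: bool


# Constructed sample: what the on-premises directory says.
DIRECTORY = [
    DirUser("alice", "alice@example.com", True),
    DirUser("bob", "bob@example.com", False),     # disabled in the directory
    DirUser("carol", "carol@example.com", True),  # new hire, not yet in the app
]

# Constructed sample: what the cloud application currently holds, by userName.
CLOUD_APP = {
    "alice": {"id": "a1", "active": True},
    "bob": {"id": "b2", "active": True},   # still active in the app: stale access
    "dave": {"id": "d4", "active": True},  # no directory account at all: orphan
}


def deactivate_op(app_id):
    """SCIM PatchOp that flips a user's active flag to false."""
    return ("PATCH", f"/Users/{app_id}", {
        "schemas": [SCIM_PATCH],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    })


def reconcile(directory, app_users):
    """Return (method, path, body) tuples that bring the app in line with the
    directory: create active users the app lacks, deactivate users that are
    disabled in the directory, and deactivate app accounts with no directory
    owner. Nothing is deleted, so an accidental removal is reversible."""
    ops = []
    seen = set()
    for user in directory:
        seen.add(user.user_name)
        record = app_users.get(user.user_name)
        if record is None:
            if user.active:
                ops.append(("POST", "/Users", {
                    "schemas": [SCIM_USER],
                    "userName": user.user_name,
                    "emails": [{"value": user.email, "primary": True}],
                    "active": True,
                }))
        elif record["active"] and not user.active:
            ops.append(deactivate_op(record["id"]))
    # Orphans: accounts the application has but the directory does not.
    for name, record in app_users.items():
        if name not in seen and record["active"]:
            ops.append(deactivate_op(record["id"]))
    return ops


if __name__ == "__main__":
    for method, path, body in reconcile(DIRECTORY, CLOUD_APP):
        print(method, path, body)
```

The deprovisioning half is the part that matters for security: the stale account (bob) and the orphan (dave) are what a manual process tends to leave behind, and both are deactivated rather than deleted so a mistaken change can be undone.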
How IDaaS works
Identity and access management as a service (IDaaS) makes it easier for organizations to take advantage of these various identity technologies and recent innovations by offering identity management through a cloud service provider.
IDaaS vendors take care of validating standards-based federation and provisioning integrations with cloud application providers. When necessary, they build custom integrations as well. For applications that do not support federation standards, identity and access management as a service can save and automatically fill passwords. IDaaS products typically sync to existing on-premises Active Directory implementations, so there's no need for companies to replace their user databases. Only greenfield companies are likely to use entirely cloud-based directories.
For authentication, most IDaaS products support typical multifactor techniques such as text messages, mobile authenticator apps, one-time passwords and smart cards. Some IDaaS products can enable smart-card access on mobile devices by enrolling users' cards on desktops, creating derived credentials, and using MDM to push those credentials to devices in the form of a certificate.
Even though identity and access management as a service is oriented to cloud applications, many IDaaS products can control remote access to on-premises apps, too, often through a proxy. This approach enables IT to centrally apply policies for all applications.
IDaaS gets smarter
Many IDaaS platforms incorporate additional information sources that they can use to create access policies. For example, many IDaaS products now integrate with enterprise mobility management platforms. As a result, mobile access policies can take into account whether users' devices are enrolled in MDM and whether they comply with MDM policies.
IDaaS platforms can also use machine learning to look for anomalous user behavior patterns that may indicate compromised credentials, such as a spike in activity or logins from distant locations.
By taking all of these additional data sources into account, IDaaS platforms can provide what are known as conditional or contextual access policies. These policies can be smarter about when to perform certain actions, such as allowing or blocking access, asking users to reauthenticate, asking them to authenticate with a second factor or notifying administrators about violations.
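The following is an added example, not code from the article or from any IDaaS product, of a small contextual access policy of the kind just described: it combines the MDM enrollment and compliance signals with the two behavioral anomalies the text names (a spike in activity and logins from distant locations, checked here as impossible travel) and returns allow, step-up or block plus whether to notify administrators. The Context fields, the thresholds and the sample locations are assumptions.

```python
"""Added example (not from the article): a contextual access policy that
combines MDM signals with two behavioral anomaly checks, impossible travel
and a login spike. Thresholds and the Context fields are assumptions."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

# Constructed sample coordinates (latitude, longitude).
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)


@dataclass
class Context:
    user: str
    device_enrolled: bool       # from the EMM/MDM integration
    device_compliant: bool      # MDM policy compliance
    lat: float                  # geolocation of this login attempt
    lon: float
    ts: int                     # epoch seconds of this attempt
    logins_last_hour: int       # activity counter kept by the platform
    prev_lat: Optional[float] = None   # last successful login, if any
    prev_lon: Optional[float] = None
    prev_ts: Optional[int] = None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def evaluate(ctx: Context, max_speed_kmh: float = 900.0,
             spike_threshold: int = 20) -> Tuple[str, bool, List[str]]:
    """Return (decision, notify_admins, reasons).
    Decisions: ALLOW, STEP_UP (ask for a second factor) or BLOCK."""
    # Hard requirement: an unenrolled device never gets through.
    if not ctx.device_enrolled:
        return "BLOCK", False, ["device not enrolled in MDM"]
    reasons = []
    if not ctx.device_compliant:
        reasons.append("device out of MDM compliance")
    if ctx.prev_ts is not None:
        hours = max((ctx.ts - ctx.prev_ts) / 3600.0, 1.0 / 60)  # floor at 1 min
        km = haversine_km(ctx.prev_lat, ctx.prev_lon, ctx.lat, ctx.lon)
        if km / hours > max_speed_kmh:
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.2f} h")
    if ctx.logins_last_hour > spike_threshold:
        reasons.append(f"login spike: {ctx.logins_last_hour} in the last hour")
    # Device posture problems call for re-authentication; behavioral anomalies
    # are the ones that look like a stolen credential and deserve an alert.
    anomalies = [r for r in reasons if not r.startswith("device")]
    if len(anomalies) >= 2:
        return "BLOCK", True, reasons
    if reasons:
        return "STEP_UP", bool(anomalies), reasons
    return "ALLOW", False, reasons


if __name__ == "__main__":
    ctx = Context("alice", True, True, *NEW_YORK, ts=3600, logins_last_hour=2,
                  prev_lat=LONDON[0], prev_lon=LONDON[1], prev_ts=0)
    print(evaluate(ctx))
```

The ordering is deliberate: posture failures alone trigger a second factor, a single behavioral anomaly triggers a second factor and an alert, and two anomalies together block outright, which maps onto the four actions listed above (allow, block, reauthenticate, notify).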
Considerations for implementing IDaaS
Companies considering identity and access management as a service should look at the applications that different vendors support. Most IDaaS vendors publish catalogs with details about federation, mobile SSO and provisioning capabilities for each application.
Companies should also consider how to handle username and password authentication. Most organizations want users to be able to use their Active Directory passwords with IDaaS, too. Syncing a clear-text list of passwords directly to an IDaaS platform would be insecure. Instead, each password can be run through a one-way hashing algorithm, and the resulting hash, rather than the password itself, is what syncs to the IDaaS. Another option is to have the platform connect to an on-premises Active Directory Federation Services server to authenticate users.
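An added example, not code from the article or from any sync agent, of what the hash-sync option looks like on both ends: the on-premises side builds a record that carries a salted PBKDF2 hash of the password, and the IDaaS side verifies a login attempt by recomputing that hash and comparing in constant time. The record field names and the cost factor are assumptions.

```python
"""Added example (not from the article): the password sync problem. A
clear-text password never leaves the premises; the sync record carries a
salted one-way hash, and the IDaaS side verifies an attempt by recomputing
it. Record field names and the cost factor are assumptions."""
import base64
import hashlib
import hmac
import json
import os

ALG = "pbkdf2-sha256"
ITERATIONS = 600_000   # cost factor; raise as hardware allows


def make_sync_record(user_name: str, password: str,
                     iterations: int = ITERATIONS) -> dict:
    """Build what the on-premises sync agent would send: no password, only
    its salted PBKDF2 hash plus the parameters needed to recompute it."""
    salt = os.urandom(16)   # fresh per record, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {
        "userName": user_name,
        "alg": ALG,
        "iterations": iterations,
        "salt": base64.b64encode(salt).decode("ascii"),
        "hash": base64.b64encode(digest).decode("ascii"),
    }


def verify(record: dict, attempt: str) -> bool:
    """What the IDaaS side does at login: recompute and compare in constant
    time, so a wrong guess takes as long as a right one."""
    if record.get("alg") != ALG:
        return False
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["hash"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 salt, record["iterations"])
    return hmac.compare_digest(digest, expected)


def record_leaks_password(record: dict, password: str) -> bool:
    """Sanity check on the wire format: the clear-text password must not
    appear anywhere in the serialized record."""
    return password in json.dumps(record)


if __name__ == "__main__":
    rec = make_sync_record("alice", "correct horse battery staple")
    print(json.dumps(rec, indent=2))
    print(verify(rec, "correct horse battery staple"), verify(rec, "wrong"))
```

Even in this form the record is material an attacker could guess against offline if the IDaaS store were breached, which is the trade-off behind the second option in the text: pointing the platform at an on-premises Active Directory Federation Services server keeps the password verifier at home entirely.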
Since IDaaS is a natural integration point for many other services, it can enable digital workspaces that encompass all of a user's applications, devices and locations. The increasing prevalence of cloud applications, mobile devices and remote users will spur IDaaS adoption in the coming years. The result will be a better user experience, easier cloud application administration and better security -- a win for all parties.
This article originally appeared in the November/December issue of the Modern Mobility e-zine.