Thursday, July 23, 2009

IAM and SaaS/Cloud Computing

As we hit the mid-point of 2009, Corporate America has not yet rebounded from the recent tough economic environment. Shrinking budgets, tightened spending, resource cuts - Logic Trends has witnessed these same spending trends regardless of the type of industry. We believe these trends will likely continue into 2010. Therefore, creativity and flexibility are cornerstones of IT spending for the foreseeable future.

Interestingly enough, however, the requirements have not changed. Organizations must increase security, increase regulatory compliance, and optimize IT workloads – all with a smaller or more multipurpose IT staff. It is also important to understand that these challenges and requirements are common regardless of the size of the organization. In reality, it is even more important today to truly understand who has access to what and how to manage and report on that access effectively, but with increased fiscal constraints.

Let’s face it – deploying an IAM system, as it exists today, is costly and time consuming. Organizations need to invest in analysis and requirements-related work, vendor evaluations, proofs of concept, hardware and software spend, prototyping, development and integration services, internal resource training, and enterprise communications and marketing costs. Given the amount of required investment, IAM deployments rarely show high Return on Investment (ROI) until a number of years after the initial deployment. Logic Trends has developed its IAM5 Methodology for the purpose of being able to somewhat forecast and lessen the costs and risks associated with these deployments, but not even a mature methodology will offer enough immediate return for some organizations (especially small to medium-sized businesses).

This is where Software as a Service (SaaS) or Cloud Computing comes into play. These concepts haven’t become a reality in the IAM space specifically yet, but as the major IAM vendors look for new ways to grow business and offer IAM solutions to increasingly diverse clients, these concepts will become much more important. If you are not familiar with Cloud Computing or SaaS please view the following for more information:

http://csrc.nist.gov/groups/SNS/cloud-computing/

or

http://en.wikipedia.org/wiki/Cloud_computing


Where does IAM fit into the Cloud?

Simply put, IAM concepts fit very nicely into the cloud. Think about the basic components of any IAM deployment – first, you have the business processes that any technology-based solution must support, and second you have an application server, a web server, a database, and a user repository. In addition, there could be provisioning connectors, additional databases/data stores, multiple directory domains, target systems, and other third-party tools.

Now think about the basic components that could make up a “cloud”:

Storage networks
Servers
Zones/partitions
Load balancers
Network components
Technology Stack

The intriguing bullet on that list is the “Technology Stack”. The Technology Stack includes application servers, web servers, caches, databases, etc.: all the components necessary to deploy an IAM system internally today. One of the main benefits of deploying an application in that stack is that once the IAM software has been installed and the necessary development, configuration, and customization (including connectors) have taken place, the risks associated with availability, scalability, and maintenance are absorbed by the vendor managing the cloud. For organizations already on tight budgets, this could reduce the costs associated with storage, daily maintenance, and training administrators and end users.

Additionally, there is potential in separating the various modules that make up an IAM solution into individual SaaS solutions. One of the most commonly discussed modules is authentication. Authentication, especially web or enterprise SSO, remains one of the hardest IAM functionalities to deploy and manage properly. How would organizations respond if they could simply point toward the cloud, have users enter their credentials via whatever authentication service they use, have the secure token services layer handle any authentication conversion, and have the user granted access to whatever applications are managed in the cloud? Couple that with a federation model and the possibilities could be endless.

Finally, showing the cloud’s true potential and versatility, Joe McKendrick of ZDNet recently wrote an article about the cloud’s flexibility and introduced an interesting idea from George Ravich, Chief Marketing Officer of Fundtech – services, in general, could be offered like songs on iTunes. We can take it one step further with IAM. Although there would most likely be legal hurdles to overcome, a publicly available, iTunes-like program would allow various IAM vendors to offer IAM applications/modules for organizations to download and IAM workflows/frameworks/connectors for purchase and modification. Third-party integration firms and developers could offer their services and expertise, and a community could be established for organizations to discuss product improvements and challenges.


Deploying an IAM solution in the cloud conceptually makes sense from both a technical and business perspective. Its benefits are many, the technology already exists for other industries, and in the current economic climate the demand is present. However, we are still some time away from rapid adoption. There are still some risks that need to be overcome by both the consumer organization and the service providers – how to overcome the issue of data localization, how to restructure licenses, how to design their own architecture to be flexible enough, how to provide privacy, governance, and assurance in the cloud, and the legalities and how-to’s related to managing third-party tools, all of which are rather large hurdles.

Despite the challenges, IAM as a SaaS/cloud offering is definitely on the horizon, as we’re already seeing glimpses of progress. Hitachi ID Systems recently launched an outsourced IdM Administrator service offering for its password management product (Password Manager), Sun and Oracle are authoring white papers involving cloud computing/SaaS and its possibilities, and with the focus Microsoft has been putting on its cloud computing offering called Azure Services Platform (which allows an organization’s applications to be hosted and new applications to be built in various languages), the future for IAM will soon be the present.

Come back for the next blog where we will dive into the technical side of common use cases that could be supported by IAM in the cloud.
