I remember when Azure Active Directory was first coming out a few years back; if you can recall the days of Access Control Service (ACS), you would agree that things are drastically different in today's Azure AD. And with the rapid growth of cloud adoption by both established businesses and those born in the cloud, the adoption of Identity as a Service (IDaaS) seems to be gaining momentum.
So I would think that forward-thinking businesses would start to include the adoption of a secure and scalable IDaaS such as Azure AD or the like in their roadmap, and that is indeed the case for the most part. However, once in a while I hear a comment that adopting an outside identity management strategy would somehow 'couple' the organization or application solution to an IDaaS provider. I can somewhat agree with those concerns to an extent, as it really depends on how things are implemented. In any case, given that many businesses out there use legacy Active Directory internally to secure their environments, and many internal applications depend on it, I would say that all IDaaS providers worth their name can securely extend an organization's Active Directory into the cloud and provide value right out of the gate. Thus, implementing an IDaaS solution should actually be viewed as a highly integrated strategy that enhances and complements existing investments such as an on-premises Active Directory.
There are many options out there when it comes to choosing an IDaaS provider, and due diligence is required when choosing one, but regardless of which one an organization chooses I think there are a few reasons why leveraging an IDaaS is a good option:
Cloud Availability: If an organization wants its business to survive and thrive in the years to come, then having a strategy for extending its reach into the cloud is imperative. According to this older article from Gartner, the majority of IT expenditure would involve cloud by 2016. Fast forward to 2017 and it seems that hybrid cloud is the new predicted trend. Nevertheless, the truth is that cloud (in some shape or form) is here to stay, and an organization should have a strategy in place for shifting on-premises identity management into a cloud-ready environment that supports hybrid applications that may be hosted privately but exposed through the public cloud.
Internal Directory Integration: Terms like Single Sign-On (SSO) are becoming ubiquitous among users. As internal applications are migrated into the cloud, users expect to be able to access the same applications from any device outside the corporate firewall. How will an organization secure such applications? Having a single account that IT controls in Active Directory is a good option, one that allows immediate termination of access when an individual leaves the organization and is no longer allowed to use those applications. IDaaS providers possess the means to manage users' accounts and permissions to applications from a central location that spans beyond the limits of the corporate firewall. One caveat: termination is only as immediate as the application's session handling. An application that accepts a long-lived token without checking back with the identity provider will keep honouring that token until it expires, so keep token lifetimes short and make sure applications respect sign-out and revocation.
Monitoring: Knowing who has access to an organization's resources, and when those resources were accessed, is important for identifying abnormal user behaviour. IDaaS providers can log all of these activities and analyse trends that may present a security risk. This is not a silver bullet; however, knowing where your baseline for normal user behaviour lies is a start.
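As an added example (not code from the original post or from any IDaaS provider), the Python below learns each user's normal countries and hours of day from a constructed sign-in history, then flags deviations on a review day: a success from a country not in the user's baseline, a success at an hour never seen before, a burst of failures, a success immediately after such a burst, and two successes from different countries within an hour. The five-field record layout, the user names and the thresholds are all assumptions; a real deployment would read the identity provider's sign-in export and tune the thresholds against its own data.

```python
"""Baseline-and-deviation checks over constructed IdP sign-in log lines.

Added example, not code from the original post or any IDaaS provider.
Record layout (user, UTC time, country, application, result) loosely
mirrors an IdP sign-in export; every row below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                   # failures per user inside FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=10)
TRAVEL_WINDOW = timedelta(hours=1)   # two countries this close = impossible travel
MIN_BASELINE = 5                     # fewer baseline sign-ins: don't judge "unusual"

# Constructed history used to learn each user's normal countries and hours.
BASELINE_LOG = [
    "alice,2017-01-02T08:05:00,NL,crm,success",
    "alice,2017-01-02T09:40:00,NL,crm,success",
    "alice,2017-01-02T10:30:00,NL,mail,success",
    "alice,2017-01-03T13:10:00,NL,crm,success",
    "alice,2017-01-03T16:00:00,NL,mail,success",
    "alice,2017-01-03T17:20:00,NL,crm,success",
    "bob,2017-01-02T14:00:00,US,crm,success",
    "bob,2017-01-02T15:30:00,US,mail,success",
    "bob,2017-01-03T18:00:00,US,crm,success",
    "bob,2017-01-03T20:15:00,US,crm,success",
    "bob,2017-01-04T22:45:00,US,mail,success",
]

# Constructed day under review: carol has no history, bob "travels" to BR in
# 30 minutes, alice sees a password-guessing burst from RU that then succeeds.
REVIEW_LOG = [
    "alice,2017-01-09T09:15:00,NL,crm,success",
    "carol,2017-01-09T11:00:00,DE,crm,success",
    "bob,2017-01-09T15:00:00,US,crm,success",
    "bob,2017-01-09T15:30:00,BR,mail,success",
    "alice,2017-01-09T22:00:00,RU,mail,failure",
    "alice,2017-01-09T22:01:00,RU,mail,failure",
    "alice,2017-01-09T22:02:00,RU,mail,failure",
    "alice,2017-01-09T22:03:00,RU,mail,failure",
    "alice,2017-01-09T22:04:00,RU,mail,failure",
    "alice,2017-01-09T22:05:00,RU,mail,success",
]


def parse(rows):
    """Turn 'user,time,country,app,result' lines into dicts sorted by time."""
    events = []
    for line in rows:
        user, ts, country, app, result = line.split(",")
        events.append({"user": user, "time": datetime.fromisoformat(ts),
                       "country": country, "app": app, "result": result})
    return sorted(events, key=lambda e: e["time"])


def build_baseline(events):
    """Per user: countries and hours of day seen on successful sign-ins."""
    base = defaultdict(lambda: {"countries": set(), "hours": set(), "n": 0})
    for e in events:
        if e["result"] == "success":
            b = base[e["user"]]
            b["countries"].add(e["country"])
            b["hours"].add(e["time"].hour)
            b["n"] += 1
    return dict(base)


def detect(baseline, events):
    """Return (user, time, kind) alerts for deviations from the baseline."""
    alerts = []
    fails = defaultdict(list)   # user -> failure timestamps still in window
    last_ok = {}                # user -> last successful event
    for e in events:
        u, t = e["user"], e["time"]
        window = [x for x in fails[u] if t - x <= FAIL_WINDOW]
        if e["result"] != "success":
            window.append(t)
            fails[u] = window
            if len(window) == FAIL_THRESHOLD:
                alerts.append((u, t, "failure_burst"))
            continue
        b = baseline.get(u)
        if b is None or b["n"] < MIN_BASELINE:
            alerts.append((u, t, "no_baseline"))
        else:
            if e["country"] not in b["countries"]:
                alerts.append((u, t, "new_country"))
            if t.hour not in b["hours"]:
                alerts.append((u, t, "unusual_hour"))
        if len(window) >= FAIL_THRESHOLD:
            alerts.append((u, t, "success_after_failure_burst"))
        fails[u] = []           # a success closes the failure window
        prev = last_ok.get(u)
        if prev and prev["country"] != e["country"] and t - prev["time"] <= TRAVEL_WINDOW:
            alerts.append((u, t, "impossible_travel"))
        last_ok[u] = e
    return alerts


def run_demo():
    """Learn from BASELINE_LOG, then review REVIEW_LOG."""
    return detect(build_baseline(parse(BASELINE_LOG)), parse(REVIEW_LOG))


if __name__ == "__main__":
    for user, when, kind in run_demo():
        print(f"{when.isoformat()} {user:6} {kind}")
```

The point of `MIN_BASELINE` is the caveat from the paragraph above: without enough history a "new country" is not a deviation, just a user you have not profiled yet, so the code emits `no_baseline` rather than pretending to know what normal looks like.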
Federation: The advantages of leveraging an IDaaS provider go far beyond new capabilities such as the cloud and SSO. In fact, utilizing a well-established IDaaS gives an organization the ability to federate its security with that of other organizations or prospective clients. Small organizations with a high growth trajectory will sooner or later want to land bigger clients in order to increase revenue. This brings its own set of challenges, as bigger clients have greater demands, especially around security. For more information about this topic, I recommend reading the excellent article by Auth0 about the ins and outs of the sales cycle of enterprise federation.
Security: Evidently one would expect that any access to an organization's resources or applications would be... well... secure! However, like many things in life, this is easier said than done, especially when it comes to home-grown solutions that, when scrutinized under a bright light, may not be as secure as one would like. The alternative to using a secure and specialized IDaaS is that well-intended developers end up building custom sign-in solutions into their applications that are not as secure as they should be, leaving an organization's data and assets vulnerable to cyber attacks.
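To make "not as secure as they should be" concrete, here is an added example (not code from the original post) of the credential check a well-intended developer typically writes, beside a hardened version of the same check. The weak form stores an unsalted MD5 and compares with `==`; the hardened form uses a per-user random salt, PBKDF2-HMAC-SHA256 with a high work factor, and a constant-time comparison. The user names, passwords, wordlist and iteration count are constructed for illustration, and the post's real recommendation stands: delegate sign-in to an identity provider rather than keep either of these in your application.

```python
"""A home-grown credential check beside a hardened one.

Added example, not code from the original post. All passwords, the wordlist
and the work factor are constructed for illustration.
"""
import hashlib
import hmac
import os

# --- Typical home-grown version -------------------------------------------
def weak_store(password):
    """Unsalted MD5: identical passwords give identical records for every
    user, and the whole table can be cracked offline with a wordlist."""
    return hashlib.md5(password.encode()).hexdigest()


def weak_verify(stored, password):
    """`==` stops at the first differing byte, leaking timing information."""
    return stored == weak_store(password)


def crack_weak(stored, wordlist):
    """What an attacker does with a leaked weak table: one MD5 per guess."""
    for guess in wordlist:
        if weak_store(guess) == stored:
            return guess
    return None


# --- Hardened version -----------------------------------------------------
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (constructed choice)


def hardened_store(password):
    """Per-user random salt, slow key derivation, self-describing record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def hardened_verify(stored, password):
    """Re-derive with the stored salt/iterations and compare in constant time."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def same_password_same_record(store):
    """True if two users sharing a password end up with identical records."""
    return store("hunter2") == store("hunter2")


if __name__ == "__main__":
    leaked = weak_store("hunter2")
    print("weak record cracked:", crack_weak(leaked, ["password", "hunter2"]))
    record = hardened_store("correct horse")
    print("hardened verify:", hardened_verify(record, "correct horse"),
          hardened_verify(record, "Correct horse"))
```

The salt is what makes the two stored records for the same password differ, and the iteration count is what turns a wordlist pass from milliseconds into hours; `hmac.compare_digest` removes the byte-by-byte timing difference that a plain `==` exposes.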
Security is hard; you have heard this many times before, I am sure, but it hits home even more when falling giants such as Yahoo disclose yet a third attack on their security infrastructure. Therefore, the question on every security-conscious engineer's and CSO's mind should be: are we secure? It is imperative that organizations consider their identity management strategy carefully and weigh the trade-offs of implementing a specific IDaaS, because this becomes the secure foundation for everything that an organization builds, whether it stays fully in the cloud or adopts a hybrid cloud paradigm.
Until next time, stay secure.