Lost in the Cloud: A Useful Checklist for Identity Management and IDaaS Integration

Leonel Navarro

Identity management problems arose nearly a decade ago when organizations began to increase the number of business processes automated through web applications and integrate more systems into daily operations. This situation provoked a new challenge: How should you keep access control lists up-to-date when users are given multiple usernames and passwords? Even worse, if an employee leaves the company, how do you coordinate with HR departments to have IT teams disable access to their applications?

Today, with the evolution of technologies and the increased use of cloud-based applications, organizations face the same challenges in finding an effective way to perform user identity management. Though the environment has evolved, the nature of the problem persists: Identity management is time-consuming, expensive and difficult.

In addition, new challenges have arisen: ensuring employees receive explicit approval from IT departments when using cloud-based applications, and integrating on-premise Identity Management solutions for legacy applications with cloud-based applications on IDaaS platforms. Fulfilling regulatory requirements, such as SoX, that require evidence of user provisioning and de-provisioning is also important, as is managing the complexity of provisioning and de-provisioning user access in a time-effective way. Furthermore, one must be aware that the diverse authentication and authorization mechanisms within SaaS applications may reduce or increase the organization’s exposure to risk.

Identity management-as-a-service (IDaaS) solves an organization’s main challenges around installing and maintaining an Identity Access Management solution, including deployment, customization, system patching and updates, and specialized resources, along with the challenges indirectly associated with them, i.e., infrastructure procurement and resource attrition. In addition, IDaaS allows organizations to consistently enforce policies and compliance requirements, preserve and extend existing identity management investments, and improve their security posture, while minimizing daily administration time and reducing overall cost.

It is important to avoid confusing IDaaS with cloud-based SSO, however. Cloud-based single sign-on enables the creation of one single username and password that, once authenticated by the identity provider, serves to access other applications without requiring a second login. In contrast, IDaaS may integrate different functions, including SSO, directory integration, multi-factor authentication, password vaulting, user provisioning, and reporting.

With so many IDaaS solutions out there, organizations struggle to select a provider that will meet their needs without adding risk to operations. To help with this process, try dividing the selection criteria into three phases: business-driven, IDaaS solution-driven, and IDaaS provider-driven.

From a business perspective:

  • Identify your current overall IAM program status; focus on costs, resources, and time allocated.
  • Identify all regulatory requirements needed to properly align to your industry, and if possible, identify your current level of compliance.
  • Update the list of applications to include those that are critical to your operation.
  • Identify the SaaS applications already used by your employees, as well as the type of information they host.
  • Identify your SaaS strategy and/or work with your internal IT teams to set a baseline.
  • Based on the information gathered, define a business posture and long-term strategy around SaaS applications and also your IAM requirements.

From a solutions perspective:

  • Based on your current overall IAM program status, identify the technology stack involved in your IDM platform’s implementation and all applications connecting to it.
  • Evaluate the IDaaS solutions that integrate smoothly into your existing IDM technology stack.
  • Evaluate the amount of time required to deploy, the time it will take the application to become fully functional, the procedures for data protection and password management, the effort required to move off the application and, finally, the monthly service cost.

From an IDaaS provider's perspective:

  • Ask your provider to share their vision and roadmap for the company and IDaaS solution.
  • Be sure you are aware of any major changes the company is planning in the future and that such changes align with your strategic plans.
  • Request your IDaaS provider's information security policy and procedures to ensure your data will be protected from physical controls. Implement corresponding HR policies.
  • Ask your provider to provide an overview of disaster recovery plans.

As the market matures and the cloud environment becomes more regulated, keeping the above checklist top of mind will go a long way to ensure your identity management platform runs as smoothly as possible. Good luck!

Leonel Navarro is Practice Manager & Business leader for Softtek Information Security Practice. He is a certified project management professional (PMP) and a certified information systems security professional (CISSP). Navarro’s ten years of experience in IT operations with teams based in Mexico, the United States, and China, combined with critical customer-facing positions he has held, enable him to perform the overall coordination of the Sales, Marketing, Product Management and Strategic Alliances strategy for Softtek’s Information Security Service offering while overseeing the delivery of those services with existing clients. Leo holds a Bachelor in Electrical Engineering & Computer Architecture from ITESM.

May 7, 2013 5:11 AM Lucy says:
Great post. I came across this useful paper on cloud risks and security, "Cloud risks Striking a balance between savings and security": http://bit.ly/ZFPu1l. Readers might also find it very useful.
May 30, 2013 2:06 PM Gerardo says:
I'm leading a "User Access Management" project for a large corporation, and moving to an IDaaS solution looks imminent. Articles of this kind are very well-timed for what we should foresee in our near future in terms of security strategies, before the Cloud "covers" us completely. Quite useful information!
