Digital identity is a critical business-enabling technology for Small to Mid-Size Businesses (SMBs). However, as is borne out by cybercrime reports year-after-year, digital identity is also a primary vector through which SMBs are attacked. Many SMBs lack a fully staffed IT department to handle the complexities of deploying, maintaining, and securing IAM solutions. This is a factor fueling the growth of Identity-as-a-Service (IDaaS) solutions.
The risks of not having well-maintained and secure IAM solutions within SMBs can be great, ranging from lower productivity associated with password resets and incorrect entitlements; loss of data such as employee and customer PII; loss of trade secrets and other valuable business information; diminished revenue from reputation damage and fraud; to unwittingly becoming a vector of attack to other members in a supply chain. Many managers and owners within SMBs naively assume that they are too small to be attacked by malicious actors, but cybercrime studies show that SMBs are increasingly targeted because of the perception that they are less secure than larger organizations.
SMBs can have a variety of use cases and technical requirements they need to meet with IAM. Regarding use cases, everyone needs B2E IAM, many need B2B, and some need B2C. Consider B2E, where some may have Microsoft Active Directory in place. Many organizations also utilize various cloud-based SaaS applications, but do not have the IAM functions centralized or even under control. They are often lacking productivity-enhancing Single Sign-On (SSO) capabilities.
A sometimes-overlooked capability is that IAM systems can aid in regulatory compliance. Under the General Data Protection Regulation (GDPR) in the EU, collecting clear and unambiguous consent from consumers for the use of their data is necessary for compliance. The California Consumer Privacy Act will take effect in January 2020, which requires that organizations doing business in California to provide interfaces for consumers to allow/dis-allow sales of their private information. Well-designed IAM solutions can enforce and help demonstrate compliance with regulations that require segregation of duties and access certification, such as Sarbanes-Oxley (SOX) in the US.
With the advent of cloud and adoption of robust identity standards, IDaaS solutions have begun to proliferate and appeal to businesses of all kinds, especially SMBs. There are three major categories of functions provided by IDaaS vendors:
Identity Administration: The ability to administer identity lifecycle events including provisioning/de-provisioning of user accounts, maintaining identity repositories, managing access entitlements, and synchronization of user attributes. A self-service user interface allows for requesting access, profile management, password reset, and synchronization. Configurable cloud-native connectors offer automated user provisioning to both on-premises as well as SaaS applications. Other common identity administration capabilities include administrative web interface, batch import interface, delegated administration, SPML, and SCIM support.
Access Management: This category includes authentication, authorization, single sign-on and identity federation for both on-premises and SaaS applications delivered as a cloud service. The underlying support for industry standards such as SAML, OAuth, and OpenID Connect can vary but are largely present in most IDaaS offerings. API security and web access management gateways are fast becoming a differentiator for IDaaS vendors looking to offer competitive access management capabilities and so is social identity integration – which now represents a basic qualifier for consumer access use-cases.
Access Governance: This group of capabilities that are often absent from the portfolio of most IDaaS vendors, partly due to architectural limitations and partly due to ownership issues. While many organizations still prefer to keep access governance on-premises for better control and auditing purposes, others are moving it to the cloud for ease of integration and better time-to-value as their SaaS portfolio continues to grow.
Simeio Solutions, headquartered in Atlanta, GA, has been providing managed IAM services for clients since 2007. Simeio has 6 offices and 4 Security Operations Centers around the world. By leveraging their experience with customers, they have created a full-featured IDaaS solution that they offer to enterprises as well as SMBs. As of early 2019, they manage more than 150 million user identities.