Google's Cloud Identity
Identity as a Service (IDaaS) is fast becoming the new face of Identity and Access Management (IAM) with several vendors now delivering cloud based IAM services to support the growth in cloud-based applications in the enterprise. Google’s Cloud Identity provides access to many popular cloud applications and offers some endpoint management features.
IDaaS is one of the fastest growing market segments of IAM characterized by cloud-based delivery of traditional IAM services. The market, driven largely by web-centric use-cases in its early days, now offers full-fledged delivery of IAM capabilities irrespective of application delivery models. The IDaaS market has registered significant growth over the last few years primarily driven by the need of organizations to achieve better time-to-value proposition over on-premises IAM deployments. IDaaS solutions offer cloud-ready integrations to extend an organization’s IAM controls to meet the security requirements of their growing SaaS portfolio.
IDaaS vendors have originated from distinct backgrounds and therefore their abilities to support the primary IDaaS use-cases vary significantly. Most of the IDaaS vendors come from distinct backgrounds including:
- Access Management vendors that offered broader IAM capabilities required for large IAM implementations but could not easily extend these functions to support rapidly emerging cloud and consumer access use-cases.
- IGA vendors that traditionally offered support for identity administration and access governance on-premises, but neither could extend these capabilities to applications in cloud, nor could support access management beyond basic authentication and authorization
- Traditional SSO vendors that have evolved over time to support web and cloud access use-cases but are deficient on common Identity Governance and Administration (IGA) functions required by most organizations for basic IAM implementation
IDaaS market consolidates access management functions with few IGA and Access Governance capabilities thrown in – all delivered and managed as a service. Today, all IDaaS vendors predominantly deliver a cloud-based service in a multitenant or dedicatedly hosted fashion to serve the common IAM requirements of an organization’s hybrid IT environment.
The IAM capabilities served by most IDaaS vendors can be grouped largely in three categories:
Identity Administration: This represents the group of capabilities required by organizations to administer identity lifecycle events including provision/ de-provision of user accounts, maintaining identity repository, managing access entitlements and synchronization of user attributes across the heterogenous IT environment. A self-service user interface allows for requesting access, profile management, password reset and synchronization. Configurable cloud-native connectors offer automated user provisioning to both on-premises as well as SaaS applications. Other common identity administration capabilities include administrative web interface, batch import interface, delegated administration, SPML and SCIM support.
Access Management: This refers to the group of capabilities targeted at supporting access management requirements of organizations ranging from authentication, authorization, single sign-on and identity federation for both on-premises and SaaS applications delivered as a cloud service. The underlying support for industry standards such as SAML, OAuth and OpenID Connect can vary but are largely present in most IDaaS offerings. API security and web access management gateways are fast becoming a differentiator for IDaaS vendors looking to offer competitive access management capabilities and so is social identity integration – which now represents a basic qualifier for consumer access use-cases.
Access Governance: Access governance represents the group of capabilities that are least mature and largely absent from the portfolio of most IDaaS vendors, partly due to architectural limitations and partly due to ownership issues. While many organizations still prefer to keep access governance on-premises for better control and auditing purposes, several others are moving it to the cloud for ease of integration and better time to value as their SaaS portfolio continues to grow. IDaaS vendors may have some serious limitations in how they could support integration with legacy on-prem systems for common access governance capabilities such as auditing and reporting, and so it is important for IAM leaders to ensure they assess their access governance requirements aligned with their IAM vision before starting to evaluate IDaaS vendors for their access governance capabilities.
The IDaaS market has evolved over the past few years and is still growing, both in size and in the number of vendors. However, under the umbrella term of IDaaS, we find a variety of offerings. IDaaS in general provides Identity & Access Management and Access Governance capabilities as a service, ranging from Single Sign-On to full Identity Provisioning and Access Governance for both on-premise and cloud solutions. These solutions also vary in their support for different groups of users - such as employees, business partners, and customers - their support for mobile users, and their integration capabilities back to on-premise environments.