Identity as a Managed Service
Given the desire for streamlined, more cost-effective identity management solutions, it should come as no surprise that outsourced identity management and the emergence of identity as a service (IaaS) are hot topics within the identity management community. Olden says, "The costs associated with identity management make it probably one of the best things to do as a service. When you outsource, you save on the account management side, but there are also savings associated with servers, data centers, accounting, and system integration."
The Forrester forecast notes that existing vendors in the identity management space such as Oracle Corp./Wipro, Ltd.; Covisint, a subsidiary of Compuware Corp.; and Mycroft are offering small and medium-sized businesses outsourced identity management services and, in some cases, the establishment of networks of trust. TriCipher, Inc. and Arcot Systems, Inc. are among newer market entrants who are building off-site, multitenant managed verification services designed to be low-cost and scalable.
These vendors seek to reduce the complications in implementing identity management solutions that may have put off all but the largest enterprises. In its announcement of the Oracle/Wipro solution, which pairs Oracle’s identity and access management functionality with service and management from Wipro, Hasan Rizvi, VP of identity and security products at Oracle, said, "Heightened compliance and security regulations make identity and access management a critical component of today’s enterprise. However, many organizations lack the resources to deploy and manage a comprehensive identity management infrastructure."
The escalating growth of SaaS, or cloud services, in the enterprise has also opened the door wide for IaaS solutions. A December 2008 Gartner survey found that 90% of 258 respondents expect to maintain or grow usage of SaaS in 2009, with 60% of North American respondents indicating that they had already adopted it within the past 3 years. That overall adoption rate means that companies who might never have considered releasing identity data into the cloud 3 years ago are now gaining a level of reassurance regarding security and accessibility possibilities within cloud architectures.
Symplified’s Olden has seen increased interest in migrating identity services to the cloud, but not for the obvious reason of cost. "The early days of IaaS were driven by cost. But now as more companies are using SaaS models for their business applications, it has created additional identity management silos and headaches. Putting identity services into the cloud lets you integrate in a different way," says Olden, noting that IaaS solutions are generally built to handle the collaborative ways in which enterprises work in a Web 2.0 world.
Olden also points out that since IaaS components can generally be preintegrated with leading SaaS providers such as Salesforce.com and Netsuite, it’s much faster for clients to implement via the cloud than they might on their own. "We get calls from Fortune 500 companies who are interested in our solution not because it’s cheaper, but because it’s less complicated for them than implementing their own integrated identity management solution."
Still, not every enterprise is embracing IaaS, and a primary reason is ongoing security concerns. Enterprises are understandably nervous about how employee data might be handled outside their own firewall architecture, and since an enterprise’s identity management schema may encompass data on contractors and even customers who have legitimate cause to access the enterprise’s information systems, the risk seems exponentially higher.
In December 2008, Finjan, Inc., a provider of secure web gateway solutions for the enterprise market, released its 2009 cybercrime predictions based on findings by its Malicious Code Research Center (MCRC). Expectations include a continued rise in cybercrime, with an increasing number of unemployed IT professionals joining in; cybercriminals exploiting the Obama administration’s plan to widen broadband internet access to citizens; and cybercriminals continuing to leverage Web 2.0 techniques and services, with a focus on Trojan technologies.
So while the threat seems dire, the truth is that the horse is already out of the barn. Jim Hietala, VP of security for The Open Group, a vendor- and technology-neutral consortium working toward open standards and global interoperability, says, "As SaaS takes off, enterprise IT managers have to think about the information that is already residing outside the firewall, for instance in a Salesforce.com application. The question doesn’t become whether but how do I manage identity information that lives outside of the organization’s control?" Managing that information means showing auditors that data is in compliance, wherever it resides.
Olden concurs that, in time, the bifurcation between "inside" and "outside" the firewall will fade away. Going back to the king analogy, he says, "It’s like a castle fortress surrounded by a wall. If the king breaks a hole in the wall to use Salesforce.com, and then breaks another hole in the wall to access a CRM system … pretty soon you can’t really call it a wall anymore." With a proliferation of employees relying on mobile devices to do their jobs, enterprise walls are already letting through a lot of daylight.
CoreStreet’s Vancollie says that enterprises need to be convinced of three things before they will be comfortable with the idea of putting identity management outside the firewall. "A clear cost/benefit is first, because that makes them pay attention," he says. But backing that with a solid service level agreement (SLA) is a nonnegotiable aspect of building trust. "Then, the customer needs to know that they will have access and visibility; they will not settle for a black-box application. Enterprises want to be able to see their data and understand easily how it’s been accessed, and by whom." With those assurances in place, Vancollie says, the enterprise IT manager can focus on setting identity management policy and monitoring the effectiveness with which a vendor delivers it.