IDaaS explained: How it compares to IAM

Cloud-based identity as a service offers cost, scalability, and other advantages, but it also comes with its own risks.

A vast network of identity avatars. [identity management]
Dem10 / Getty Images

It is often said that identity is the new perimeter in the world of cloud-native ecosystems and zero trust. Identity is inarguably at the center of everything we do in modern systems and it is key to facilitating zero trust architectures and proper access control. That said, running identity and access management (IAM) at scale can be a daunting task, which is why more organizations are adopting identity-as-a-service (IDaaS) solutions.

IDaaS has its pros and cons, but first let’s clarify what IDaaS is.

What is IDaaS?

IDaaS is a cloud-based consumption model for IAM. Much like everything else in today’s modern technology ecosystem, IAM can be offered as a service. While there are some exceptions, IDaaS is typically delivered via the cloud and can be offered as a multitenant offering or dedicated delivery model depending on the organizational requirements and the capabilities of the provider in question.

Gartner predicted by the end of 2022 40% of mid-sized and large organizations will have adopted an IDaaS offering in place of traditional IAM. Several factors are contributing to the growth, such as continued cloud adoption, the remote workforce, and organizations realizing they can consume IAM rather than host and solely manage it, freeing up time to focus more on their core competencies of delivering value to customers.

IDaaS benefits

Some of the pros associated with IDaaS offerings include the ability to consume rather than host IAM and offloading some of the management overhead associated with IAM to an external provider. Other benefits include feature-rich offerings that make your IAM implementations more robust and secure in many cases. Most IDaaS providers offer native and integrated capabilities such as single sign-on (SSO) and multi-factor authentication (MFA).

IDaaS providers also pride themselves on being cloud-native and by nature more easily integrating with robust cloud ecosystems. This means using protocols such as OIDC and SAML to integrate with the organization's likely sprawling portfolio of SaaS applications to ensure a unified identity solution and enterprise wide IAM governance. Even organizations as complex and massive as the federal government have released entire playbooks and guides to help federal agencies government contractors align their IAM services with a cloud operating model, with IDaaS being at the center of the playbook.

cso onprem identity providers table Foundry

The above table from the previously mentioned federal playbook does an excellent job of summarizing some of the key differences between legacy IAM solutions and IDaaS. Much like cloud more broadly, cloud-enabled IDaaS offers many of the same key benefits. Organizations no longer need to be constrained by their ability to scale their IAM infrastructure since it is being consumed and is elastic.

Organizations can be billed based on consumption and they’ve offered the requirement to physically own and host the IAM infrastructure since it is hosted by the service provider. Organizations also no longer need to physically provision and manage the fault tolerance of their IAM infrastructure since the IDaaS providers offer globally available infrastructure that can be fault tolerant and enable organizations to meet their disaster recovery and business continuity (DR/BC) goals, at a likely much lower price point.

IDaaS cons and considerations

IDaaS isn’t all sunshine and rainbows though, and organizations much account for some major considerations when evaluating it. If identity is truly the new perimeter, adopting IDaaS gives some level of control of your perimeter to an IDaaS service provider. This is similar to the shared responsibility model concept in cloud computing but extended further up the stack from not just infrastructure but to critical things such as identities, permissions, and access control.

Some of the benefits cited in the above table can now potentially be a vice or point of contention depending on your organizational requirements and security sensitivity. Since you are consuming the application and system associated with IAM, you now are limited to the permissions the providers offering includes and likely have limited ability to alter the way the offering functions. This is due to the reality that the IDaaS provider offers their interface/application to many customers and can only have so much customization without losing the ability to have a standardized offering. On the measured service front, you might run into surprise charges due to poor or naive choices from your administrators that could exceed your originally planned budget.

Those concerns aside, some of the biggest security concerns come from the resource pooling and broad network access aspects of IDaaS. Depending on the nature of your line of work, the idea of having a shared tenancy with other customers can be concerning, since a security incident in one of their logical environments could potentially provide lateral access to your environment and by consequence your entire IT ecosystem.

The globally available nature of IDaaS is a compelling benefit, especially given how expensive it would be to provide that level of fault tolerance yourself. That said, there are also regulatory requirements to keep in mind. Some organizations are restricted geographically with regards to where they can have their systems/data, such as GDPR or national security if you’re working on, for example, the Department of Defense (DoD) front. You might be able to work with the IDaaS provider to ensure your data stays within a specific region, but it is certainly a topic to consider and address if geographic restrictions apply to you.

Some of these concerns aren’t without merit either. Just a couple of months ago, one of the largest IDaaS providers, Okta, experienced a security breach that impacted two corporate customers. In this case the security breach potentially originated from a sub-processor of Okta’s, which warrants an entire conversation on cybersecurity supply chain risk management (C-SCRM). If an IDaaS provider is compromised by a malicious actor, it could have devastating consequences for your entire organization, or potentially the entire industry, as many IDaaS providers are dealing with hundreds or thousands of customers' critical IAM information.

Assess IDaaS carefully 

All this said, it is clear why many organizations are adopting IDaaS offerings. With the ubiquity of cloud, organizations often need dynamic and robust IAM options that support their diverse ecosystems. For many organizations, IDaaS providers can offer IAM capabilities at a fraction of the cost of what it would cost an organization to host and manage themselves. They do it at a scale that is massive due to their portfolio of customers.

Consuming IDaaS often lets organizations focus on their core competencies, which typically isn’t IAM, and instead put their attention on their customers and stakeholders. As with any technology and as-a-service offering, there are critical factors to consider, and organizations shouldn’t adopt IDaaS without thinking them through clearly.

Copyright © 2022 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.