Identity management (IDM) in cloud computing is a nebulous application for most enterprises. While new products and standards efforts promote cost savings and management efficiencies, it all boils down to trust.
"I worry about authentication in the cloud," said Phil Kramer, chief technology officer of Systems Solutions Technologies LLC In Old Hickory, Tenn., a consultancy and systems integrator with more than 30 years of experience in enterprise-wide deployments of network infrastructure and information security. "I worry that encryption will be tightly coupled with weak authentication. Username and password would not be enough for me."
Federating identity management makes sense, especially in a cloud environment where users are logging onto to multiple systems within and outside the firewall, Kramer acknowledged. Internal IDM is all about account provisioning, assigning user access to systems and resetting end user passwords; interbusiness IDM is about identity mapping within a partner's context.
"Do I really want to authenticate every buyer that comes to my systems? Do I want to support password resets and handle the help desk calls for all external users? It would make sense to have a partner authenticate its user and send the credentials, but it's a matter of trust. I trust you to authenticate your users fully, then your systems communicate with mine and I provision the account and grant access. But would you rely on a password for this?" Kramer asked.
Like Kramer, most enterprise CIOs have shied away from moving their IDM applications to the cloud. Midsized and smaller companies have embraced IDM as a service, but larger companies tend to use the cloud for less critical services, such as storage, according to Andrew Sroka, CEO of Fischer International Identity LLC in Naples, Fla., which recently received the No. 1 ranking in the Brown-Wilson Group's top 10 list of outsourced identity and access management technologies for the second consecutive year.
"Savvy CIOs are using cloud services for email, storage and even CRM," Sroka said. "But once you start talking about IDM, a switch goes off. The fact is that aligning with an SAS 70 service provider that does nothing but identity management is far more secure than keeping IDM in-house."
Indeed, extending an organization's identity management into the cloud is a necessary precursor to strategic use of on-demand computing services, according to the Cloud Security Alliance, which recently released a set of guidelines that explore such identity issues as provisioning, authentication, federation and user-profile management as a cloud service.
"Identity management is a key technology to federate a heterogeneous cloud environment," said Jim Reavis, executive director of the CSA and an adviser to the Trusted Cloud Initiative, an industry group that plans to deliver the first cloud security certification, education and outreach program for cloud providers by year's end.
Old standards, new products
Several other groups are working on technology standards that will ensure interoperability of identities across the cloud. Some focus on particular environments, such as the InCommon platform promoted by more than a hundred higher-education institutions and several federal agencies. Another industry-led group, the Jericho Forum, has proposed a cloud architecture that uses security and identity management across all levels of the cloud (infrastructure, platform, software, process) in a design it calls Collaboration Oriented Architecture.
All these organizations recommend the adoption of applications and services based on such open standards as the XML-based Security Assertion Markup Language (SAML) for communicating identity information between organizations. The primary function of SAML is to provide single sign-on (SSO) to Internet applications that exist both inside and outside the safety of an organization's firewall.
SAML is at the heart of Fischer International Identity's Technology for Managed Identity Services, which is designed to be used by enterprises, as well as Fischer Identity, an identical Software as a Service (SaaS) solution that offers multi-tenancy, native cross-domain provisioning, rapid system interoperability and remote deployment.
Fischer International Identity competitor, the Denver-based Ping Identity Corp. also offers SAML-based solutions for cloud providers, as well as for enterprises that want to integrate a corporate directory with a SaaS provider's provisioning application programming interface to create, update and delete user accounts in the service provider's directory.
Mountain View, Calif.-based middleware provider WSO2 Inc.'s new Cloud Identity supports a broad set of authentication and security standards including SAML for SSO access to cloud applications. Cloud Identity provides enterprise identity management as a pay-as-you-go, scalable, hosted service.
Cost savings will lead to widespread adoption
For years large companies have outsourced IDM to traditional hosting services, using VPNs and requiring multiple administrators to manage them.
I worry about authentication in the cloud. Username and password would not be enough for me.
Phil Kramer, CTO, Systems Solutions Technologies LLC
But full-blown identity and access management solutions (with automated role and account management, password management, compliance, and so forth) have been cost-prohibitive, whether they're on premises or hosted. Not considering the administrators, the software and implementation costs run at least $250,000 plus annual maintenance, all due up front, according to Dennis McDermott, chief marketing officer for Fischer International Identity. If the suite is hosted, the cost goes up by at least $100,000 per year. In fact, most conventional IAM deployments are far more expensive; two years ago the average cost was $500,000 to $700,000, with some deployments going into the multimillions of dollars.
By contrast, SaaS products are designed for efficiency, rapid time to value and minimal disruption, so initial and ongoing costs are less than those of conventional software. SaaS products also can usually be rightsized: You don't need to buy a full-blown suite when all you may need is some subset of a function and only for a subset of your user base; that also keeps the client costs down from the perspective of both monthly services and professional services.
For an "apples to apples" comparison of the cost to deploy or acquire a full-suite identity management solution between, for example, the SaaS version of Fischer's Identity model versus a conventional hosted model (one where the client buys the software and outsources the deployment, ongoing administration and associated infrastructure to the provider), a 1,000-user organization can expect:
- Fischer's Identity
- Year 1 costs: $78,000
- Annual service fee: $28.00 per user, per year ($28,000)
- Implementation services fee: $50,000
- Ongoing annual costs: $28,000
- Conventional IAM product
- Year 1 costs: $310,000
- Software license and connectors (minimum): $100,000
- Implementation services (using 2:1 ratio for simple implementation): $200,000
- Infrastructure costs: $10,000 (for servers and associated software)
- Ongoing annual costs: $100,000
- Administration costs: $90,000 (for one administrator)
Moreover, in a SaaS solution, someone else is dealing with all the requests for passwords and entitlement approvals, based on rules set by an organization. A company with 10,000 users might field 1,000 requests in a 10-day period, according to Fischer International's Sroka, a tremendous burden on the IT department.
Such improvements in cost and management efficiencies, coupled with the fundamental need for federated identity management in the cloud, will drive enterprise adoption of IDM as a service, according to Gartner Group Inc. in Stamford, Conn. Approximately 8% of enterprise security budgets are currently dedicated to IAM, and the market is expected to grow to $11.9 billion by the end of 2013. By 2014, IAM as a service will account for 20 percent of all IAM sales revenue.
Let us know what you think about the story; email Laura Smith, Features Writer.