
Make identity management a foundation for cloud deployments

Every SaaS product has its own way to authenticate users, making it hard to keep track of which ones have access to which services

As organisations adopt more and more cloud services, it is essential to have a means to provide secure, authenticated access. This was one of the topics discussed at the recent Gartner Identity and Access Management conference in London.

Software as a service (SaaS) can be extremely flexible, but it is open to abuse. People can “reuse” or share logins, breaking the terms and conditions of SaaS contracts, which means that identity and access management (IAM) becomes a key part of cloud deployments.

During Gartner’s IAM conference, Richard Kramer, lead architect at PostNL, gave a presentation on how the Netherlands postal service was using cloud-based identity and access management as part of its cloud strategy.

“PostNL is using cloud-based identity management to manage user authentication across the business’ various public cloud services,” he said.

Another speaker, Paul Hannan, CTO at gas distribution utility provider SGN, said he was also making use of cloud-based IAM as part of the company’s cloud strategy.

“We are undergoing significant disruption, just like other utilities,” he said, adding that SGN’s executive team was very focused on adopting new technology, such as sending robots down gas pipelines to perform inspections.

It is also receiving Ofgem funding to deliver real-time network monitoring technology.

When he joined SGN, Hannan said he looked at how well IT fitted in with the corporate strategy. “It was very clear that it was not fit for the future,” he said. “It did not promote automation or a consistent security model and it was expensive and inflexible.”

He found the business was getting fed up with asking IT to do something cost-effectively and ending up doing it themselves. “If we didn’t do something transformational, the IT department within SGN would become obsolete,” he said.


IT presented a new strategy to SGN’s board to migrate all the services that were running in two datacentres to the cloud, and the plan was to use SaaS. The main objective was to improve security and resilience, but Hannan said moving to the cloud had also improved agility.

Rather than waiting 12-18 months for IT to deliver a new project, when the Northern Ireland operation needed a new system, the company chose Microsoft Dynamics in the cloud, with user authentication provided via Okta.

By deploying cloud-based IAM alongside cloud-based applications, SGN has become more agile. “We have built a cloud programme and we are starting to migrate all our workloads out of our datacentres into virtual datacentres on Amazon Web Services (AWS),” said Hannan. “At the centre of this is good identity management.”

Keeping track of SaaS usage allows businesses to ensure they are only paying for what they use, and do not infringe the usage rights granted by their SaaS providers.

Licensing for the cloud

In a recent Computer Weekly article, Rory Canavan, author of the SAM Charter, said: “If you don’t want to pay for IT services ascribed to ex-employees, make sure you have a robust joiners, movers and leavers process.”

The challenges of SaaS, from a software licensing perspective, are not new. Back in 2013, the Navigating the cloud report by the Business Software Alliance noted that SaaS typically came with multiple restrictions on use. In many cases, these restrictions are not negotiable, given the nature of SaaS contracts.

“The customer needs to have proper controls in place to ensure compliance with all contractual requirements and limitations, such as limitation on geography or restriction on sharing,” the report said.

Given the growth of SaaS within business, keeping track of who is actually using these services is now a key part of good housekeeping in software asset management.

The cost of IAM

Experts agree that IAM should be considered a key component in cloud projects, but there are a few areas that IT departments need to consider when deploying cloud-based IAM. The first is cost.

Gartner’s magic quadrant for IAM, published in June 2016, gives an idea of the funding that IT departments should put aside. The analyst estimated that the average three-year cost of 1,000-user IAM was $196,045. A more sophisticated system, supporting voice and mobile-based authentication for 10,000 internal users, would cost about $677,920.

Where costs start to escalate is in a business-to-consumer context. Gartner estimated that the three-year cost of covering one million consumers, supporting one web-based application and providing the ability for users to reset passwords themselves would be $807,674.

The other issue for IT to take into account is business continuity. If the IAM provider’s cloud service is unavailable, access to applications that use it for authentication will be blocked. In effect, users will be locked out of those enterprise systems, and consumers on a B2C website using the affected cloud-based IAM may find they cannot log in.

Tips on selecting IAM

Among the areas IT departments need to look at when assessing IAM products is their ability to provide identity governance. Gartner recommended that IAM services should, at the very least, automate the synchronisation (adds, changes and deletions) of identities held by the service or obtained from customers’ identity repositories across target applications and other corporate repositories.
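The synchronisation Gartner describes can be sketched as a reconciliation pass. This is an added example, not code from the article or from any vendor's product: it compares an authoritative identity repository with one application's account list and derives the adds, changes and deletions. The `Identity` record, the e-mail join key and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    email: str          # assumed join key between repository and application
    role: str
    active: bool = True

def _index(records):
    # Normalise the key: applications often store e-mail in a different case.
    return {r.email.strip().lower(): r for r in records}

def reconcile(directory, app_accounts):
    """Return the adds, changes and deletions that bring one target
    application in line with the authoritative identity repository."""
    wanted = {k: v for k, v in _index(directory).items() if v.active}
    present = {k: v for k, v in _index(app_accounts).items() if v.active}
    plan = {"add": [], "change": [], "delete": []}
    for key, person in wanted.items():
        account = present.get(key)
        if account is None:
            plan["add"].append((key, person.role))                    # joiner
        elif account.role != person.role:
            plan["change"].append((key, account.role, person.role))  # mover
    for key in present:
        if key not in wanted:
            plan["delete"].append(key)            # leaver or unowned account
    for ops in plan.values():
        ops.sort()
    return plan

# Constructed sample data (not from the article).
DIRECTORY = [
    Identity("alice@example.com", "engineer"),
    Identity("bob@example.com", "manager"),
    Identity("carol@example.com", "analyst", active=False),  # has left
    Identity("dave@example.com", "engineer"),                 # new joiner
]
APP_ACCOUNTS = [
    Identity("Alice@Example.com", "engineer"),          # same person, other case
    Identity("bob@example.com", "engineer"),            # stale role after a move
    Identity("carol@example.com", "analyst"),           # still licensed after leaving
    Identity("shared-login@example.com", "engineer"),   # no owner in the repository
]

if __name__ == "__main__":
    for op, items in reconcile(DIRECTORY, APP_ACCOUNTS).items():
        print(op, items)
```

The deletions list is the one that matters for both licensing and security: it surfaces seats still paid for after someone has left and accounts with no accountable owner.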

Gartner also recommended that IT departments ensure their IAM provides a way for customers’ administrators to manage identities directly through an administrative interface, and allows users to reset their passwords.

Source: Gartner magic quadrant for IAM, June 2016
