Identity and access management as a service (IDaaS or IAMaaS) refers to web-delivered services that create user identities and control the access levels of individual users. It is one of the many types of cloud services offered by cloud vendors.
There is a movement in the modern IT world to move away from on-premises infrastructure in favor of SaaS-based solutions that leverage the cloud. These days, solutions in almost every IT category are delivered as a service from the cloud. Nevertheless, while most examples are cloud-based, some categories have been slow to adapt.
Identity and Access Management (IAM) is a good example. Fortunately, a new generation of IAMaaS (Identity and Access Management as a Service) solutions has changed this.
These changes have been positive for the most part. However, to understand the benefits of the new cloud-based IAM solutions, first take a step back and look at the old model. Then we will discuss what has changed.
Identity and access management as a service – The idea of SaaS
Identity and access management as a service builds on the core idea of software as a service (SaaS), which took hold in recent years as vendors began to effectively “stream” services over the web rather than ship licensed software packages on CDs and in boxes.
Vendors started offering a wide range of cloud-delivered products alongside SaaS, such as Platform as a Service (PaaS), Communications as a Service (CaaS) and Infrastructure as a Service (IaaS). Refinements in network virtualization and the logical abstraction of hardware devices accelerated this development.
Historically, the Identity Provider (IdP) category has primarily been delivered as software installed and managed by an IT organization.
IAM systems provide system administrators with the tools and technology to change user roles, track user activities, create reports on those activities, and enforce policies on an ongoing basis. These systems are designed to control user access throughout the enterprise and ensure compliance with corporate policies and government regulations.
Identity Access Management – A Wide Brief
We need to be able to manage our identities, and to control who has access to them, in the way we want.
This is a very real pain point for a lot of people. We all have multiple usernames and passwords, and even worse, some people have multiple accounts with different usernames and passwords.
Those are just the most obvious cases — there are still plenty of other cases where a company might want to invoke some kind of password reset or change of password process on behalf of its users. And there’s likely a lot more that falls into that category.
A few years ago, I had an account with a big e-mail provider who got me into trouble when I started using an expired password for my corporate account (the expired password created an automatic “reset” of that account). Basically, they were so concerned with protecting their data (and so were their customers) that they had no problem erring on the side of security to protect their own data too; but then it became a little awkward when it came time to protect my personal data too. That’s when I realized that identity access management tools could help solve this problem:
Why not use those tools for managing your own credentials?
It turns out there are many good IDAM providers out there — we’ll go over three here: AppMobi Login, Bitwarden and Usergrid (the last one is new).
How can you use them? We need to be able to sign in with these providers from our SaaS products (here, for CI/CD purposes only), so let’s start with that: CI/CD teams can use Application Identity Management (AIM), and every agile project should at least give it a try. This lets you manage all the different ways you authenticate yourself, such as web or phone authentication, username/password authentication, or two-factor authentication at login.
You can also add authorization codes at login if you want to automate them. Again, CI/CD teams can use AppMobi Login. You may already know about AppMobi Login, which is an application identity management tool for SaaS apps developed by AppMobi.
It allows developers to create user profiles via SaaS apps easily and securely across multiple users (different social networks, etc.), while at the same time letting those users define their own roles. This way, individual permissions are defined in each app separately.
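The role model described here and in the earlier description of what IAM systems give administrators (changing user roles, tracking activity, producing reports, enforcing policy) can be shown in a few dozen lines. The following is an added example written for this page; it is not code from AppMobi or any other vendor named here, and the application names, roles and permission strings are constructed for the demonstration. Roles are scoped to one application, so the same user can hold different permissions in each app, and every access decision is recorded in an audit log from which a per-user report is built.

```python
"""Minimal per-application role-based access control (RBAC) with an audit trail.

Added illustration for this page, not vendor code. Permissions are attached
to roles, roles are assigned to users within one application, and access
checks are default-deny and logged.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class AuditEvent:
    user: str
    app: str
    permission: str
    allowed: bool


@dataclass
class IdentityStore:
    # app -> role -> permissions carried by that role
    role_permissions: dict = field(
        default_factory=lambda: defaultdict(lambda: defaultdict(set)))
    # app -> user -> roles assigned to the user in that app
    user_roles: dict = field(
        default_factory=lambda: defaultdict(lambda: defaultdict(set)))
    audit_log: list = field(default_factory=list)

    def define_role(self, app, role, permissions):
        """Attach permissions to a role, scoped to a single application."""
        self.role_permissions[app][role].update(permissions)

    def assign_role(self, app, user, role):
        """Refuse to assign roles that were never defined for this app."""
        if role not in self.role_permissions[app]:
            raise KeyError(f"role {role!r} is not defined for app {app!r}")
        self.user_roles[app][user].add(role)

    def revoke_role(self, app, user, role):
        self.user_roles[app][user].discard(role)

    def effective_permissions(self, app, user):
        """Union of the permissions of every role the user holds in the app."""
        perms = set()
        for role in self.user_roles[app].get(user, ()):
            perms |= self.role_permissions[app][role]
        return perms

    def check(self, app, user, permission):
        """Default-deny decision, recorded for later reporting."""
        allowed = permission in self.effective_permissions(app, user)
        self.audit_log.append(AuditEvent(user, app, permission, allowed))
        return allowed

    def report(self, user):
        """Per-app (allowed, denied) counts for one user's recorded activity."""
        summary = defaultdict(lambda: [0, 0])
        for ev in self.audit_log:
            if ev.user == user:
                summary[ev.app][0 if ev.allowed else 1] += 1
        return {app: tuple(counts) for app, counts in summary.items()}


def demo():
    """Constructed scenario: two apps, one user with a different role in each."""
    store = IdentityStore()
    store.define_role("billing", "viewer", {"invoice:read"})
    store.define_role("billing", "admin", {"invoice:read", "invoice:write"})
    store.define_role("wiki", "editor", {"page:read", "page:write"})
    store.assign_role("billing", "alice", "viewer")
    store.assign_role("wiki", "alice", "editor")
    results = [
        store.check("billing", "alice", "invoice:read"),   # viewer may read
        store.check("billing", "alice", "invoice:write"),  # viewer may not write
        store.check("wiki", "alice", "page:write"),        # same user, other app
        store.check("wiki", "bob", "page:read"),           # no roles: denied
    ]
    store.assign_role("billing", "alice", "admin")         # administrator changes role
    results.append(store.check("billing", "alice", "invoice:write"))
    return results, store.report("alice")


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that the authorization decision never consults the user directly, only the roles defined inside the application being accessed, and that the audit log, not the role table, is what the activity report is built from.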
Roles and Users of IAM
The biggest challenge of identity access management (IAM) solutions is not in the technology itself, but in how to make it work right. There are a million ways to do IAM, and though some of them are better than others, it’s all about finding one that makes sense for your company.
One of the key reasons for that is that there isn’t a one-size-fits-all approach, just as there isn’t a one-size-fits-all approach to identity management. There are lots of options: federated and federated/logged in solutions like Active Directory; single sign-on services like Microsoft’s OneDrive; or the much less common OAuth 2.0.
The big issue with OAuth 2.0 is that it has become a security nightmare for many organizations (which clearly shows what happens when you pursue an open source solution). The way OAuth worked was that you would authenticate into an account (usually with a username/password) through a third party service, and then use it along with your own private keys to access content on websites and other services on the other side of the connection. That meant that you didn’t have to trust any third party service — even if it was not as secure as you thought.
Every website and service could check whether you had permission to access its content, which could potentially lead to unauthorized use of your own data or, even worse, a full security breach of your company data.
However, when companies adopted OAuth 2.0 they ran into major problems:
1) It introduced secondary authentication which complicates things further (in particular making it harder to “trust” third parties);
2) It made things more difficult for most users who don’t want authentication being required at all;
3) It took an approach that was very hard to scale globally;
4) It was highly centralized (i.e., not best-of-breed); etc…
As such, we decided against OAuth 2.0 and instead we went with Single Sign On (SSO). We chose SSO because we saw no reason why we shouldn’t get rid of passwords entirely: since there is no need for usernames or passwords any more than there is for usernames or passwords now (the login process is typically done once), this should be relatively easy by simply requiring only our password each.
Managing Identity Access
I’ve been eying the new Dashlane app for a while now, and finally decided to sign up for it. Why? Because it’s free! But there was a catch: I had to sign up with a certain email address, which is the one I use for my personal account at work.
In theory, this should have come as no surprise to me. After all, I had been using my company-provided email address for most of my personal accounts for years — but unlike many of my colleagues and friends, I rarely used it in business.
Still, a few days later I found myself looking at the app and seeing that I had entered my correct email address into it without thinking about it once (until one day when I went back and was surprised by an error message that said “your email address is not allowed here”).
I thought about it for a while — trying to figure out why this was happening. The first thing that occurred to me was that perhaps the app didn’t recognize some other option in my settings that would allow me to enter another email address (perhaps like “[email protected]”).
So it had assumed I entered “[email protected]” instead of “[email protected]:*@example.com…” (which is what Dashlane gives me by default). So eventually, after mulling over the problem in more detail than usual (and having dinner with friends) and realizing how close we are to launch day, I decided to call Dashlane support and confront their support representative about why she thought her customer could not enter another email address in her settings than what is provided by default.
And get this: she actually had no idea why she made that assumption! She thought that from the moment she opened up the app until she saw me trying out different options in her settings menu — even though there were useful options like not accepting new emails from third parties or allowing for two-factor authentication or using two-factor authentication even if two-factor authentication was turned off on Dashlane itself.
Dashlane didn’t know how long you have been using your own EAC password before they assumed you were still using an EAC password! They didn’t know you were already signed into your company account with your company email address anyway! It just worked like everyone else did! That said, they did give me some suggestions on how they can be sure.
How many identity access management tools are in the market?
With the recent surge of interest in identity management technology, we are constantly being asked, “How many identity access management tools are there in the market?” This is especially true for startups that have not yet developed their product and/or haven’t been able to establish a solid brand.
In my opinion, there are two main types of identity access management tools:
- Identity and access management (IAM) tools that enable user authentication and authorization by granting users a unique username and password.
- Identity and access management (IAM) tools that enable user authentication and authorization by compelling users to present their social security number or corporate ID (such as a passport or driver’s license).
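For the first category, the tool that issues a username and password is also the one that must store and verify that password. The following is an added example for this page, not code from any product it mentions, of how such a store should handle credentials: the password itself is never kept, only a per-user random salt and a PBKDF2-HMAC-SHA256 hash of it, comparisons are constant-time, and an unknown username is verified against a dummy record so that the response time does not reveal which usernames exist. The iteration count is an assumed cost parameter.

```python
"""Username/password credential store for an IAM tool.

Added example for this page, not vendor code. Stores salted PBKDF2 hashes
rather than passwords, compares in constant time, and takes the same time
for unknown users as for known ones.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; raise as hardware allows


class CredentialStore:
    def __init__(self):
        self._records = {}  # username -> (salt, derived_key)
        # Dummy record used when the username is unknown, so a lookup miss
        # costs the same as a real verification (no username enumeration).
        self._dummy_salt = os.urandom(16)
        self._dummy_key = self._derive(self._dummy_salt, "placeholder")

    @staticmethod
    def _derive(salt, password):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, ITERATIONS)

    def register(self, username, password):
        """Create a credential; the plaintext is discarded after hashing."""
        if username in self._records:
            raise ValueError("username already taken")
        salt = os.urandom(16)
        self._records[username] = (salt, self._derive(salt, password))

    def verify(self, username, password):
        """True only if the username exists and the password matches."""
        known = username in self._records
        salt, expected = (self._records[username] if known
                          else (self._dummy_salt, self._dummy_key))
        match = hmac.compare_digest(self._derive(salt, password), expected)
        return known and match

    def change_password(self, username, old_password, new_password):
        """Re-verify before replacing; a new salt is drawn every time."""
        if not self.verify(username, old_password):
            return False
        salt = os.urandom(16)
        self._records[username] = (salt, self._derive(salt, new_password))
        return True


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")  # constructed sample
    print(store.verify("alice", "correct horse battery staple"))  # True
    print(store.verify("alice", "wrong"))                          # False
    print(store.verify("nobody", "correct horse battery staple")) # False
```

Because the dummy branch runs the same key derivation and the same comparison as the real one, an attacker timing login attempts learns nothing about whether a username is registered; the final `known and match` is evaluated only after that work is done.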
How identity access management software tools work
There are currently three main approaches to identity access management (IAM): Anti-Tampering, Anti-Spam and Anti-Forensics.
Anti-spam refers to setting up systems that prevent email, text messages or other communications from being sent to legitimate users. Anti-forensics refers to the techniques security companies use to map out a user’s activities so that they can be stopped before they do damage.
Anti-tampering is the way most companies implement IAM: for a user to access corporate resources, you need to run a highly secure system that does not allow their credentials to be compromised. This can be done with hardware (which gives you full control over who can use your data), with software (which gives you only limited control) or with a combination of both.
Anti-forensics requires that you have an anti-spam system in place and either hardware or software to prevent snooping on communications. It also requires careful cybersecurity, because if someone gets into your system and compromises your anti-forensics tools, they can extract data from your computer or server, including all your sensitive data such as passwords and credit card information.
There are some additional challenges for IAM vendors:
- Different approaches with different benefits at different price points
- Different types of IAM solutions: browser plug-ins vs. API integrations vs. external tools vs. native apps vs. “management” solutions
- Complicated interfaces between IAM systems, enterprise services and applications
- Complicated implementations in different environments (mobile vs desktop)
How each approach works against one another and what can be done differently when it comes to solving them, as well as some recommendations on where we believe current IAM solutions might go next if their current trends continue.