Friday, April 12, 2013

The High Costs of Securing Identities: How to Fix the Problem Using the Cloud

By Dan Dagnall, Chief Technology Strategist

Identity Management is well down the path of a mature market space. But I believe there is still one final, fundamental disconnect which is driving up your cost of deploying and maintaining an identity management solution, and that is programming and customization.

For example, one can appreciate the need to tailor your user’s experience within your organization to be the way that you want it, but the question begs to be asked, to what end? Do you believe that identity management solutions should require your staff to write programming code in order to connect to your systems or for the purposes of maintaining custom user interfaces? Should your IdM solution require a strategy for maintaining a code base, or simply a strategy to secure user access and their identifiers while increasing efficiencies across your organization? These questions are important, because when we get down to brass tacks, these questions represent the primary drivers that can lead to insurmountable costs associated with maintaining and supporting your IdM solution.

“Fun factor” (and personal preference) aside, there is no reason why multiple industries should not be able to adopt similar identity management practices. I’m able to validate that personally, as I’ve worked with multiple customers, in multiple industries, and all of them have many requirements in common. Your identity management requirements are not as unique or “custom” as you might think. Specifically, you need password management, you need user provisioning, you need approvals, etc. The fundamentals of deploying such services do not change across industries (or IdM vendors). It is the mechanics that change. And certain mechanisms that enable IdM just simply cost more (i.e., programming your way to a solution costs much more than simply configuring the solution without requiring a single programmer (yes, it’s possible, and available right now).

The cloud serves as that mechanism to enable configuring as opposed to programmer-driven customization to provide each and every industry with a predictable cost, a predictable path (with a real light at the end of the tunnel!) and a predictable result for solving identity management problems. In order to justify how a cloud service model can drastically reduce your overhead associated with identity management, I must first define what identity management IS and what it IS NOT.

What is Identity Management?

Identity management (IdM) describes the management of individual identifiers, their authentication, authorization, and privileges/permissions within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime, and repetitive tasks ( This is the definition provided by Wikipedia, and for the most part, it is accurate; however, it is the last half of the sentence that I’d like to focus on.

“…with the goal of increasing security and productivity while decreasing cost,
downtime and repetitive tasks”

Perfect. That’s exactly what everyone who ever decided they needed an identity management solution hoped to achieve. Unfortunately the reality in many cases is the exact opposite effect, specifically for on-premise deployments where consultants stand up your solution and turn over the keys when the project is complete. If you’ve procured a solution that requires constant care and feeding, that consultant may be needed again to ensure your solution continues to serve its purpose and doesn’t lag behind and eventually fall short of securing your identities into the future. Sure, all identity management solutions should “increase security” (if they don’t, then what’s the point?), they should all “increase productivity” (if repetitive processes are automated, productivity by default will increase), which on the surface appears to lead to “decreased cost.” But the cost decreases gained from efficiencies are quickly overtaken by the cost required to support the solution itself. This is a direct result of the mechanism chosen to manage your solution (i.e., holding the customer hostage to programming code, as well as the responsibility to maintain programming code post-production deployment).

What is NOT Identity Management?

First and foremost, writing programming code is NOT identity management. Frankly, from a customer perspective, it should not enter into the equation, ever. In order to call yourself an identity management provider, you must provide full-scale end-to-end identity management capabilities, provide them in a way that enables customers to input their local policy, define their workflow(s), connect to their downstream target applications, and include out-of-the-box end-user interfaces that are directly connected to those same policies and resources that are distinct to each organization, and without the requirement to write “glue code” to make it happen. And by this I mean managing users’ identities, not managing and editing programming code that then leads to managing user identities. I’m speaking of programming, and debugging, and more programming, and more waiting to leverage new functionality or new process, and more… I could go on.

As an organization, the second you have to write programming code so your “solution” can actually provide value, you’ve lit the fuse that will eventually result in an explosion in overhead; specifically, the costs associated with maintaining what essentially will become a programmer’s playground and signal the end to your “increased security,” “increased productivity,” and most importantly, the end to your “decreased cost.” When your identity management “solution” starts to take on attributes of a software company, rest assured that is NOT the intent of identity management; in fact, the result will be the exact opposite. Identity management products must enable you to focus on your policy, your data, and your business rules. They shouldn’t force you to focus on how to connect to your downstream target systems, or force you to be an expert computer programmer in order to solve your identity-related problems. Managing identities does not have to be that way. You have other options to realize “increased security,” “increased productivity,” and “decreased cost” without programming, at all. So how can “the cloud” decrease my identity-related costs and overhead?

If your primary driver for procuring identity management is to “increase security,” “increase productivity,” and “decrease cost,” the cloud should be a strong contender as you vet potential solutions. “The cloud,” as it has been coined, is definitely more than a potential cost-saving option at this point. It is THE most impactful method to lower your operating costs while maintaining or improving service levels to your user community.

First, let’s talk security…

Cloud-based identity management can be more secure than conventional, on-premise deployments. Storing sensitive user data in the cloud is the single biggest point of contention when we discuss cloud-based IdM, followed closely by questions about identity-related data being sent over the public internet to get from the customer’s network to the cloud provider. For starters, data sent across the web is protected by web-services security, including PKI, so it’s secure. Second, we must consider the unpopular truth that in many cases, a local datacenter is less secure than those of service providers. Also, most data breaches are caused by internal, often disgruntled, users. Externalizing the data center from the local premise helps address the issue of employees conspiring to remove sensitive information from the datacenter, while introducing a third party into the process directly correlates to a greater level of data storage security.

Finally, decreasing cost…

First, it’s a service, so it includes the entire software stack, which may include automated provisioning, role management, self-service portals, self-service [automated] password reset, as well as audit/compliance & governance controls. Second, because it’s a service, you only have to subscribe the services you want, as opposed to licensing an entire product suite when you only require a fraction of it to address your specific needs. Simply outsourcing the administration around such a large stack of services can save you 1 to 2 FTE (including help desk, as well as server administrators like DBAs, etc.). Once you consider the laundry list of infrastructure requirements to support the IdM stack as well as the operational hours associated with managing and supporting the platform, you can begin to realize the significant amount of cost savings your organization can achieve if you choose to secure your identities via an Identity as a Service model. And let’s never forget the expensive staffing requirements to maintain any “glue code” that is required to actually provide value to your organization. ALL OF IT goes away in the IaaS® model.

In closing, identity management is just not scalable for your organization when finances are a factor and the mechanism in use requires you and your staff to maintain extensive “glue code” in order to keep your solution afloat and growing to meet your demands.

No comments:

Post a Comment