By Terry Gold, founder, IDanalyst LLC.
When it comes to identity credentials, historically the higher level of assurance, the more costly and complex it was to produce and manage. These higher costs, in turn, kept PKI-enabled smart cards out of reach for the masses. Only large organizations could attempt to scale, lower costs and resource a project that was demanding across various skill sets. But identity-as-a-service can enable smaller organizations without the resources the ability to use these advanced technologies.
When performed in line with best practices for trust and security, high-assurance identity programs demand a diverse set of skilled resources. While the token – or card – is what is most visible, it’s only the tip of the iceberg. Most of the complexity is in the back-end infrastructure required to securely issue and manage the larger system. This complexity is further compounded by the many touch points required to integrate, operate, support and form policies that enable it all to work cohesively.
Through the PIV program, the U.S. Federal Government has demonstrated that complexity can be reduced for organizations that require high assurance credentials. By building a model centered on delivering a set of capabilities as a service, the program has rolled out IDs to millions of individuals across agencies.
The reality is that complexity still exists but it’s now designated to those that can deal with the complexity, thus eliminating the burden for customers. Software as a Service (SaaS) models provide a turnkey solution, enabling customers to only be concerned about consuming the service, not managing it.
Think of it like riding a bus. If I were to hire a privately chartered bus to take me from Los Angeles to San Francisco on my own, it would cost thousands of dollars. However, if I buy a ticket for a commercially available bus that was already scheduled to make the same trip, the price becomes commoditized as the costs are shared across many customers.
The same can be said for the identity-as-a-service model. However, for this symbiotic relationship between provider and customer to mutually benefit, a group of customers must agree to the same set of service capabilities. The more customers that a provider can get to do so, the more they can monetize their existing service and likely lower costs, as they have more people sharing it.
When looking across various markets, the PIV program can’t meet everyone’s particular requirements. It was neither designed to do so nor is it even available to everyone. The good news is that new services are coming online to meet varying requirements.
This market is still young. On one end there is a rush by some vendors that have a lesser background in identity to get in on the action. On the other end established companies with proven backgrounds struggle to transition from government to enterprise with inflexible PIV-based solutions. As vendors try to appeal to a broader audience with increasingly varying requirements, the market is evolving.
Despite the market evolution, vendor’s products vary greatly in their focus and capability, and telling them apart, or even knowing which questions to ask specific to this type of solution can be challenging. Making assumptions based on features or brand will likely lead to major oversight.
Identities as a Service (IDaaS) solutions generally differentiate in a series of core areas.
Scope of Solution: The list of in-house technologies and processes the solution displaces
Conceptually, IDaaS strives to offload as much of the infrastructure that a customer would be required to install as possible. However, organizations with unique requirements may desire flexibility to keep some things in-house for a more hybrid model.
Intent: The specific problem the solution aims to solve
Products are generally developed to solve specific challenges faced by a customer or type of customer. Some take a general approach toward the size of a company for example, while others address specific market segments like health care. In general, vertically developed solutions will be less applicable to a mass audience but will be more powerful in the scenario for which they are intended. Also, the problem that vendors are trying to solve for a customer can vary across competitive solutions. Some focus on ease of convergence while others drive toward depth and flexibility.
Implementation: The technology and execution used to achieve proposed solution
Even though IDaaS categorically belongs in the cloud, each implementation may require customers to take a tailored approach to setting it up, using it and adopting preset policies. Additionally, how things integrate, how well they do so, and the third-party components that may or may not be hosted in their service can vary as well. It is key to completely develop solution requirements to determine which IDaaS is the best fit.
Security Philosophy: The approach to overall solution security
Though all solutions in this segment are intended to provide security, there is an incredible variance as to the levels of security offered. This is a culmination of varying talents in application security, cloud security, key management and overall internal policy.
Certification: The level of attainment by recognized third parties
In the smart card world there are a few certifications, but most have specific contexts for particular components or processes. PIV is the only attempt to certify the overall solution and execution. Perhaps the most common misunderstanding in the credentialing market is the assumption that certification automatically equates to a commensurate level of security. While certifications attest to a set of criteria being met, security is dynamic and certifications are typically narrow. The reality is that certifications should be viewed as a minimum starting point, not the overall achievement of security.
Standards: The adherence to standards from open and public domains
This is another area of significant variance. Standards can have significant implications on system operations. Thus, customers should perform a diligent review as to which, if any, standards make sense for their business both short and long-term.
Look beyond simple cost cutting
Most assume that an IDaaS costs them less than an in-house model, however this isn’t always true. Since the market is not yet mature and has not been commoditized, prices are still at somewhat of a premium. The size of the organization is key.
For small to medium sized organizations, even the most expensive IDaaS solution is likely to be cheaper than an in-house solution. Also with IDaaS, costs are spread out per year, rather than stacked up-front via perpetual licensing and backend infrastructure costs. However, for very large organizations with tens of thousands of users, these numbers start to reach parity.
It is important to note that large organizations that could spend less on an in-house model may still choose IDaaS as it can have financial benefits in how services are accounted for as compared to depreciating purchased assets.
Focus on both tangibles and intangibles
The whole point of IDaaS is to remove users and operators from the low-level components underneath, so that most of what is going on can’t easily be seen. For example, the solution may have a key management function, but how does one know how the key material is being handled or even if the service uses a hardware security module at all? You can’t go by features alone, you have to dig into to the intangibles to know what is included both visibly and out of sight.
Avoid fixating on product comparisons
Comparing products against one another is a must, but too often clients become fixated on this aspect and lose sight of developing a clear definition of their requirements and benchmarking. Comparisons are relative but are fairly transparent against solid internal requirements.
Don’t fall victim to the turnkey assumption:
Clients often assume that because IDaaS eliminates a great deal of infrastructure deployment that they will be able to flip a switch and go. This is partially true if the service is truly an out-of-the-box, multi-tenant system. However, deciding on workflows, setting policies, pushing out to clients, ensuring quality assurance, building a notification and support process and integrating the service into your infrastructure can all take time.
Performing due diligence of the service provider to ensure a complete understanding of how they secure their infrastructure takes time as well. Between scheduling, aligning resources and acquiring approval to do these things, it can easily take several months before rolling out beyond limited production.
A positive movement
IDaaS solutions may or may not cut costs, but they definitely make identification programs simpler and commercially available to more organizations. They reduce complexity, the burden of operation and the cannibalization of critical resources required for other projects.
Overall, IDaaS is a positive movement for everyone; even those that opt not to deploy it. IDaaS systems are undeniably lean and efficient, adding competitive pressure across the entire market landscape – IDaaS and traditional approaches alike. And as the market matures, things are just going to get better.