By Rajat Bhargava Posted April 17, 2017
Cloud identity management has been garnering a great deal of attention lately. It’s one of the hottest sectors in IT right now – and for good reason.
More organizations than ever are being compromised through identity theft and stolen credentials (Breach Level Index). This comes at a time when IT infrastructure is no longer purely based on Microsoft Windows and located on-prem. IT is now a complex, global department that is critical to the success of any organization.
But let’s set the buzzwords of cloud identity management aside. And instead ask some questions: Is moving to the cloud with some of your most crucial assets the right thing to do? In what scenarios does cloud identity management make sense? And when does it not?
We’ve provided all of the answers to these questions and more in our Q&A below.
Ten Questions to Ask About the Move to Cloud Identity Management
1. What is cloud identity management?
Cloud identity management is the reimagination of on-prem identity management for a cloud-centric era. Think of it as Active Directory® and LDAP reimagined.
More specifically, think of cloud identity management as securely managing and connecting your employee identities to the IT resources they need. Those IT resources could be systems, applications, and networks. They could be located on-prem or in the cloud. The IT resources could leverage any one of a number of authentication protocols, including LDAP, SAML, RADIUS, SSH, and REST. A cloud identity management platform is also independent, supporting Windows, macOS, Linux, AWS, G Suite, Office 365, and many other major platforms.
In short, cloud identity management is the central identity provider for an organization, capable of connecting users and IT resources, regardless of platform, protocol, provider, or location.
2. How is cloud identity management different from on-prem identity management?
You may think creating a cloud identity management platform is as easy as shifting a Microsoft Active Directory server to the cloud. It’s not. IDaaS platforms in the cloud era have reimagined what AD and LDAP are, taking into account what today’s IT environment looks like and what the future holds.
On-prem identity management approaches were largely focused on a single vendor or protocol. This happened because the IT environment was different when these platforms emerged. Microsoft Windows was the dominant operating system platform and most IT resources were located on-prem. As a result, the identity provider only needed to handle a narrow scope of capabilities, which made on-prem solutions such as AD and OpenLDAP ideal at the time.
Fast-forward to today, and the IT landscape is dramatically different. Today’s IT environment is heterogeneous, cloud and on-prem, and multi-protocol. A cloud identity management solution can handle this situation. IT organizations should be free to leverage whatever IT resource is best for them. We’re talking about macOS, Linux, G Suite, AWS, web applications, WiFi, and much more. All of them, connecting and integrating seamlessly with the cloud identity management platform.
3. Isn’t cloud identity management just single sign-on (SSO)?
Not anymore. Cloud identity management used to be just an elaborate way to say web application single sign-on. But that has started to change. When everything was on-prem and Microsoft Active Directory was at the core of an IAM strategy, it made a lot of sense to call web application SSO cloud identity management. That was all the identity really needed to do in the cloud back then. But the cloud has grown and so has cloud IT. To limit ‘cloud identity management’ to just apps is reductive.
Today, cloud identity management is the term for a broad set of approaches to identity and access management from the cloud. At its best, cloud IAM is the central platform to control and manage user identities and the access to IT resources that those people need.
4. What are the benefits of cloud identity management?
There are a number of critical benefits to leveraging a cloud identity management platform for your organization. Below are a few key examples:
Increased productivity for end users and IT – connecting end users to the IT resources they need regardless of where or what those resources are is a critical part of the job for IT. By giving users what they need, they become more productive. And for IT, having a central platform with self-service capabilities gets them out of the middle of the password and SSH key process.
Focus on higher value projects for IT – by automating and building a central system for identity management via a SaaS-based cloud platform, IT admins can off-load a great deal of low-value work so they can focus on more critical projects of higher value.
Avoiding lock-in with vendors – traditional directory services locked organizations into their platform or protocol. But that’s not the way that IT organizations – or businesses for that matter – want to operate. They want the choice of leveraging whatever solution is best for their organization, regardless of vendor. A neutral cloud identity management platform gives IT organizations the independence that they need and want, while simultaneously centralizing access control.
Lower chance of identity theft – security is far more important today than it has ever been. If the right credentials get into the wrong hands, it’s game over for an IT organization. Strong cloud identity management solutions focus on improving your security posture and making it far more difficult for attackers to penetrate your IT infrastructure.
There are a number of other benefits that IT admins can find in cloud identity management, and many of those will be specific to your organization and your current challenges.
5. What do I need to implement cloud identity management?
The good news is, you don’t need much in the way of infrastructure or internal resources to make cloud identity management work for you. Instead, what you really need is a crisp set of requirements detailing what you want to accomplish. That will help steer you to the right platform with the capabilities to meet your needs. It will also help inform your cloud identity management partner. They’ll know what to focus on during the features demonstration and throughout the implementation process.
Most cloud IAM solutions are SaaS-based so there is little for the IT organization to manage in the way of hardware, software, patches, security, availability, and redundancy. Outsourcing all of those tasks allows the IT organization to focus on their goals of creating a central identity provider for their entire user population and IT resource base.
6. Can I replace my on-prem Microsoft Active Directory® solution?
Yes! That’s the whole goal with cloud identity management – to move your identity infrastructure to the cloud. You’ll want to take advantage of modern solutions, approaches, and security techniques. Legacy, on-prem solutions don’t need to hold an organization back any longer. You can create a virtually all-cloud IT infrastructure, if you so choose. And cloud identity management is at the core of that strategy.
7. How reliable is cloud identity management?
Cloud identity management providers have invested an immense amount of time and resources into architecting solutions that are highly reliable. Identity access control is at the center of any network. If the identity provider is down, that means work isn’t being done and your organization is at a standstill. Outside of the physical network itself, there may not be a more important piece of technology in your infrastructure.
Cloud identity providers know this and that’s why they safeguard against outages. They have redundant, global networks. Many of the components of the platform – system-level authentication, for instance – can operate even when there is an internet outage, or if the provider experiences a problem. Reliability is critical when thinking about a platform that grants or denies access to IT resources for your users.
8. How secure is cloud identity management?
Security is of paramount importance to cloud identity management providers. The most secure providers are taking enormous steps to secure your identities in the cloud. These steps are often far beyond what you can invest internally, and greater than the capabilities of legacy solutions like Microsoft Active Directory.
The best IDaaS providers are leveraging one-way hashing and salting algorithms, mutual TLS, data at rest encryption, tight access controls, and network segmentation, among others. The best cloud identity providers live and breathe security.
Today’s IT environment is a challenging one when it comes to security. But taking strong steps and enforcing the right behaviors with employees can translate into a better security posture for customers.
9. What happens if the Internet is down?
Internet connections sometimes go down. It could be yours or your provider’s. In either case, there will undoubtedly be some disruption to the organization. However, modern cloud identity management platforms protect against many of these challenges.
The core of a user’s IT platform is their system – whether that’s Windows, Mac, or Linux. Those systems need to be accessible even if the Internet is down or the user is on a plane, and the best cloud IAM systems handle those cases. Cloud-hosted LDAP and RADIUS, for example, are a little different, since the IT resource performing the authentication needs to reach the identity provider. The protection for LDAP and RADIUS in the cloud is a local cache, but that isn’t always possible, and it isn’t always helpful either.
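The local-cache fallback described above, combined with the salted one-way hashing listed under question 8, as an added Python example that is not the page’s or any vendor’s code: the `idp_check` client callable, the cache class and the 200,000-iteration work factor are assumptions, and a cached verifier is only ever used when the provider cannot be reached, never when it has rejected the user.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor. Assumed value; tune it to your hardware so
# one verification costs a noticeable fraction of a second.
PBKDF2_ITERATIONS = 200_000


class OfflineCredentialCache:
    """Keeps only salted one-way hashes of credentials the cloud identity provider
    already accepted; entries expire so a revoked user cannot stay valid offline."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._entries = {}  # username -> (salt, digest, cached_at)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def record(self, username, password, now):
        salt = os.urandom(16)  # fresh random salt per entry, never reused
        self._entries[username] = (salt, self._digest(password, salt), now)

    def forget(self, username):
        self._entries.pop(username, None)

    def verify(self, username, password, now):
        entry = self._entries.get(username)
        if entry is None or now - entry[2] > self.ttl:
            return False  # unknown or stale: only a successful online check renews it
        salt, digest, _ = entry
        return hmac.compare_digest(self._digest(password, salt), digest)


def authenticate(username, password, idp_check, cache, now):
    """Ask the cloud identity provider first; fall back to the cache only when it
    cannot be reached. idp_check(username, password) is a hypothetical client
    returning True/False, or raising ConnectionError when the provider is down."""
    try:
        accepted = idp_check(username, password)
    except ConnectionError:
        return cache.verify(username, password, now)  # offline fallback
    if accepted:
        cache.record(username, password, now)  # refresh the cached verifier
    else:
        cache.forget(username)  # password changed or account disabled
    return accepted
```

The time-to-live is the knob that trades offline convenience against how long a deprovisioned user could still log in to a disconnected machine.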
Talk to your provider about the scenarios that matter to you. Ask if you are covered when your Internet is down. Decide if that is a risk you can take when you are in the cloud.
10. I’ve heard that Amazon, Google, and Microsoft all offer cloud identity management – are they true cross-platform and provider-agnostic solutions?
No. All of the major tech titans want to own your identity for their purposes – to sell you more of their solutions and lock you into their platforms. Each provider does have a “cloud identity management” option, but we’d argue that it’s really just a user management system for their cloud infrastructure – the place where they make their money.
Azure Active Directory is wonderful if your entire IT infrastructure is Windows based and on Azure. Google’s G Suite Directory (also called Google Identity Services) is a simple user management system for Google apps and a select few web applications. AWS Directory Service is great for your Windows desktops in the cloud.
All of these platforms miss the key point for you as an IT admin: a central, authoritative identity provider needs to integrate with whatever IT resources you have within your organization regardless of platform, provider, protocol, or location.
Next Steps Toward a Shift to Cloud Identity Management
There’s really a two-step process when thinking about cloud identity management. The first is to determine if it’s the right approach for your organization. There can be any number of factors that matter to an IT organization when it comes to a move to the cloud. Among these are the availability of internal talent and expertise, security, and the diversity of platforms and protocols.
Once you’ve decided to move to the cloud, the second part of the process is to think about which platform is right for you. Of course, your choice of the right provider will be based on your key requirements and which solution matches up best to meet them.
One cloud identity management platform you’ll want to investigate is Directory-as-a-Service®. As a cloud-hosted IAM solution, the goal of Directory-as-a-Service has been to serve as an organization’s core, authoritative identity provider. The IDaaS platform is independent and secure.
Drop us a note if you would like to learn more about how cloud identity management can help your organization. Finally, sign up for a free Directory-as-a-Service account and give it a try for yourself. Your first 10 users are free forever.