Secure identity management in hybrid cloud is still behind the curve – here’s why and what we can do about it


Posted on: March 4, 2019 by Thierry Winter

If identity as a service (IDaaS) for hybrid cloud users were easy, we’d have done it already. It does exist, but it still lacks all the features users expect and have from an on premises Identity Access Management (IAM) perspective. Analysts have pointed to this being a major issue in adoption and one that vendors must rush to solve.

There are a number of reasons for the delay in features. The first is that Identity as a Service is complex. It includes identity governance, access management, and analytics functions applying to applications and systems located both on customers' premises and in the cloud.

When used for hybrid cloud, the transformation of IAM software delivery model from on-prem to IDaaS requires vendors to look at three different areas:

  • Adapting people skills,
  • Technical approach and
  • Product line processes.

Adapting people skills

First, people skills need to evolve in order to adopt Agile principles, with small teams and strong transversal coordination. Technical personnel must learn latest user interface technologies, think cloud-ready by design, think secure by design and prepare for DevOps cycle with permanent refinement of up-to-date features, delivered with quality and shorter delivery cycles than traditional on-prem releases.

Technical approach

Second, state-of-the-art technology is key. A future-proof approach is mandatory: for back-end, all business functions are delivered by secure APIs. For the front-end, a modern look and feel is paramount, since end-users now just require excellence: it must be intuitive, quick, efficient and nice.

Product line processes

Finally, product management must evolve, too. A realistic evolution plan to IDaaS implies a “think big, start small, grow fast” approach:

  • Split the program in phases, with customer value at each delivery;
  • Deliver first a Minimal Viable Product, then add must-have and differentiating functions;
  • Mandatory underlying product adaptions to Software as a Service (SaaS) are balanced with new features, to maintain visibility and avoid any “tunnel” effect.

In turn, customers benefit from this phased approach in the transformation of IAM into IDaaS. For instance, a three-step delivery of a full-featured IDaaS service may include:

  • Phase 1: thanks to IDaaS, customers can be autonomous in administering IAM, rather than traditional managed services;
  • Phase 2: they take advantage of the SaaS model, especially for native web and mobile apps, with new authorization principles and appropriate security schemes;
  • Phase 3: they extend the scope of IDaaS to the most complex customer environments, such as sophisticated mutualization of IAM governance among an organization’s entities.

Why do we need a rich set of features for IDaaS?

Even if access management is one of the first IAM domains to be available as a service, with services like identity federation using SAML and OpenID Connect, customers are now used to utilizing the efficiency of on-prem services such as roles and permission life cycle management, including segregation of duty (SoD), access policy certification etc.

They have already benefitted from the on-prem IAM security models, with sophisticated configurations and workflows to handle very specific but key business use cases. Migrating to a lightweight IAM tool in SaaS mode would mean introducing procedures that have been refined over months, with an eventual high level of internal end-users’ satisfaction. IDaaS therefore must deliver the equivalent, or customers will prefer to extend the existing implementation, with the risk of an even more costly path to hybrid IDaaS in the future.

Above all, while identity governance is the “head”, the “legs” embodied by identity provisioning are key to make the whole IAM implementation tangible and effective. This is why provisioning of on-prem legacy apps, together with SaaS apps, through a global and common governance workflow is the proof that the hybrid approach meets all needs.

To do so, a smart secure IAM gateway, leveraging standards such as System for Cross-domain Identity Management (SCIM), is an important component in the landscape of hybrid IAM, taking in charge, optimizing and securing the flow of data between customers’ premises and IDaaS in the cloud.

What kind of features will make IDaaS successful?

In addition to the above, IAM administrators and end-users benefit from a single pane of glass access, assisted simplified workflows, AI-powered IAM processes for certification, access governance, management of segregation of duty etc.

These visible features require developments in parallel of the underlying IDaaS framework, such as APIs secured using OAuth 2 to create, read, update and delete IAM information, multi-tenancy for back-end efficiency from onboarding to rated speed, clustering for elasticity, DevOps for permanent refinement of up-to-date features, delivered with quality and shorter delivery cycles than traditional on-prem releases.

Why do we need to get this right?

Overall, in the medium term, customers will be able to take advantage of the forthcoming interoperability of all security domains adjacent to IAM, such as threat intelligence, user and entity behavior analytics, coordinated by intelligent supervision capabilities of Security Operation Centers.

Such a “Prescriptive IDaaS” is indeed the target to reach.

We’ll be in London on the 7&8 of March for Gartner’s IAM Summit. If you would like to speak to us there, please contact: Vasco Gomes

Share this blog article


About Thierry Winter

CTO Evidian IAM products
Graduated from the French Ecole Nationale Supérieure des Télécommunications, Thierry Winter started his career within the software department of Bull, by carrying out projects for network and applications management. He has filed several patents on QoS management and security. In 2000, he took the lead of the security R&D of the Evidian company, with a focus on Identity and Access Management. As part of his duties as Evidian CTO, he’s driving the Research and Development activities for the different Evidian product lines. He has participated in many Eureka, FP7 and H2020A collaborative projects, targeting security governance. He has been the initiator and project coordinator for three successful terminated ITEA projects; two received the golden achievement award in 2002 (PEPITA) and 2011 (MULTIPOL). Distinguished Expert, member of the Atos Scientific Community, Thierry is president of the Digital Trust & Security thematic group of the Systematic-Paris-Region ICT cluster.