Setting Your Expectations for Cloud IAM Success

“Who?” has replaced “where?” as the fundamental question to ask, and answer, to maintain your organization’s security posture. Employees, customers and partners are no longer corralled by perimeters. Instead, they are in an ever-widening geographical area, with varying degrees of need to access your data and applications.

By having a strong identity and access management (IAM) program in place, you can ensure that the right people have the right access at the right time to the right information. The principles of this remain the same, regardless of whether your IAM enforcement is handled on-premises or in the cloud. But understanding and setting expectations can help you select the right cloud IAM solution, and help ensure its effectiveness for your organization. 

What is cloud-based IAM?

Traditionally, IAM solutions have been delivered as software- or appliance-based applications requiring a considerable amount of integration and customization to meet the complex business and security needs of the organization. In the past, implementing IAM solutions involved multiyear, multimillion-dollar projects requiring large consulting and implementation teams to achieve the desired outcomes. This kept IAM out of the reach of many commercial and mid-market organizations, and often lead to failed or partial implementations for many that undertook these initiatives.

Today, advancing cloud IAM technologies have lowered investment entry points, putting IAM solutions back into consideration for many organizations. Cloud-based IAM solutions offer many of the benefits of traditional software-based solutions without the heavy infrastructure requirements, significantly reducing the cost of implementation and the cost of maintenance. Along with the benefits, there are also nuances to cloud-based IAM solutions that are important to understand.

Cloud-hosted IAM versus SaaS-based IAM

Cloud IAM includes both cloud-hosted and Software as a Service (SaaS) solutions, sometimes referred to as Identity as Service (IDaaS).

Cloud-hosted IAM has some similarities to on-premises solutions, with each customer having their own software instance and database. While this can allow greater control over the solution by offering the same features and flexibility as traditional software-based solutions, it can also be more expensive to implement and maintain over time than a SaaS solution. Patching customized software can create a risk if the new feature or patch breaks existing code extensions or other extensions to the system, which is why most cloud-hosted solutions are updated in scheduled intervals, often every three or six months. Because cloud-hosted solutions must be regression-tested, most updates are applied to a non-production instance before being applied to production.

In comparison, SaaS solutions are fully cloud-based and multi-tenant, using shared software and a shared database that isolates each customer’s data. A multi-tenant solution generally offers greater savings through economies of scale.

Setting expectations for SaaS-based IAM

One common challenge for organizations moving from an on-premises IAM solution to a SaaS-based solution is understanding the differences. A SaaS IAM solution is not as flexible as an on-premises solution that is customized with code. Instead of bending the features to meet your requirements, you will instead need to bend your requirements to meet the features available in your SaaS-based IAM solution.

The functionality of a SaaS IAM solution is based on configurations. While not as customizable, a well-configured SaaS solution can meet most requirements, and there is little to no coding or developer time needed. This also means there is no way to inject a coding error into the IAM process that will adversely affect your security posture.

For most organizations, the lack of customization is usually more than offset by the ability to set and forget. A SaaS-based solution does not require the IT team to patch or maintain the software; updates are frequently and instantly applied to safeguard your IAM program from improper maintenance or management. A SaaS-based solution can also offer cost savings and improvements in uptime.

Security for IAM in the cloud

The use of a cloud-based IAM solution often includes an on-site agent or appliance in your data center that maintains the security of the communications to the cloud using outbound connections. Maintaining complex firewall rules, site-to-site VPN connections, and host components in a demilitarized zone (DMZ) subnet are all eliminated.

A properly configured cloud-based IAM solution offers the same level of security as an on-premises solution and requires less time, skill and resources to secure your IAM program in the cloud.

Making the move to cloud-based IAM

Are you ready to move your IAM program to the cloud? The following considerations can help you decide which IAM delivery works best for you:

  • What level of maintenance does your team have the time and skills to deliver?
  • Are budget constraints a concern?
  • What is your current IT infrastructure architecture and road map? Is modernizing part of your strategy?
  • Does your organization use CapEx or OpEx budgeting for IT programs?
  • Do you have special compliance or certification requirements, such as NIST or FedRAMP?
  • Do you have data residency requirements such as GDPR?

Choosing the right IAM solution

Whether you are ready to implement a new IAM program or to modernize your existing program, Sirius has the expertise to help you identify your organization’s IAM drivers to pick the best solution for you.

We use a vendor-neutral approach, and our IAM experts can work with you from discovery to proof-of-concept to implementation so that your IAM program meets your most critical security and business needs. Contact us today to learn more.

By and |2020-07-27T15:32:22-05:00July 29th, 2020|Blog|Comments Off on Setting Your Expectations for Cloud IAM Success

About the Author: and

Thad Smith is a Principal Consultant with the Sirius Security practice.

Andy Egan is a Senior Solutions Architect, IAM Services for Sirius.