Earlier this year, I published a blog article entitled Approaches to Identity-as-a-Service (IDaaS) for Enterprise Identity Management. In this article, I will focus on the advantages of one of the approaches discussed: co-sourced IDaaS (a.k.a. identity management co-sourcing), and, more specifically, the third model, "Hybrid: on-premise and in the cloud".

Figure: Co-Sourced IDaaS


So, why focus on this hybrid co-sourced IDaaS model?  I predict this model will become the de facto approach to Identity and Access Management (IAM) in the future (in two years or so).  Here's why:

  1. It provides an approach that is more palatable to the organization. It neither takes everything to the cloud nor turns everything over to a Managed Identity Service Provider (MISP). Rather, the organization has options for how many, and which, services are migrated to the cloud. This will resonate better with risk, security and compliance officers, who may have some reservations about the migration, and it gives them time to get more comfortable with the MISP.
  2. The model allows for more flexible integrations with internal identity assets, such as Active Directory or HR databases, which might not even be exposed to the cloud due to risk concerns. Having an on-premise footprint alleviates these concerns, and provides for an enforcement point in which data can be filtered, secured and transmitted with the appropriate level of risk mitigation. Likewise, this approach avoids the undesirable side effect of exchanging data files (typically via batch), which then increases the risk of data being leaked. The on-premise footprint (or appliance) can implement a message-driven data exchange model with the internal Identity repository and with the cloud-based Identity service.
  3. From a connectivity standpoint, the on-premise footprint (i.e., the appliance) provides secure communication with the Identity service through the public or private cloud. It may provide caching and queuing to increase the reliability and responsiveness of the service and build high-availability and load-balancing logic, making it easy to determine with which Identity service to connect (provided the Identity service is deployed in a highly-available and hot-swap disaster recovery architecture).
  4. Architected properly, it allows the MISP to scale its managed service model by funneling existing and new services to the same client through the existing architecture. In other words, adding a role management service onto an existing user provisioning service would not require deploying another appliance or opening new ports in the organization's network. The on-premise appliance would be able to syndicate these services transparently. This translates to less overhead for the organization (no additional burden on IT or the auditors) and for the MISP (no additional appliances and no re-architecting needed).
  5. It still achieves the goal of simplifying and reducing the IT footprint that the organization would need to deploy and maintain.
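As an added illustration (not code from the original article) of the appliance role described in points 2 and 3: the on-premise component filters an HR change event down to an approved attribute set so unapproved fields never leave the network, buffers it in a local queue, and delivers it to the first reachable identity service endpoint, parking the message in a dead-letter list after repeated failures. The endpoint URLs, the sample event and the transport callback are constructed placeholders.

```python
import json
from collections import deque
from typing import Callable, Iterable

# Constructed allow-list: the only attributes the appliance may forward to the cloud service.
ALLOWED_ATTRIBUTES = {"employee_id", "given_name", "family_name", "department", "status"}


def filter_event(event: dict) -> dict:
    """Enforcement point: keep approved attributes only, drop everything else (e.g. national IDs)."""
    return {k: v for k, v in event.items() if k in ALLOWED_ATTRIBUTES}


class Appliance:
    """Queues filtered events and delivers each to the first reachable identity endpoint."""

    def __init__(self, endpoints: Iterable[str], send: Callable[[str, bytes], bool], max_attempts: int = 3):
        self.endpoints = list(endpoints)   # primary first, then disaster-recovery endpoint(s)
        self.send = send                   # transport callback; a real appliance uses a TLS client here
        self.max_attempts = max_attempts
        self.queue: deque = deque()        # local buffer that rides out a cloud outage
        self.dead_letter: list = []        # messages that exhausted their delivery attempts

    def enqueue(self, event: dict) -> None:
        payload = json.dumps(filter_event(event), sort_keys=True).encode()
        self.queue.append({"attempts": 0, "payload": payload})

    def flush(self) -> dict:
        """One delivery pass; returns counts so operators can track queue health."""
        delivered, pending = 0, deque()
        while self.queue:
            msg = self.queue.popleft()
            msg["attempts"] += 1
            # any() stops at the first endpoint that accepts the message (primary, then DR).
            if any(self.send(url, msg["payload"]) for url in self.endpoints):
                delivered += 1
            elif msg["attempts"] >= self.max_attempts:
                self.dead_letter.append(msg)
            else:
                pending.append(msg)
        self.queue = pending
        return {"delivered": delivered, "queued": len(self.queue), "dead": len(self.dead_letter)}


if __name__ == "__main__":
    # Constructed scenario: primary endpoint is down, the DR endpoint accepts the message.
    hr_event = {"employee_id": "E100", "given_name": "Ann", "family_name": "Lee",
                "national_id": "000-00-0000", "department": "Finance", "status": "active"}
    app = Appliance(["https://idaas.example/primary", "https://idaas.example/dr"],
                    send=lambda url, payload: url.endswith("/dr"))
    app.enqueue(hr_event)
    print(app.flush())
```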

The Business Side

From the organization's standpoint, the co-sourced IDaaS model, in general, can alleviate the need for:

  • selecting, purchasing, and depreciating IAM technology
  • building, maintaining, and operating the IAM infrastructure
  • customizing and integrating various products
  • staffing, training, and retaining personnel to manage the IAM environment.

All this immediately translates to cost savings.

The MISP is responsible for building, integrating, deploying, and operating the Identity service that suits the organization's requirements.  This approach will reduce upfront costs (not needing to procure hardware and software, and their respective maintenance annuity), which are now blended as part of the managed service "lease."  Likewise, by not having to recruit, train, and retain specialized staff to operate the environment, the model expedites deployment timelines and reduces operational costs and risks to the organization.

In this approach, the MISP is involved in the delivery of the IAM solution, which is then governed by established parameters and service standards (i.e., SLAs). Whether it's hosted on premises or outsourced (in the "cloud"), in the end, the organization sees immediate and measurable value for the services it purchases, in a predictable and simpler manner.

For the MISP, the need to reduce the implementation timeline and create a repeatable model forces it to streamline the deployment process and ensure that it is done with such quality that its operation after deployment requires minimal involvement. In the end, these elements accelerate time-to-value. In a past blog post, I discussed time-to-value as one of the key points to consider in any IAM initiative. It is a metric that is often overlooked; everything else being equal, you should look to shorten time-to-value for the organization.

The MISP will be motivated to shorten and streamline implementation so clients can consume its Identity service(s) much more quickly. Clients will also be able to scale operations and profit from the MISP's efficiency. This distinct synergy in the co-sourced IDaaS model is worth noting: both parties, the organization and the MISP, are motivated to reduce the time it takes to be up and running. This is why we believe that this deployment model will succeed, as it aligns more closely with the interests of the parties involved.

Figure: Comparing Co-Sourced IDaaS vs. Traditional IAM

The charts to the left compare, at a very high level, the typical flow of value and cost over time under the two models, and illustrate why the co-sourced IDaaS model will exhibit a shorter time-to-value.

Furthermore, for current IAM initiatives, there is no longer room for soft ROI; hard dollars are king.

Figure: Cash is King

Organizations need to think about how to measure value and ROI from IAM. We see that in a co-sourced IDaaS model these metrics can be easily tracked and gauged at any given point in time.

Organizations can also benefit from implementing chargebacks from IT to other internal organizations to effectively determine TCO, and possibly ROI, and from shifting their expenditure from capital to operating expense.

In the end, from a business standpoint, the MISP and the organization engage in a long-term contractual relationship, jointly committed to successfully operating an environment with tight controls on scope and complexity.  The net result is that the client measures value immediately and continues to see value on an ongoing basis, through relatively simpler and more transparent metrics.

I hope these points are thought provoking. Your comments are most welcome.

Frank Villavicencio