From The Expert Feature Article
April 01, 2013

Twelve Questions for Cloud Identity Management


By TMCnet Special Guest
Thomas Pedersen, CEO and Founder, OneLogin

According to Gartner, by the end of 2014, IDaaS (Identity Management-as-a-Service) will account for 25 percent of all new IAM sales, compared to less than 5 percent in 2012. At the same time, cloud-based apps are spreading rapidly through the enterprise.

In fact, OneLogin's 2013 State of Cloud Application Access Study showed that 78 percent of respondents plan to increase the number of cloud apps in their organizations this year.

As we reach this tipping point in cloud adoption, it’s important for IT pros to ask the right questions of cloud identity management providers. Here are 12 of the most critical:

  1. Is Active Directory integration batch or real-time?

Real-time directory integration means that all directories are updated whenever changes are made in one directory within seconds, creating a “kill switch.” This is important as the last thing you want is sensitive data sitting out there in the cloud that's still accessible by former employees. Yet according to our survey, 20 percent of firms admitted that former employees could still access applications after they no longer worked for the company.

  2. Is there a planned downtime or read-only mode for any portion of your IAM product during upgrades or maintenance windows?

By its very nature, a single sign-on service to other applications must be extremely reliable. While some SaaS vendors operate with planned partial or full downtime, a cloud-based single sign-on solution should perform without planned downtime – this includes planned read-only mode for the admin interface during upgrades.

  3. What set of pre-integrations does your IAM solution offer?

Since the value of an identity management solution is a direct function of its ability to integrate across an organization’s IT assets, any head-to-head product evaluation should start with a comparison of the competing vendors’ pre-integrated offering. The size of the app vendor ecosystem and directory types is paramount (Active Directory, LDAP, Workday, GoogleApps, etc.), but don’t overlook other types of infrastructure such as VPN integration (Juniper SSL VPN, Cisco ASA, SonicWall, RADIUS-based VPNs, etc.).

  4. How extensible is your IAM solution?

In today’s dynamic business environment, even smaller businesses or teams need to be ready to incorporate new network infrastructure and applications. Whether it’s through an acquisition, new branch office or joint venture, IT needs to consider the advantages of having a complete and highly extensible identity platform that can cover requirements when business needs change. Does the IAM vendor offer free SAML Toolkits for all five Web development frameworks or third-party SAML plugins for popular Web apps like Drupal, Joomla, Moodle, Wordpress, and Atlassian’s Jira and Confluence?

Do you have access to a well documented REST API for unique requirements?

  5. Do you have access to user-provisioning with entitlements?

Fact is, many SaaS applications offer built-in provisioning capabilities, including Box, Clarizen, Dropbox, Echosign, Google Apps, GoToMeeting, HipChat, Netsuite, Parature, RemedyForce, Salesforce, SAManage, WebEx, Yammer and Zendesk. For example, upon creating a new user in Salesforce, you should also be able to assign the new user to the Admin, Marketing or Sales group based on business rules inside the IAM solution. Most IAM vendors offer real-time user provisioning, importing, matching and de-duplication as well as Just In Time Provisioning into the IAM directory. But most stop at basic CRUD operations.

  6. How flexible is your IAM solution in terms of defining password constraints, session timeouts, IP address restrictions and enforcing Multi-Factor Authentication, and can you apply these policies at the account level, to individual groups or to specific users?

Modern cloud-based IAM solutions should empower IT to take back the security controls they once had when all their applications were behind the corporate firewall.
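The layering the question asks about (account default, group policy, user-specific policy) is easy to get wrong in a way that silently weakens controls. The following is an added example, not OneLogin's code, of one defensible resolution order: group settings merge with the account default by taking the stricter value, and a policy attached to a specific user overrides what it inherited, so that any exception is explicit. The tenant, group and user names, the CIDR ranges and the field names are all constructed for the illustration.

```python
"""Layered IAM security policies: account, group and user attachments.

Added example, not OneLogin's code. Assumed model: settings attached to a group
merge with the account default by taking the stricter value; a policy attached
to a specific user overrides whatever it inherited (so an exception for one
account is explicit and auditable). All identifiers and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    min_password_length: Optional[int] = None
    session_timeout_min: Optional[int] = None
    require_mfa: Optional[bool] = None
    # Each element is one CIDR allow-list; a client must match every list present.
    network_restrictions: Tuple[Tuple[str, ...], ...] = ()


def _stricter(a, b, pick: Callable):
    """Combine two optional settings; an unset side never weakens the other."""
    if a is None:
        return b
    if b is None:
        return a
    return pick(a, b)


def merge_strict(base: Policy, other: Policy) -> Policy:
    """Group layer: longer passwords, shorter sessions, MFA if either side wants it."""
    return Policy(
        min_password_length=_stricter(base.min_password_length, other.min_password_length, max),
        session_timeout_min=_stricter(base.session_timeout_min, other.session_timeout_min, min),
        require_mfa=_stricter(base.require_mfa, other.require_mfa, lambda x, y: x or y),
        network_restrictions=base.network_restrictions + other.network_restrictions,
    )


def override(base: Policy, other: Policy) -> Policy:
    """User layer: any field set on `other` replaces the inherited value."""
    return Policy(
        min_password_length=base.min_password_length if other.min_password_length is None else other.min_password_length,
        session_timeout_min=base.session_timeout_min if other.session_timeout_min is None else other.session_timeout_min,
        require_mfa=base.require_mfa if other.require_mfa is None else other.require_mfa,
        network_restrictions=other.network_restrictions or base.network_restrictions,
    )


# Constructed tenant data.
ACCOUNT_POLICY = Policy(min_password_length=10, session_timeout_min=480, require_mfa=False)
GROUP_POLICIES = {
    "all-staff": Policy(min_password_length=12),
    "finance": Policy(require_mfa=True, session_timeout_min=60,
                      network_restrictions=(("203.0.113.0/24",),)),
}
USER_POLICIES = {
    # A service account exempted from MFA but pinned to a 5-minute session.
    "svc-backup": Policy(require_mfa=False, session_timeout_min=5),
}
USER_GROUPS = {
    "alice": ["finance", "all-staff"],
    "bob": ["all-staff"],
    "svc-backup": ["finance"],
}


def resolve_policy(user_id: str) -> Policy:
    """Account default -> strict merge of the user's groups -> user override."""
    policy = ACCOUNT_POLICY
    for group in sorted(USER_GROUPS.get(user_id, [])):
        policy = merge_strict(policy, GROUP_POLICIES.get(group, Policy()))
    return override(policy, USER_POLICIES.get(user_id, Policy()))


def ip_allowed(policy: Policy, client_ip: str) -> bool:
    addr = ip_address(client_ip)
    return all(any(addr in ip_network(cidr) for cidr in allow_list)
               for allow_list in policy.network_restrictions)


def evaluate_login(user_id: str, client_ip: str, mfa_completed: bool) -> list:
    """Return the policy checks a login attempt fails (empty list = allowed)."""
    policy = resolve_policy(user_id)
    failures = []
    if not ip_allowed(policy, client_ip):
        failures.append("ip_not_allowed")
    if policy.require_mfa and not mfa_completed:
        failures.append("mfa_required")
    return failures


def password_acceptable(user_id: str, candidate: str) -> bool:
    return len(candidate) >= (resolve_policy(user_id).min_password_length or 0)


if __name__ == "__main__":
    for uid in USER_GROUPS:
        print(uid, resolve_policy(uid))
    print(evaluate_login("alice", "198.51.100.9", mfa_completed=True))
```

The point of the two different merge functions is that a user-level exception (here, the service account without MFA) can loosen a control, so it is the one place a reviewer needs to look, while adding a user to a second group can only tighten what applies to them.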

  7. Are administrative roles and privileges fixed or flexible?

Flexible roles and privileges mean that you can give users the power to manage accounts, groups or specific users. This means that a LOB manager could administer his own group and users.

  8. Can you assign security policies to specific users independent of granting their access to their apps?

This flexibility could be important for the ability to separate app administration from user management.

  9. What else can you do with Active Directory Groups besides simply grouping people and apps?

You may find it useful to use attributes in Active Directory as an indicator for assigning roles (groups of applications), group memberships (policies), as well as performing bulk operations (like activating users).

Bulk operations should let administrators perform operations on sets of users based on any combination of role, group and status. Examples of bulk operations include applying mappings, sending invitations, activating accounts, deactivating users and forcing password resets.

  10. How easy is it to define a logical structure for application access that doesn’t correlate exactly with Active Directory Groups?

Seventy-two percent of the respondents in our survey have the need to provide external users (i.e. consultants) with temporary access to the company’s cloud applications. Will you ever need to manage cloud app access outside of your on-premise AD model? Would it be beneficial for you to be able to write and rewrite rules in seconds without changing your on-premise security permissions?
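Questions 1, 9 and 10 describe one mechanism from three angles: directory attributes feed rules, rules grant roles (groups of applications), a disabled account loses everything on the next sync, and bulk operations act on whatever set of users a selector matches. The following added example, not OneLogin's code, shows that mechanism end to end; it goes slightly beyond the text by letting a rule use any attribute (department, employee type, contract end date), not only group membership, which is what makes an access model that does not mirror the on-premise groups possible. The directory entries, role names, applications and attribute names are constructed, though the attribute names mirror common Active Directory ones.

```python
"""Directory attributes driving application roles, change-driven deprovisioning
and bulk operations.

Added example, not OneLogin's code. Assumed model: a rule is a predicate over a
user's directory attributes that grants a role; a role is a named set of
applications; a disabled directory account yields no access at all, which is the
"kill switch" a real-time sync relies on. All users, groups and apps are constructed.
"""
import copy
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

TODAY = date(2013, 4, 1)
AFTER_CONTRACT = date(2013, 7, 1)

# Constructed directory snapshot (attribute names mirror common AD names).
DIRECTORY: Dict[str, dict] = {
    "alice": {"memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"], "department": "Finance",
              "employeeType": "Employee", "disabled": False, "contractEnd": None},
    "carol": {"memberOf": [], "department": "Marketing",
              "employeeType": "Contractor", "disabled": False, "contractEnd": date(2013, 6, 30)},
    "dave": {"memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"], "department": "Finance",
             "employeeType": "Employee", "disabled": True, "contractEnd": None},
}

# Roles are groups of applications.
ROLES: Dict[str, Set[str]] = {
    "finance-apps": {"netsuite", "salesforce"},
    "baseline": {"google-apps", "box"},
    "contractor-baseline": {"box"},
}


def fresh_directory() -> dict:
    """Independent copy so change and bulk operations do not touch the snapshot."""
    return copy.deepcopy(DIRECTORY)


def in_group(user: dict, cn: str) -> bool:
    return any(dn.startswith(f"CN={cn},") for dn in user["memberOf"])


def contract_active(user: dict, today: date) -> bool:
    return user["contractEnd"] is None or user["contractEnd"] >= today


# (description, predicate(user, today), role). Rules may combine any attributes,
# so the access model need not mirror the on-premise group layout one to one.
RULES = [
    ("Finance group or Finance department",
     lambda u, t: in_group(u, "Finance") or u["department"] == "Finance", "finance-apps"),
    ("Employees get the full baseline",
     lambda u, t: u["employeeType"] == "Employee", "baseline"),
    ("Contractors get a reduced baseline until contract end",
     lambda u, t: u["employeeType"] == "Contractor" and contract_active(u, t), "contractor-baseline"),
]


def evaluate(user: dict, today: date) -> Tuple[Set[str], Set[str]]:
    """Return (roles, apps) for one user; a disabled account gets nothing."""
    if user["disabled"]:
        return set(), set()
    roles = {role for _, pred, role in RULES if pred(user, today)}
    apps = set().union(*(ROLES[r] for r in roles))
    return roles, apps


def apply_change(directory: dict, user_id: str, changed: dict, today: date) -> Tuple[Set[str], Set[str]]:
    """Real-time sync: apply one directory change, return (grant, revoke) app deltas."""
    before = evaluate(directory[user_id], today)[1]
    directory[user_id].update(changed)
    after = evaluate(directory[user_id], today)[1]
    return after - before, before - after


def select(directory: dict, today: date, role: Optional[str] = None,
           group: Optional[str] = None, status: Optional[str] = None) -> List[str]:
    """Pick users by any combination of role, directory group and status."""
    out = []
    for uid, user in directory.items():
        if status == "active" and user["disabled"]:
            continue
        if status == "disabled" and not user["disabled"]:
            continue
        if group is not None and not in_group(user, group):
            continue
        if role is not None and role not in evaluate(user, today)[0]:
            continue
        out.append(uid)
    return sorted(out)


BULK_OPERATIONS = {
    "deactivate": lambda u: u.update(disabled=True),
    "force_password_reset": lambda u: u.update(mustChangePassword=True),
}


def bulk_apply(directory: dict, user_ids: List[str], operation: str) -> List[Tuple[str, str]]:
    """Run one named operation over a user set; the returned list is the audit trail."""
    op = BULK_OPERATIONS[operation]
    for uid in user_ids:
        op(directory[uid])
    return [(uid, operation) for uid in user_ids]


if __name__ == "__main__":
    d = fresh_directory()
    print(apply_change(d, "alice", {"disabled": True}, TODAY))
    print(bulk_apply(d, select(d, TODAY, group="Finance", status="active"), "force_password_reset"))
```

Two things worth noticing: `apply_change` returns the revoke set from a single attribute flip, which is exactly what a real-time sync must push to every connected app within seconds, and `select` composes role, group and status so a bulk operation can target, for instance, only the active members of a group without touching accounts that are already disabled.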

  11. How does your IAM solution increase worker productivity and/or break down SaaS data silos?

Does it work seamlessly across the web, mobile and iPads? Can your users search across cloud apps in real-time? How easy and secure is your Mobile OTP App for Multi-Factor Authentication (e.g., is there a push feature that sends the one-time password out-of-band over a cellular or wireless network, so the digits do not have to be entered manually)?

  12. How quickly will you need to add additional applications to your system? Will your IAM solution require an extra charge?

Our survey showed that 71 percent of respondents admit to using cloud applications that have not yet been sanctioned by their IT department (like Dropbox and Gmail) to get work done. The ability to quickly add new apps will be crucial to overall security.


Thomas Pedersen is chief executive officer and founder of OneLogin, the innovator in identity management with 12 million users across 700 enterprise customers in 35 countries, including AAA, Gensler, Netflix, News International, Pandora, Steelcase and PBS.




Edited by Braden Becker