Sizing Up the Changing IAM Market

New Tools Bridge Gap Between Enterprise, Cloud Apps
Brian Iverson of Gartner

As major cloud vendors, including Salesforce, integrate identity and access management features into their platforms, security professionals must size up the role that stand-alone IAM systems will play in the long run.


Salesforce, which offers customer relationship management software in the cloud, announced recently that it's integrating IAM into its CRM and collaboration platform. The move is a "significant shakeup" to the market and "can mean trouble for companies who offer federated identity as a premium offering," says Brian Iverson, a research director at the consulting firm Gartner.

In addition, Microsoft plans to unveil a version of Active Directory for its Azure cloud platform later this year.

Identity and access management is becoming more challenging as security professionals deal with an increasingly distributed workforce accessing corporate applications and resources from outside the corporate network and using personally owned devices. The growth of cloud computing and the popularity of mobile devices add to the complexity.

Built-In Single Sign-On

Salesforce customers will now be able to take advantage of the built-in IAM features for free instead of dealing with the challenges of integrating a third-party IAM product with Salesforce and other applications. As other technology providers follow suit and add IAM to their platforms, organizations will have to decide whether stand-alone IAM software gives them any benefits that these integrated platforms lack.

Salesforce Identity provides single sign-on capabilities for on-premises enterprise applications, third-party cloud services and mobile apps. End-users will be able to use Salesforce Identity to access not only Salesforce applications but also their SAP applications and third-party services, such as Google Apps, ADP's payroll application and DocuSign document signing service, says Chuck Mortimore, Salesforce's vice president of product management, identity and security. Salesforce Identity is free for the company's enterprise and unlimited customers and $5 per user per month for those who are not customers.

At many organizations, user identity for each application is placed in distinct silos, forcing users to remember dozens of different login credentials just to access all the applications and resources they need to complete their tasks. Enterprises can't easily use Active Directory credentials, which enable the user to log on to the computer and authenticate to the network, with Google Apps, for example. It's a challenge that security professionals face as they're asked to offer users access to on-premises, cloud and mobile applications.

With Salesforce Identity, "there is now the option to use the same platform they already use to manage their customers to manage employees and partners," says Julian Waits, CEO of ThreatTrack Security, a security vendor specializing in detecting and stopping targeted and sophisticated attacks.

Bridging the Gap

The market for IAM is huge. Market research firm IDC estimates it could hit $6.6 billion by 2016. The market has been dominated by large, complex enterprise solutions from IBM, Oracle, Microsoft, CA Technologies and others that focus on on-premises applications, while startups such as Okta, Symplified, OneLogin and Ping Identity have generally focused on IAM for cloud applications.

"The cloud versus enterprise divide to IAM was never a comfortable situation, but had become quite clear cut," says Andy Kellett, a principal analyst at market research firm Ovum. That's why Salesforce's move to offer an IAM that can be applied to both cloud and on-premises applications "breaks the mold," he says.

Changing Strategies

Considering the widespread adoption of Salesforce, and the huge number of organizations that use Active Directory, many security professionals now must consider whether they need a separate IAM system that has to be integrated into the network infrastructure.

Microsoft's Azure Active Directory, now in development, will enable organizations that have already invested considerable resources into using Active Directory for managing their enterprise applications to use it in the cloud as well.

Despite the moves by Salesforce and Microsoft, many organizations will still choose to work with separate IAM providers if their systems' features and capabilities match their needs, Gartner's Iverson says. However, the pressure is on these IAM providers to demonstrate why their technology is worth the extra investment, he says.

"Salesforce offering IAM-as-a-service can be seen as an example of how identity and access management is increasingly becoming commoditized," Iverson says. "The battle is moving toward platform as a service," where cloud providers will need to offer more services integrated together to attract customers, he adds.

Careful Evaluation

But before security professionals consider abandoning stand-alone IAM systems in favor of built-in offerings from major platform providers, they must carefully evaluate the IAM capabilities the platform providers are offering, Waits of ThreatTrack Security recommends.

Some organizations may want to have one password to log into multiple applications, in which case single sign-on is sufficient, Waits says. Other organizations may want more control, specifying which applications are restricted if the user is logging in outside work hours, or from unknown devices. As a result, they may want a more robust IAM platform.

Security professionals need to initiate a discussion with senior executives to determine whether the organization can use a single sign-on system from a major platform provider or whether it needs, instead, a full-fledged identity and access management platform, Waits says.


About the Author

Fahmida Y. Rashid


Technology Editor

Fahmida Y. Rashid is a journalist with 10 years of experience covering information security and technology issues. Before joining Information Security Media Group, Rashid wrote for several publications, including eWEEK and Dark Reading. Earlier in her career, she spent a decade as a network administrator and software developer.



