Enterprise Identity Where You Want It

In my last blog post I discussed Gartner’s recently published report on market trends for cloud-based security services, in which Gartner ranked cloud-based Identity and Access Management (aka “Cloud IAM,” “Cloud Identity,” or “Identity-as-a-Service”) as the largest segment in this year’s $2 billion cloud-based security services market. What struck me in the report were the concerns Gartner raised about cloud identity; most of them come down to where identity data is stored. I want to use this blog post to explore that issue in more detail and relate it to the Centrify approach to storing identity data.

But first a recap of my last blog post: Gartner considers IDaaS one of the top three “must have” cloud security services for prospective customers, and it enjoys one of the highest growth rates within the overall fast-growing cloud security market; in fact it is the largest market segment within cloud security. While this is exciting news for vendors such as Centrify that are innovating in the cloud identity market, note that if you set Gartner’s market size number of $1.24 billion in 2017 for cloud-based identity against IDC’s market size number of $7 billion for the overall identity market in that same year, cloud identity, while growing rapidly, will still be only about 20% of the overall IAM market in 2017. In other words, there is still a big honking market for on-premise identity, which is also good news for vendors such as Centrify who offer on-premise identity solutions alongside our cloud and mobile offerings.

So what did Gartner flag as potential growth inhibitors to this cloud identity market?

The first is the overall availability of a cloud-based service: “a serious failure of one or more well-known, cloud-based security providers could damage organizations’ confidence in cloud-based security as a whole.” Gartner’s reasoning is presumably that organizations may revert to on-premise identity solutions if that scenario plays out. Identity technologies such as on-premise Active Directory have been around for over 10 years and have shown a good deal of stability and reliability, while cloud-based identity solutions are not as mature or battle-tested. So it is critical to the health of the market that vendors show they can match the uptime and availability of on-premise alternatives. And given that cloud startups can come and go (witness Nirvanix), they must also give customers confidence that they will be around for the long haul.

The other major concern is “loss of control” of identity data, with privacy issues tied to that concern. Identity in effect represents the “keys to the kingdom,” and however hard you try to convince large enterprises that “the cloud” is the be-all and end-all, a large European bank with hundreds of thousands of employees may be a bit queasy about having every one of its users’ usernames and passwords for all their apps stored in some startup’s public cloud service. If that cloud identity service is breached, every bit of data reachable through every user’s apps across the entire organization is now exposed. This is a difference in magnitude from, say, the same bank’s cloud-based file share vendor being breached, where only the data in that one SaaS app is in question; a breach at a cloud identity vendor potentially opens up every app the organization has access to.

In addition, if a company’s identity data is stored in a cloud service that resides in a foreign country, it is conceivable that the foreign country may have jurisdiction to gain access to the usernames, passwords, etc. of the entire bank and its users.

So as much as we identity vendors may think cloud is the future, the reality is that while many customers really want centralized identity management for the cloud and mobile resources they are deploying, they may not want the identity data itself stored in the cloud. In other words, organizations want single sign-on to their SaaS apps for their end users, but may still want Active Directory to remain the central identity repository, with the data in AD neither duplicated nor replicated to the cloud and stored in some identity startup’s data center. Instead they want an identity gateway/broker from the cloud into their on-premise AD.

[Side note: I have seen some cloud identity startups cleverly talk up their tight Active Directory integration, how they love AD, etc., but the fine print is that they actually create a duplicate of that on-premise identity data in their cloud. That means their cloud directory becomes a competing authoritative source for identity. So instead of identity consolidation you actually get identity sprawl, with the need for complex synchronization between the two sources and the risks/concerns described above.]
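As an added illustration (not Centrify’s code or any vendor’s implementation), the following toy Python model contrasts the two patterns described above: a synced cloud directory that holds a copy of on-premise credentials and refreshes it on a schedule, versus a brokered service that stores only user-to-app assignments and forwards each login to an on-premise connector. The directory, the sync step, the connector callback, the user “alice” and her app assignments are all constructed for this example. It shows two consequences of the sync model that the side note alludes to: a user disabled on-premise can still log in through the cloud copy until the next sync, and a breach of the synced cloud store yields credential hashes, whereas the brokered store holds none.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Credential:
    salt: bytes
    pwd_hash: bytes
    enabled: bool = True


class OnPremDirectory:
    """Stand-in for the on-premise directory (the post's Active Directory).
    It holds the only authoritative copy of each user's credential.
    Constructed for this example; not a real AD interface."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, name, password):
        salt = os.urandom(16)
        self._users[name] = Credential(salt, self._hash(password, salt))

    def disable(self, name):
        # Deprovisioning: takes effect immediately in the authoritative source.
        self._users[name].enabled = False

    def authenticate(self, name, password):
        cred = self._users.get(name)
        if cred is None or not cred.enabled:
            return False
        return hmac.compare_digest(cred.pwd_hash, self._hash(password, cred.salt))

    def export(self):
        # What a sync agent ships to the cloud: a full copy of the credentials.
        return {n: Credential(c.salt, c.pwd_hash, c.enabled) for n, c in self._users.items()}


class SyncedCloudDirectory:
    """Cloud directory that keeps its own copy of the on-premise data and refreshes
    it on a schedule. Between syncs it is a second, competing authoritative source."""

    def __init__(self, source):
        self._source = source
        self._users = {}
        self.sync()

    def sync(self):
        self._users = self._source.export()

    def authenticate(self, name, password):
        cred = self._users.get(name)
        if cred is None or not cred.enabled:
            return False
        return hmac.compare_digest(cred.pwd_hash, OnPremDirectory._hash(password, cred.salt))

    def dump(self):
        # What an attacker obtains from a breach of the cloud store: every user's hash.
        return {n: c.pwd_hash for n, c in self._users.items()}


class BrokeredCloudService:
    """Cloud service that stores no credentials. It forwards each authentication to an
    on-premise connector and keeps only the user-to-app mapping needed for SSO."""

    def __init__(self, connector, app_assignments):
        self._connector = connector  # callable(name, password) -> bool, assumed here
        self._apps = app_assignments

    def authenticate(self, name, password):
        return self._connector(name, password)

    def dump(self):
        # A breach here yields usernames and app assignments, but no credential material.
        return dict(self._apps)


def deprovisioning_scenario(sync_interval_elapsed=False):
    """Terminate alice on-premise, then see what each cloud model does."""
    ad = OnPremDirectory()
    ad.add_user("alice", "correct horse battery staple")  # constructed sample user
    synced = SyncedCloudDirectory(ad)
    brokered = BrokeredCloudService(ad.authenticate, {"alice": ["crm", "mail"]})

    ad.disable("alice")  # HR terminates alice; AD is updated right away
    if sync_interval_elapsed:
        synced.sync()  # the cloud copy only learns of it at the next sync

    pw = "correct horse battery staple"
    return {
        "synced_accepts_terminated_user": synced.authenticate("alice", pw),
        "brokered_accepts_terminated_user": brokered.authenticate("alice", pw),
        "synced_breach_yields_hashes": any(isinstance(v, bytes) for v in synced.dump().values()),
        "brokered_breach_yields_hashes": any(isinstance(v, bytes) for v in brokered.dump().values()),
    }


if __name__ == "__main__":
    print("before next sync:", deprovisioning_scenario())
    print("after next sync: ", deprovisioning_scenario(sync_interval_elapsed=True))
```

The window in which the synced copy still accepts a terminated user is exactly the sync interval; the brokered model has no such window because every decision is made against the single authoritative source, and there is nothing credential-shaped in the cloud store to lose.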

That being said, there is also significant appeal in having the option to store some or all of your identity in the cloud. For example, a newly formed enterprise may be trying to be “cloud only,” meaning it may not have an on-premise Active Directory. (It should be noted that Active Directory penetration is still in the high 90% range across SMBs and large enterprises, and I know for a fact that many Silicon Valley cloud darlings heavily use AD internally; but if an organization wants to be cloud only, I say go for it!) Or the organization may want to extend access to SaaS apps to users who do not have accounts in AD, e.g. partners, contractors or customers. Having that data stored outside AD and in the cloud gives them flexibility they may not otherwise have.

So what is the right approach to storing enterprise identity? In our opinion it is giving enterprises the flexibility to store their identity data on-premise, in the cloud, or in both places. This is in stark contrast to some startup cloud identity vendors who only allow you to store identity data in their cloud directory. Again, this cloud-only approach may not appeal to organizations who, rightly or wrongly, have concerns about losing control of the keys to the kingdom, have security or privacy concerns, or have flat-out concerns about the long-term viability of the vendor. We on the other hand think choice and options are good, because one approach does not fit all.

So how does Centrify give enterprises “identity where they want it”? We recently rolled out to our Cloud Platform (i.e. the Centrify Cloud Service) a key feature called the Centrify User Service. This means that in addition to Centrify’s leading Active Directory integration for SaaS and mobile management, Centrify now supports cloud-only deployments for non-Active Directory users, as well as hybrid Active Directory and cloud deployments for external users, making this the industry’s most flexible Identity-as-a-Service (IDaaS) offering. Centrify is unique in not replicating Active Directory to the cloud and out of the organization’s control, even if the organization chooses to manage some of its users via Centrify’s cloud model.

The diagram below shows the deployment options we offer, namely what we call Cloud User Identity, Active Directory User Identity, or Hybrid. As you can see, the Hybrid approach gives you the best of both worlds in terms of flexibility.

And this architectural diagram shows how our cloud service can communicate with either AD and/or the Centrify User Service.

Net net, we believe IDaaS should give customers the flexibility to store identity where they want it rather than a one-size-fits-all approach. Hopefully after reading this blog post you will agree.

For more information on Centrify for SaaS or to request a free trial, click here.