Making the case for Identity-as-a-Service

Access & Identity Management Handbook 2017 Access Control & Identity Management

Identity-as-a-Service (IDaaS) is a topic that has picked up considerable momentum recently as the IT landscape has continued the shift toward SaaS applications, to the point where today many organisations are seriously considering running security applications from the cloud. Many organisations today are considering IDaaS, but as with many new concepts, the unknown presents both exciting and daunting aspects. As organisations consider IDaaS, it is natural to have questions and concerns that need to be addressed before proceeding down that path.

First, not all paths are created equal. It may be tempting to think that there is a step-wise, one-size-fits-all approach to IDaaS, but the truth is that there are multiple variables that influence this decision. It is critical that organisations understand what these variables are, which questions to ask, and the context in which their organisation sits in order to understand whether a cloud-based IAM system is the right approach.

Second, again, as with any new concept, there are always doubts and perceived barriers to tackle. The goal organisations should reach for is to dig deeper into these barriers and understand what the reality, drivers, and constraints are for their particular organisation. The ultimate goal should be to address any doubts and confidently proceed down the right path for you at the moment. First, let’s explore the topic of whether a cloud-based IAM solution makes sense for you.

Is cloud-based IAM right for you?

Cloud-based Identity and Access Management (IAM) solutions have come a long way. Now that these solutions have achieved a reasonable level of maturity and market acceptance, it’s a good time to evaluate whether it is the right solution for you and your organisation. The more an organisation can ask the right questions and understand what the key criteria are, the more confident can the organisation be in its decisions.

The first consideration is to create, validate, and gain a deep understanding of your organisation’s business and technical goals as they relate to IAM. These goals serve as the most critical guideposts that set the direction in the decision path. Common goals include reducing operational costs, creating a simpler user experience, or even building a more secure system. Dig deep into what the primary problems and challenges your organisation is facing, from both a business and technical perspective. Once you have this as the foundation, you can take the next step in evaluating whether a cloud-based IAM solution will work for your organisation.

The next consideration is to look at the volume and types of Software-as-a-Service (SaaS) applications that your organisation uses. This will provide a good indication of what your organisation’s level of acceptance is for SaaS applications. Beyond your organisation’s appetite for SaaS applications, you will also need to understand the level of trust being placed in the cloud. In other words, assess how ‘business-critical’ the SaaS apps are – for example, are only basic HR systems being stored in the cloud, or are critical files being stored in the cloud as well?

As organisations move to the cloud, the hybrid approach is inevitable – consider how your organisation is choosing to take their next step to the cloud. Some organisations choose to deploy only new business applications in the cloud as a first step. Other organisations choose to deploy certain aspects such as development and test in the cloud and deploy production systems inside the firewall. It all depends on the business and technical strategy behind your organisation’s approach.

Finally, bring it up a level higher and question what value a cloud-based IAM solution will bring to your organisation. Various drivers organisations consider include a reduced operational effort, a smaller on-premise deployment footprint, and a financial shift from capital expenses to operational expenses. At the end of this evaluation, the end game is to be sure that, in the right context, a cloud-based IAM solution fits with your organisation. Now that you’ve asked all the right questions and made the assessment that IDaaS is the right choice for your organisation, it is natural that doubts will surface and make way for a few more questions.

Overcoming barriers to IDaaS

Common (or at least, commonly perceived) barriers to IDaaS that we often see include questions around stability, security, cost and interoperability with existing systems. We believe the best approach for each of these is to tackle them head-on, so we can understand whether each obstacle is truly an obstacle.


Contrary to popular belief, cloud-based solutions do not necessarily offer less stability than an equivalent system deployed on-premise. By design, many enterprises do have a single point of failure in parts of their IT infrastructure. In fact, organisations can rarely justify fully redundant infrastructure for 100% of their applications and are faced with selecting just a few key systems. In comparison to a cloud-based solution, it runs on commercial-grade cloud infrastructure, which is more robust than an organisation’s standard infrastructure. This, in turn, provides a higher level of uptime.


Now that your data is stored in the cloud, a common fear is the loss of control, given it sits outside your organisation’s traditional boundaries. Again, contrary to popular belief, on-premise deployments are not automatically more secure than cloud-based deployments. The notion of a traditional security perimeter has been shattered, and in place of that, organisations are responding to the demands of business agility and have opened up internal applications to partners, customers, and suppliers.

By doing so, they have of course also opened up their vulnerability to an evolving generation of hackers. IDaaS solutions are deployed with a very limited set of entry points, which reduces the potential in an attack. IDaaS vendors also typically go through rigorous and ongoing penetration tests to ensure that the systems are secure and up-to-date, and in many cases, surpass the level of testing that on-premise solutions undergo.


SaaS solutions have shifted the cost and consumption model for enterprise applications. The models have shifted from the on-premise licence associated with an upfront capital expense and annual maintenance costs. This has shifted to a subscription-based approach, which usually can be classified as operational expenses. Given this, it’s important to understand how your organisation treats capital expenses vs. operational expenses. In some scenarios, it’s easier to secure funding and execute for operating expenses, which would help make the case for IDaaS.

Then, it is important to understand the total cost of ownership behind on-premise vs. SaaS solutions. At first glance, the sticker prices will naturally vary, but also think about hidden costs associated with implementation, customisation, time-to-deployment and maintenance. If your organisation requires complex use cases, oftentimes custom coding is far more involved and costly than a simpler configuration-based deployment. Most organisations find that cloud-based solutions are easier to deploy and faster to derive immediate value from, which translates to a lower cost of ownership.

Interoperability with on-premise applications

As valuable as it is to access external SaaS applications, it is just as critical to access on-premise applications as well. Many IDaaS vendors claim to provide ‘enterprise identity management’, but if you take a closer look, they oftentimes only connect to on-premise directory systems and not with on-premise applications. Take a close look at what vendors claim they do when it comes to application access and understand what it really means. After all, the ability to access only external SaaS applications provides only half of the equation when it comes to business impact.

Fit with existing processes

When it comes to IAM systems, especially IDaaS solutions, this is an ideal time to engage with the line-of-business (LOB). Take this as an opportunity to analyse and improve your current business and technical processes. During time of change, it is always a good chance to re-evaluate current processes and determine whether changes are required. The key in choosing an IDaaS vendor in this process is to find one that is flexible and can adapt to your current (or proposed) processes.

There is no quick answer when it comes to understanding whether IDaaS is right for your organisation. The best thing you can do for your organisation is ask the right questions, assess your organisation’s business and technical goals, and of course, apply it all in the context of your business. With the right level of thought, planning, and reflection, IT can successfully leverage cloud-based IAM across the organisation for maximum impact.

To download the full white paper, go to

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Improved security health check tool
Gallagher Access Control & Identity Management Products
Gallagher Security has streamlined its free Security Health Check tool, making it easier than ever to protect against potential system risks and improve business efficiencies.

Suprema showcases integrated security solutions
Suprema Access Control & Identity Management Products
Apart from being an access terminal that supports multiple credentials such as facial recognition, RFID, mobile and QR codes, the BioStation 3 also supports VoIP Intercom and real-time video monitoring features to make it a truly multi-functional reader.

Local electronic locks
Access Control & Identity Management
YeboTech is an electronics manufacturing company, founded in 2005, which designs, markets and sells an electronic key and locking systems, aimed at replacing all conventional mechanical locks.

Selecting the correct access control system
Enkulu Technologies Access Control & Identity Management
Frazer Matchett, Managing Director of Enkulu Technologies, suggests the right questions to ask when selecting an access control solution; not just the access system, but the integrated solution that fits your requirements.

Integrated guarding services
XtraVision Integrated Solutions Access Control & Identity Management Industrial (Industry)
XtraVision offers a few tips on how to go about planning and setting up an integrated approach to sustainable and successful security services, from the initial risk assessment to the technology and people required.

Paxton secures multi-tenant office in Cape Town
Paxton Integrated Solutions Access Control & Identity Management Products
Cecilia Square in Paarl, Cape Town is an office building from where several businesses operate. The multi-tenant site has recently undergone a full refurbishment, including a complete upgrade of its security system for access control.

AI face recognition OEM module
Suprema News Access Control & Identity Management Products
Suprema AI, a company specialized in artificial intelligence–based integrated security solutions, recently launched its high-performance face recognition OEM module called ‘Q-Face Pro’ in response to the growing need for contactless security solutions.

KWAL raises a glass to security upgrade
Turnstar Systems Access Control & Identity Management Products
The Kenya Wine Agencies Limited (KWAL) was in need of an integrated security upgrade. This is where Turnstar came into the picture to provide a solution that would keep KWAL secure and efficient.

Dahua Insider Series for touchless access
Dahua Technology South Africa Access Control & Identity Management Products
The Insider Series Access Control Solution offers touchless access (via Bluetooth) using the DMSS mobile app; it has three distance modes and two trigger modes (normal and shake).

Time and attendance with a difference
Access Control & Identity Management
The Platinum Mobile app allows employers to track employees work hours, location, leave and more, when employees do not have access to the office clocking terminal, are onsite or out in the field visiting clients.