Making the case for Identity-as-a-Service

November 2016 Access Control & Identity Management

Identity-as-a-Service (IDaaS) is a topic that has picked up considerable momentum recently as the IT landscape has continued the shift toward SaaS applications, to the point where today many organisations are seriously considering running security applications from the cloud. As with many new concepts, the unknown presents both exciting and daunting aspects, and it is natural for organisations considering IDaaS to have questions and concerns that need to be addressed before proceeding down that path.

First, not all paths are created equal. It may be tempting to think that there is a step-wise, one-size-fits-all approach to IDaaS, but the truth is that there are multiple variables that influence this decision. It is critical that organisations understand what these variables are, which questions to ask, and the context in which their organisation sits in order to understand whether a cloud-based IAM system is the right approach.

Second, as with any new concept, there are always doubts and perceived barriers to tackle. Organisations should dig deeper into these barriers and understand what the reality, drivers, and constraints are for their particular organisation. The ultimate goal should be to address any doubts and confidently proceed down the right path for you at the moment. To begin, let’s explore whether a cloud-based IAM solution makes sense for you.

Is cloud-based IAM right for you?

Cloud-based Identity and Access Management (IAM) solutions have come a long way. Now that these solutions have achieved a reasonable level of maturity and market acceptance, it’s a good time to evaluate whether this is the right solution for you and your organisation. The more an organisation can ask the right questions and understand what the key criteria are, the more confident it can be in its decisions.

The first consideration is to create, validate, and gain a deep understanding of your organisation’s business and technical goals as they relate to IAM. These goals serve as the most critical guideposts that set the direction in the decision path. Common goals include reducing operational costs, creating a simpler user experience, or even building a more secure system. Dig deep into the primary problems and challenges your organisation is facing, from both a business and technical perspective. Once you have this as the foundation, you can take the next step in evaluating whether a cloud-based IAM solution will work for your organisation.

The next consideration is to look at the volume and types of Software-as-a-Service (SaaS) applications that your organisation uses. This will provide a good indication of what your organisation’s level of acceptance is for SaaS applications. Beyond your organisation’s appetite for SaaS applications, you will also need to understand the level of trust being placed in the cloud. In other words, assess how ‘business-critical’ the SaaS apps are – for example, are only basic HR systems being stored in the cloud, or are critical files being stored in the cloud as well?

As organisations move to the cloud, the hybrid approach is inevitable – consider how your organisation is choosing to take its next step to the cloud. Some organisations choose to deploy only new business applications in the cloud as a first step. Other organisations choose to deploy certain aspects such as development and test in the cloud and deploy production systems inside the firewall. It all depends on the business and technical strategy behind your organisation’s approach.

Finally, bring it up a level higher and question what value a cloud-based IAM solution will bring to your organisation. Various drivers organisations consider include a reduced operational effort, a smaller on-premise deployment footprint, and a financial shift from capital expenses to operational expenses. At the end of this evaluation, the end game is to be sure that, in the right context, a cloud-based IAM solution fits with your organisation. Now that you’ve asked all the right questions and made the assessment that IDaaS is the right choice for your organisation, it is natural that doubts will surface and make way for a few more questions.

Overcoming barriers to IDaaS

Common (or at least, commonly perceived) barriers to IDaaS that we often see include questions around stability, security, cost and interoperability with existing systems. We believe the best approach for each of these is to tackle them head-on, so we can understand whether each obstacle is truly an obstacle.


Stability

Contrary to popular belief, cloud-based solutions do not necessarily offer less stability than an equivalent system deployed on-premise. By design, many enterprises do have a single point of failure in parts of their IT infrastructure. In fact, organisations can rarely justify fully redundant infrastructure for 100% of their applications and are faced with selecting just a few key systems. In comparison, a cloud-based solution runs on commercial-grade cloud infrastructure, which is more robust than an organisation’s standard infrastructure. This, in turn, provides a higher level of uptime.


Security

Now that your data is stored in the cloud, a common fear is the loss of control, given it sits outside your organisation’s traditional boundaries. Again, contrary to popular belief, on-premise deployments are not automatically more secure than cloud-based deployments. The notion of a traditional security perimeter has been shattered, and in place of that, organisations are responding to the demands of business agility and have opened up internal applications to partners, customers, and suppliers.

By doing so, they have of course also opened themselves up to an evolving generation of hackers. IDaaS solutions are deployed with a very limited set of entry points, which reduces the potential for an attack. IDaaS vendors also typically go through rigorous and ongoing penetration tests to ensure that the systems are secure and up-to-date, and in many cases this surpasses the level of testing that on-premise solutions undergo.


Cost

SaaS solutions have shifted the cost and consumption model for enterprise applications. The model has moved from the on-premise licence, associated with an upfront capital expense and annual maintenance costs, to a subscription-based approach, which can usually be classified as an operational expense. Given this, it’s important to understand how your organisation treats capital expenses vs. operational expenses. In some scenarios, it’s easier to secure funding and execute for operating expenses, which would help make the case for IDaaS.

Then, it is important to understand the total cost of ownership behind on-premise vs. SaaS solutions. At first glance, the sticker prices will naturally vary, but also think about hidden costs associated with implementation, customisation, time-to-deployment and maintenance. If your organisation requires complex use cases, oftentimes custom coding is far more involved and costly than a simpler configuration-based deployment. Most organisations find that cloud-based solutions are easier to deploy and faster to derive immediate value from, which translates to a lower cost of ownership.

Interoperability with on-premise applications

As valuable as it is to access external SaaS applications, it is just as critical to access on-premise applications as well. Many IDaaS vendors claim to provide ‘enterprise identity management’, but if you take a closer look, they oftentimes only connect to on-premise directory systems and not with on-premise applications. Take a close look at what vendors claim they do when it comes to application access and understand what it really means. After all, the ability to access only external SaaS applications provides only half of the equation when it comes to business impact.

Fit with existing processes

When it comes to IAM systems, especially IDaaS solutions, this is an ideal time to engage with the line-of-business (LOB). Take this as an opportunity to analyse and improve your current business and technical processes. A time of change is always a good chance to re-evaluate current processes and determine whether changes are required. The key in choosing an IDaaS vendor in this process is to find one that is flexible and can adapt to your current (or proposed) processes.

There is no quick answer when it comes to understanding whether IDaaS is right for your organisation. The best thing you can do for your organisation is ask the right questions, assess your organisation’s business and technical goals, and of course, apply it all in the context of your business. With the right level of thought, planning, and reflection, IT can successfully leverage cloud-based IAM across the organisation for maximum impact.

To download the full white paper, go to
