With so much technology nowadays delivered via the web, it’s no surprise that an increasing amount of data, applications, and transactions are moving to the cloud—including traditional identity governance and administration (IGA) and access management and enforcement (AME) functionality. IDaaS, or identity as a service, provides cloud-based authentication and provisioning, federated identity or single sign-on (SSO), and analytics, logging, and monitoring services. IDaaS solutions for both access management and IGA replace custom on-premises solutions with cloud-based ones, delivered for a subscription fee.
Last year we published a couple of blog posts on IDaaS: “IDaaS: Does one size fit all?” and a “2018 Prediction: The IDaaS market matures without a clear leader.” Now that we’re in 2020, we wanted to take another look at what trends and changes are driving the market, and look ahead to where our clients are going and what organizations should consider.
The Growing IDaaS Market
A report on the global IDaaS market (covering both IGA and AME) forecasts that it will hit $26 billion by 2027, a growth rate of more than 25 percent from 2019. The Gartner Magic Quadrant for Access Management predicts that in the next few years, a majority (60 percent) of all SSO transactions will leverage federated identity protocols such as SAML, OAuth2, and OIDC over proprietary technology—that’s double what it is today. And by 2024, Gartner predicts that multifactor authentication (MFA) will be used for more than 70 percent of all application access requests—up from 10 percent. Among the vendors Gartner mentions are Auth0, ForgeRock, IBM, Idaptive, Microsoft, Okta, OneLogin, Oracle, and Ping Identity; SailPoint and Saviynt are also popular IDaaS IGA vendors to consider.
The Shifting IDaaS Landscape
There are several trends driving the growth of SaaS-based identity solutions and the direction of IDaaS vendor roadmaps.
- GDPR: The introduction of GDPR in 2018 sparked demand for IDaaS solutions as a way to tightly manage user access and support compliance.
- SSO: Single sign-on (SSO), already ubiquitous in consumer apps, is increasingly deployed in B2B solutions.
- BYOD: A majority of employees are now bringing their own devices to the office and even running work-based applications on them.
- Hybrid Platforms: Because many organizations have a mix of on-premises and cloud-based applications, IDaaS access management solutions need to bridge to non-SaaS applications and existing legacy AME directories.
- Cost Controls: One of the key drivers of cloud IGA adoption is organizations’ desire to curb FTE staff costs by replacing customized, high-maintenance systems.
As the market matures, vendors will consolidate, expand their customer base, and add use cases that accommodate the levels of security, compliance, and customization more organizations need.
Moving forward, organizations will seek to reduce the complexity of their IT infrastructure, collapsing their number of systems to make everything easier to use and manage. From a security perspective, a single “pane of glass” gives organizations an easier way to see everyone’s access. In response, vendors will work to provide comprehensive solutions that consolidate functionality and remove the need for third-party add-ons.
IGA and AME Tool Overlap
Though there are significant distinctions between IGA and AME tools, there’s an increasing amount of overlap among IDaaS solutions. For example, some vendors’ cloud access management tools have evolved to be used for provisioning as well. In organizations with very basic identity needs (just-in-time provisioning and deployment, use of templates), a cloud access management tool might be enough. In organizations that can’t manage their user base as if they were customers, however, an access management tool by itself won’t suffice. What’s important to understand is that IDaaS access management vendors are pitching IGA capabilities that may not be realistic, so organizations should look closely at the complexity of their use cases to avoid ending up with security gaps that never go away or process nightmares. Provisioning and governance, more than one account state for a single identity, and connecting multiple applications will all require a dedicated IGA tool.
Vendor Consolidation and Partnerships
Where IDaaS vendors aren’t overlapping, they’re often partnering: SailPoint’s relationship with Okta is a good example. Companies that don’t merge or acquire each other are trying to avoid competition by partnering with each other, building seamless integrations into their solutions. M&A activity in this space could also result in several large companies with best-of-breed applications dominating the market share, while smaller companies provide niche products. We envision that IDaaS solutions with such broad market share will no longer be limited to the B2B market: several vendors are well-positioned to make a sharp turn that includes B2C populations.
Amazon and Microsoft are beginning to swallow up a lot of the growth in the IDaaS solution market. Their market dominance means that steering committees will exert pressure to go with one of these companies and their free offerings, rather than purchasing a niche tool (for reference, consider the competition between Microsoft Teams and Slack). Microsoft’s tools could present a threat to what is now the symbiotic environment of Okta and SailPoint’s IdentityNow. We can already see how Microsoft might use Azure to control the entire lifecycle of access, and we anticipate that identity governance will soon take a similar turn.
Niche vs. Platform
How do organizations that prefer a bespoke tool make the business case to executives? It might be necessary to show first why Microsoft’s platform won’t work. Currently it’s not difficult for those with heterogeneous environments to make a case for an IGA tool, but it will become more challenging as companies like Microsoft make the market more homogeneous. Small organizations that use automated provisioning to Active Directory probably will be able to centralize on Azure and one or two other enterprise tools. On-premises products offer a unique level of sophistication because they handle use cases that can’t be handled any other way, and organizations that require niche products should be ready to advocate for them with senior leaders. But we expect to see the IDaaS market dominated by use cases that are less sophisticated and more adaptable.
Considerations for Moving to IDaaS IGA
Though nearly all organizations have a SaaS presence at this point, not all organizations match the use cases for existing IDaaS IGA and AME products. The status of your cloud migration, your budgeting and cost systems, your ability to adapt processes, your staffing plans, and your customization requirements will all influence your ability to adopt IDaaS.
Switching from on-premises to the cloud can be a trust issue and a major cultural shift, especially in high-compliance firms. There’s a misperception that on-premises is safe and that the cloud is risky, but this doesn’t hold up. For example, Google Cloud and AWS are both SOC 2 compliant. Not only are data centers only as secure as the company that runs them, but most corporate data centers are not SOC 2 compliant. Organizations that keep their own data behind their own firewall may think it makes them safer, but at the same time they’re inevitably facilitating daily interactions in the cloud anyway. If your leadership doesn’t know what the future may bring, going to the cloud can be a good way to hedge.
It’s understood that on-premises applications allow the product to adapt to the organization, while cloud-based applications require that the organization adapt to the product. But many organizations adopt IDaaS IGA solutions without considering what new external processes they’ll need to create to really make the product work for them. For example, cloud IGA tools lack sophisticated abilities to manipulate data, so your data has to be in its “final format” before it reaches your IGA tool. Will you need to build a lot of middleware utilities or offload data to get it formatted in a way that works for you? Will you need to adapt information from your HR or ETL systems so your IGA application gives you the outcomes you want? At the end of the day cloud IGA applications do introduce hard constraints and compromises, and organizations should evaluate their expectations and their appetite for managing data and processes before moving IGA to the cloud.
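The middleware the section above alludes to, as an added example that is not part of the original post: a small Python pre-processor that takes a constructed HR export and reshapes it into the fixed, per-identity “final format” a cloud IGA tool expects, including the case where one identity carries more than one account state. The column names, status codes, and sample rows are assumptions, not any vendor’s schema.

```python
# Added example (not the original post's code): a pre-processing step of the kind
# the post says you may need in front of a cloud IGA tool that cannot reshape data.
import csv
import io
from datetime import datetime

# Constructed sample HR export (not real data): mixed date formats, mixed status
# spellings, and two rows for 1002 (a contractor converted to an employee).
HR_EXPORT = """employee_id,first,last,email,status,start_date,department
1001,Ana,Lopez,ana.lopez@example.com,Active,2019-03-01,Finance
1002,Ben,Young,ben.young@example.com,TERMINATED,03/15/2018,Engineering
1002,Ben,Young,ben.young@example.com,active,2020-01-06,Engineering
1003,Cara,Singh,Cara.Singh@Example.com,Leave,2017-11-20,Legal
"""
STATUS_MAP = {"active": "ACTIVE", "terminated": "TERMINATED", "leave": "LEAVE"}
DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y")

def parse_date(text):
    """Accept every date format seen in the feed; fail loudly on anything else."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            pass
    raise ValueError(f"unrecognised date: {text!r}")

def normalize(export_text):
    """Return ({employee_id: record}, [review_notes]) in the IGA tool's fixed shape.
    Rows the middleware cannot reconcile on its own are reported, not dropped."""
    by_id, notes = {}, []
    for row in csv.DictReader(io.StringIO(export_text)):
        rec = {
            "employee_id": row["employee_id"].strip(),
            "display_name": f"{row['first'].strip()} {row['last'].strip()}",
            "email": row["email"].strip().lower(),
            "status": STATUS_MAP.get(row["status"].strip().lower()),
            "start_date": parse_date(row["start_date"]).isoformat(),
            "department": row["department"].strip(),
        }
        if rec["status"] is None:
            notes.append(f"{rec['employee_id']}: unknown status {row['status']!r}")
            continue
        prev = by_id.get(rec["employee_id"])
        if prev is None or rec["start_date"] > prev["start_date"]:
            if prev is not None:  # several account states for one identity
                notes.append(f"{rec['employee_id']}: {prev['status']} -> {rec['status']}")
            by_id[rec["employee_id"]] = rec
        else:
            notes.append(f"{rec['employee_id']}: older row ignored")
    return by_id, notes
```

The review notes are the point: an IGA tool fed the raw export would either reject the second row for 1002 or pick one silently, whereas the middleware makes the choice visible to whoever owns the governance process.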
Cloud IGA systems are appealing for many organizations because they tend to be less complicated, easier to implement, and straightforward to manage and maintain. As a result, cloud-based tools require fewer and less-specialized resources—in particular because they don’t need to be customized or maintained. The savings generally aren’t drastic, and organizations will still need onboarding and applications staff. Professional services assistance can be critical to ensure proper implementation and processes from the get-go. But your organization’s ability to find and staff FTEs who can maintain your implementation should factor into your decision about whether or not to go to the cloud.
Cost savings—often in the form of budget or staff headcount—will be a deciding factor for many companies considering IDaaS solutions. It’s common to capitalize outright purchase and implementation of on-premises technology solutions as CAPEX. Subscription costs are typically considered OPEX, which for some companies is tougher to budget for. However, it’s not unlike buying a car: you have to budget for both the purchase and the cost of ownership. An on-premises solution incurs an upfront expense and approximately 20 percent of this expense in ongoing maintenance costs. An IDaaS solution has a lower annual cost than an on-premises one, but IDaaS continues to have the same yearly cost for as long as you have it. So it’s important to keep in mind that within about five years, the overall costs for each solution tend to equalize.
Moving to a multi-tenant, subscription-based IDaaS model gives organizations access to business best practices, and provides workflows built around the best-possible processes. But nearly every company will want to customize around something. You can either adjust your process to match the tool, or you can adjust the tool to match your process. Customization typically makes upgrading a painful experience, whereas IDaaS will update more frequently but won’t allow as much customization.
Organizations should drive their IDaaS decisions by asking themselves some key questions:
- Five years from now, where will the technology be, and what will our needs be?
- Is GDPR compliance part of our IAM strategy and roadmap?
- Are we prioritizing upgrading our wonky business processes to standardized best practices?
- What’s the status of our cloud migration? What percent of our current apps are SaaS vs. on-premises?
- Will IDaaS solutions give us a more centralized way to manage access and provisioning?
- What compromises in cloud IGA tools are we prepared to accept?