What to ask IDaaS vendors before you buy

Of the Everests that IT faces daily, identity and access management is a particular challenge. These 10 questions help you find a solution that delivers what you need.


Identity as a service (IDaaS), also known as identity and access management as a service, uses a cloud infrastructure for securely managing user identities and access enforcement. At its most basic level, IDaaS enables single sign-on (SSO) for systems in the cloud or on-premises, but it goes well beyond that to include access provisioning and deprovisioning, governance and analytics.

Leading vendors in the IDaaS field in 2016 (per Gartner) included Okta, Microsoft and Centrify, with OneLogin, Ping Identity, SailPoint, Covisint, Salesforce, Lighthouse Security (IBM) and EMC/RSA figuring prominently as well. Although each company offers IDaaS, differences in feature sets and capabilities can make one solution preferable over the others for a particular organization.

According to DocuSign CIO Eric Johnson, an IDaaS solution will become your centralized mechanism to access all important business applications. Choosing the right solution is imperative because any downtime will result in a significant business disruption. It's important to consider things like the solution's integration capabilities, single sign-on (SSO) experience and security when deciding which IDaaS is best for you.

These 10 questions, contributed by DocuSign and Box — IDaaS customers who have already gone through the selection and acquisition process — provide a foundation when evaluating vendors.

1. How secure is the IDaaS product?

Mark Schooley, senior manager of IT operations at Box, says that security sits at the center of every SaaS evaluation that Box completes and notes that it’s critical when evaluating IDaaS. "Security is extremely important because, with IDaaS solutions, we are entrusting the keys to the front door of (in some cases) our most important and sensitive applications."

DocuSign’s Johnson agrees that security is a high priority, adding that "the solution should provide automated fraud detection tools that block suspicious user access. The solution should be able to integrate with the company's existing security tools and infrastructure, such as a security information and event management (SIEM), for further security management and analysis."

2. Does it provide out-of-box integration with a broad range of applications and infrastructure?

"Companies are able to realize additive value with each application that is on-boarded to the solution," says Johnson. "This reduces overall company risk, removes painful manual processes and is a better employee experience."

Johnson adds that the solution should provide cross-platform support, including the capability to control apps on mobile devices. Forward-thinking IDaaS solutions should provide the flexibility to be used with any type of IT infrastructure, including firewalls, virtual private networking, wireless access and other key infrastructures that require user access management.

3. What integration/development model does it use?

Schooley says that the integration/development model is highly important when evaluating an IDaaS solution. Box, like many other organizations, needs to be able to integrate with a large ecosystem of applications and other vendor solutions. Schooley suggests looking for a solution with an extremely rich application programming interface (API) that can be used to automate complex tasks and build advanced integrations.

4. Does it support integration with your existing user directory store?

Johnson says the solution needs to support — with minimal disruption — the employee system of record, whether it's on-premises or in the cloud, and with an HR system or Active Directory, for example. This ensures fast deployment and time to value of the solution.

5. Does it provide both an SSO experience and key user access management capabilities?

"The solution should provide flexibility to support a wide range of SSO technologies, such as Security Assertion Markup Language (SAML), OpenID Connect, Active Directory Federation Services (ADFS) and others. This assures integration with a wide variety of enterprise applications," according to Johnson.

He also says the solution should provide third-party applications with the ability to easily enable user provisioning, updates and deprovisioning capabilities to fully support the employee life cycle.

6. Does it support multiple SSO policies?

"The solution should provide flexibility to create different SSO policies based on application risk profiles and be adaptive in cases where suspicious access is detected," says Johnson. "The solution should support multiple different factors, including soft and hard tokens, endpoint certificates and look to support new innovative factors like biometrics."

7. Does it provide world-class performance capabilities?

Johnson suggests looking for a vendor and solution with a spotless uptime track record, and one that can provide proof of a highly available infrastructure and commit to a service level agreement (SLA) that quickly resolves any issues.

8. Does it offer a unified, centralized experience?

Schooley believes a unified, centralized experience is very important for both the end user and the IT administrator. "It's important for us to have a consolidation of services onto a single, easy-to-manage platform," he says.

9. What is the cost of using it?

The elimination of upfront hardware costs, lower ongoing maintenance costs and subscription-based pricing are top reasons why organizations are flocking to cloud-based services in general. However, even at a relatively low per-user monthly fee, the cost can climb quickly. And evaluators need to determine ahead of time whether customization, troubleshooting and the like are part of the overall package.

Schooley says that the cost of an IDaaS solution needs to be reasonably priced with a licensing model that's flexible and simple. "We want to see cost savings versus existing incumbent home-grown/on-prem solutions."

10. What do other customers say about the vendor's experience and track record?

Any organization looking to move to IDaaS wants reassurance that the vendor can provide a service that improves the organization's existing capabilities and can continue in that capacity over the next three to five years.

A preferred IDaaS solution "needs to have a proven track record of success in late-scale deployments," advises Schooley. When evaluating vendors, Box wanted to hear from other organizations using a particular solution that it was a must-have technology because it "transforms the way we work every day."

This story, "What to ask IDaaS vendors before you buy" was originally published by CIO.

Copyright © 2017 IDG Communications, Inc.
