EzIAM – Moving your Identities to the Cloud – An Analysis

Before an enterprise implements an on-premise IDM (Identity Management) solution, there are a lot of factors to consider. These considerations multiply if the enterprise were to implement a new cloud IDM solution (i.e. decide to move their identities partially or fully to a cloud like AWS, Azure or Google and manage those identities using a cloud IDM solution like EzIAM™). I will touch upon these items.

There could be 3 types of movers to the cloud.

  • A new enterprise (or a start-up) that plans to start its operations with a cloud IDM straight away. These enterprises may not have an on-premise presence at all (Neo IDM Movers).
  • Other enterprises might plan to move only some of their existing IDM parts to the cloud and keep the rest on-premise (generally called Hybrid IDM Movers).
  • A few others could try to move their entire on-premise IDM operations to the cloud (Total IDM Movers). Although there will be some common considerations for these 3 categories of movers before they decide to move to cloud IDM, each category will also have some unique issues to deal with.

New Movers to a cloud IDM infrastructure – companies starting their operations in the cloud and hence wanting all their identities in the new cloud IDM infrastructure from day 1 of their operations:

These are the companies that start their identity management in the cloud itself, straight away. The number of questions these enterprises would want answered would be far fewer than for the other 2 categories of enterprises. Prime considerations for this type of organization would be:

1. Will the cloud IDM solution be safe to implement (i.e. safe to have my corporate users and identities exist there)?
2. Will the cloud IDM solution be able to address the day-to-day IDM operations/workflows that each user is going to go through?
3. Will the cloud IDM solution be able to scale to the number of users?
4. What are the connectivity options (from a provisioning standpoint) that the cloud IDM system provides (i.e. connecting to their applications, databases and directories that exist in the cloud, assuming they are a complete cloud organization)?
5. How robust are these connections (i.e. in terms of number of concurrent users and data transport safety)?
6. What are the Single Sign-On connectivity options that the solution provides?
7. What are the advanced authentication mechanisms that the solution provides?
8. What are the compliance and regulatory mechanisms in place?
9. What are the data backup and recovery technologies in place?
10. What are the log and audit mechanisms in place?

If the organization can get convincing answers to the above questions, I think it is prudent for them to move their identities to the cloud. EzIAM™, as a cloud IDM solution (from 8KMiles Inc.), has the best possible answers to the above questions in the market today. It is definitely an identity-safe, data-safe and transport-safe solution, meaning identities stored within EzIAM™ directories and databases stay there in a secure manner and, when transported either within the cloud or outside, always go through a TLS tunnel. Each component of EzIAM™ (there are 7 components/servers) is load-balanced and tuned for high-scale performance.

There are more than 30 out-of-the-box provisioning connectors available to connect to various directories, databases and software applications. The Single Sign-On connectivity options are innumerable, with support for SAML 2.0, OpenID 2.0 and OAuth 2.0. Various advanced authentication mechanisms are supported, ranging from X.509 certificate/smart-card-based tokens to OTP/mobile-based authentication. Being in the AWS cloud, the backup and recovery processes are as efficient as any backup process can be. Daily backups of snapshots and data are taken, with the ability to recover within minutes.

Hybrid Movers to a cloud IDM infrastructure – companies moving their on-premise identities and applications to the cloud, but not fully yet:

Most companies would fall into this category. Movers of this kind move only a few parts of their IDM infrastructure to the cloud. They would initially move their applications to the cloud. Then they would probably move their user stores/directories, and along with them their identities, to the cloud. They would still have some applications on-premise, which they would need to connect to from the cloud IDM solution. They would also want to perform the daily identity workflow process from the cloud IDM solution. This way they can streamline their operations, especially if they have offices in multiple locations, with users in multiple Organizational Units (OUs) accessing multiple on-premise and cloud applications.

Hybrid movers would have the greatest expectations of their cloud IDM solution, as the solution needs to address both their on-premise and cloud assets. Generally, if these movers can get answers to the following tough questions before they move their IDM assets to the cloud, they will be well satisfied.

1. Will the cloud IDM solution enable me to have a single primary Corporate Directory in the cloud? How will it enable the move of my current on-premise primary directory/user database to the cloud?
2. Will the solution allow me to provision users from our existing on-premise endpoints to the cloud?
3. Will the solution help me keep my on-premise endpoints (that contain user identities) intact and move these endpoints in stages to the cloud?
4. I have on-premise applications whose access is controlled by on-premise access control software. How can I continue to have these applications on-premise and enable access control to them via the cloud IDM solution?
5. How will the solution provide access control to the applications that I am going to move to the cloud?
6. Will the cloud IDM solution help me chalk out a new administrator/group/role/user base structure?
7. Will the solution help me control my entire IDM life-cycle management (from the day a user joins the org to the time any user leaves the org) through the cloud IDM?
8. How exhaustive will the cloud IDM solution allow my access permission levels to be?
9. How often would the cloud IDM solution allow me to do a bulk load of users from an on-premise directory or database?
10. What will the performance of the system be when I perform other IDM operations during this bulk load of users?
11. Will the solution allow us to have a separate HR application that we would want connected and synchronized with the cloud IDM Corporate Directory?
12. What are the security benefits in connectivity, transport, access control, IDM life-cycle operations, provisioning, admin access etc. that the solution offers?
13. What are the connectivity options (i.e. connecting to other enterprise applications across that enterprise’s firewalls)?
14. What SaaS applications would the solution allow users to connect to in the future? How would the solution control those connections through a standard, universal access administration for my company?

Total Movers to a cloud IDM infrastructure – companies that move 100% of their identity infrastructure to the cloud from an on-premise datacenter:

The primary concerns motivating the “Total Movers” of IDM to the cloud would be the following:

1. How can I move my entire IDM infrastructure without losing data, application access control, identity workflows, endpoint identity data or connectors?
2. How long would my move take?
3. Would I be able to set up a QA environment and test the system thoroughly before moving to production in the cloud?
4. How can I transition from my on-premise IDM software to a different cloud IDM software like EzIAM™?
5. What is the learning curve for my users to use this system?
6. How can I customize the cloud IDM user interface so it depicts my organization’s profile and IDM goals/strategies?
7. How much can I save in trained, IDM-skilled personnel and on-premise infrastructure costs when I move my IDM to the cloud in its entirety?

For all 3 kinds of cloud movers described above, EzIAM™ would be a perfect solution. Pretty much all the questions posed above, for all the types of movers, can be answered by deploying EzIAM™. The solution is very versatile and customizable and has great connectivity options to all types of endpoints an enterprise can have. The learning curve to get used to the screens is minimal, as the screens are intuitive. Mobile access is enabled. The option of integrating EzIAM™ with a cloud Governance Service solution is an added incentive for movers, as it would be extremely helpful in governing their identity environment efficiently.

EzIAM – IAM Made Easy on Cloud

8KMiles’ EzIAM combines the power of a reliable user provisioning and user management solution with the benefits of an AWS-hosted, cloud-based deployment model. Whether your organization is interested in provisioning to cloud-based applications and on-premise applications or providing user management for end users, 8KMiles EzIAM provides robust capabilities for user management, user provisioning, and access requests.

EzIAM FAQ


EzIAM™ Identity-as-a-Service was recently launched by 8kMiles on AWS. We get a lot of queries from customers about the technical and functional capabilities of EzIAM. I am planning to write a series of blog posts that will help in understanding this service better. The following FAQ will help introduce the service.

1. What is EzIAM™?

EzIAM is a cloud-based Identity Management solution that can be configured to accomplish 3 important Identity and Access Management functions:

  • Identity Management
  • Advanced Authentication
  • Single Sign-On

2. How is EzIAM different from an On-premise Identity Management Solution?

With EzIAM one can completely outsource the management of their identities to a secure cloud. For a company, especially Small and Medium Businesses, this could be a great option as they can save on:

  • The setup costs of IAM infrastructure
  • Skill and knowledge required to drive the IDM systems
  • Day to Day running & operations of their IDM systems

3. Is EzIAM secure?

All communications from, to and within EzIAM (be it HTTP, LDAP, database operations, reading configuration files, user data input into EzIAM’s HTML forms, or email notifications) happen over Secure Sockets Layer/TLS with AES ciphers and certificates with 2048-bit keys.

4. What are the technology benefits offered by EzIAM?

EzIAM offers a lot of technology benefits for an enterprise:

  • SSL/TLS Communications
  • IAM Hosted in a secure AWS (Amazon Web Services) Virtual Private Cloud (VPC)
  • A Multi-tenant environment where each customer’s data is logically and physically segregated from another customer’s data
  • Advanced & Multi-factor Authentication features that can be leveraged to control access to high valued assets/resources
  • Identity Federation infrastructure that would help companies to access other SaaS Services & expose their own SaaS services to other companies
  • Synchronization with on-premise Active Directory & other on-premise endpoints
  • Out-of-the box SSO connectors to common SSO endpoints
  • Out-of-the box provisioning connectors to common provisioning endpoints
  • Option to have custom connectors to custom endpoints (both SSO and provisioning)
  • Simple and Complex IDM workflows
  • Email Notifications

5. Is EzIAM a multi-tenant solution?

Yes, EzIAM is a multi-tenant solution. Each company’s identity data is logically and physically segregated from that of any other company subscribing to this solution. Designated Tenant Administrators are assigned for each tenant/company and can control the identity and access management objects of their own company only. No asset of one company can be accessed by a user or admin of another company.

6. How is EzIAM managed?

There are 3 sets of administrators to functionally manage EzIAM.

  • MSP Administrators
  • CSP Administrators
  • Tenant Administrators

The 8kmiles team manages the EzIAM infrastructure with strict SLAs.

7. Is EzIAM managed 24×7?

Yes. EzIAM is run and operated by 8kMiles with strict SLAs on a 24×7 basis. The 8kMiles team is responsible for fixing any operational or functional issue related to EzIAM. 8kMiles has deployed multiple layers of support and help desk to troubleshoot any issues.

8. What is the role of the administrators of a company that signs up for EzIAM?

The Tenant Administrator role in EzIAM is assigned to a person (of a company that signs up for EzIAM) who is currently responsible for maintaining that particular tenant/company’s IAM infrastructure on-premise.

9. Can EzIAM be used to “Request Access” by users to applications?

Yes. EzIAM has a “Request Access” feature by which users can request access to applications. The request is assessed, and permission granted, by the administrators who are part of the Request Access workflow.

10. Does EzIAM have email notifications as part of its workflows?

Yes. EzIAM has secure, configurable email servers that ensure email notifications are sent to and received by identities within EzIAM in a secure manner.

11. Does EzIAM support federated access to other SaaS providers and third party applications?

Yes. EzIAM supports federated access to other SaaS providers and third-party applications. A federated partnership can be set up between EzIAM and the external party, wherein EzIAM can act as either the IDP (Identity Provider) or the SP (Service Provider).

12. How is advanced authentication implemented in EzIAM?

Advanced or strong authentication schemes can be used by tenant or CSP administrators to protect high-value resources within the IAM infrastructure of the tenant deployment. They are implemented in an easily configurable manner. An advanced authentication scheme can also easily be configured to be part of a multi-factor authentication flow.

13. What are the primary advanced/strong authentication mechanisms supported by EzIAM?

The primary strong authentication mechanisms supported by EzIAM are:

  • ArcotID PKI
  • ArcotID OTP

14. What is ArcotID PKI?

ArcotID PKI is a patented cryptographic key concealment technology from CA. It can be used to authenticate to a website or other online resource through a web browser.

15. What are the features of ArcotID PKI?

The important features of the ArcotID PKI credential are as follows:

  • An ArcotID PKI can be accessed only with the correct password
  • ArcotID PKI authentication uses a challenge-response authentication protocol. During authentication, a client application on the end user’s device signs the challenge with the end user’s private key. The signed challenge is then sent to the Advanced Authentication Server for verification
  • A plausible response is generated for every password that is entered, even if the password is incorrect
  • The validity period for the ArcotID PKI credential is configurable
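The challenge-response step described in the feature list above, as an added example that is not part of the original post and not CA’s ArcotID implementation: a plain ECDSA (P-256) key pair stands in for the ArcotID credential, and the server side shows the checks a verifier needs beyond the signature itself (the challenge was issued by this server, is unexpired, and is never accepted twice). The password-based key concealment that ArcotID adds on the device is assumed away, and the names AuthServer, NewDeviceKey and RunExchange are this example’s own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// challengeRecord is the server's memory of one issued challenge (in-memory here).
type challengeRecord struct {
	expires time.Time
	used    bool
}

// AuthServer stands in for the Advanced Authentication Server.
type AuthServer struct {
	enrolled   map[string]*ecdsa.PublicKey // public key enrolled per user
	challenges map[string]*challengeRecord // keyed by hex(nonce)
	now        func() time.Time            // injectable clock for expiry checks
}

func NewAuthServer() *AuthServer {
	return &AuthServer{enrolled: map[string]*ecdsa.PublicKey{},
		challenges: map[string]*challengeRecord{}, now: time.Now}
}

// NewDeviceKey generates the user's key pair on the device; only the public
// half is sent to the server at enrolment.
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func (s *AuthServer) Enroll(user string, pub *ecdsa.PublicKey) { s.enrolled[user] = pub }

// IssueChallenge returns a fresh 256-bit random nonce that is valid for ttl.
func (s *AuthServer) IssueChallenge(ttl time.Duration) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[hex.EncodeToString(nonce)] = &challengeRecord{expires: s.now().Add(ttl)}
	return nonce, nil
}

// SignChallenge is the client side: the device signs the challenge with the
// private key. (In ArcotID PKI the key is usable only after the correct
// password unlocks the credential; that unlock step is not modelled here.)
func SignChallenge(priv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify accepts the login only if the challenge was issued by this server, is
// unexpired and unused, and the signature verifies under the enrolled key.
func (s *AuthServer) Verify(user string, nonce, sig []byte) error {
	pub, rec := s.enrolled[user], s.challenges[hex.EncodeToString(nonce)]
	if pub == nil || rec == nil {
		return errors.New("unknown user or challenge")
	}
	if rec.used || s.now().After(rec.expires) {
		return errors.New("challenge already used or expired")
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	rec.used = true // one challenge, one login
	return nil
}

// RunExchange walks through enrol -> challenge -> sign -> verify, then presents
// the same signed challenge again to show the replay check.
func RunExchange() (firstOK, replayRejected bool, err error) {
	priv, err := NewDeviceKey()
	if err != nil {
		return
	}
	srv := NewAuthServer()
	srv.Enroll("alice", &priv.PublicKey)
	nonce, err := srv.IssueChallenge(2 * time.Minute)
	if err != nil {
		return
	}
	sig, err := SignChallenge(priv, nonce)
	if err != nil {
		return
	}
	firstOK = srv.Verify("alice", nonce, sig) == nil
	replayRejected = srv.Verify("alice", nonce, sig) != nil
	return
}

func main() {
	ok, replay, err := RunExchange()
	fmt.Printf("first login accepted: %v, replay rejected: %v, err: %v\n", ok, replay, err)
}
```

The nonce is hashed before signing so the device never signs attacker-chosen raw bytes of arbitrary length, and the server marks each challenge used on first success, which is what makes a captured signed challenge worthless to a replaying party.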

16. What is ArcotID OTP?

ArcotID OTP is a secure software authentication mechanism that allows mobile phones, iPads and other PDAs to be used as convenient authentication devices. The ArcotID OTP credential is used for primary authentication and supports the Open Authentication (OATH) standard. Like the ArcotID PKI credential, ArcotID OTP also uses CA Arcot’s patented Cryptographic Camouflage technology to protect credentials from brute-force attacks.
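The OATH standard the credential supports is the HOTP/TOTP family (RFC 4226 and RFC 6238). The following is an added example, not 8KMiles’ or CA’s code: it implements HOTP and TOTP and the server-side validation with a look-ahead window, which is what keeps an already-accepted code from being accepted again. The shared secret is the RFC 4226 test secret, so the codes can be checked against the RFC’s published vectors; the Cryptographic Camouflage protection of the stored secret mentioned above is not reproduced, and OTPValidator and its window size are this example’s own assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// HOTP computes an RFC 4226 one-time password: HMAC-SHA1 over the 8-byte
// big-endian counter, dynamic truncation to 31 bits, then reduction to digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is the RFC 6238 time-based variant: the counter is the number of
// 30-second steps since the Unix epoch at the given instant.
func TOTP(secret []byte, at time.Time, digits int) string {
	return HOTP(secret, uint64(at.Unix()/30), digits)
}

// OTPValidator is the server side of an event-based OATH credential. It keeps
// the next expected counter per user and accepts a code only from a small
// look-ahead window, so a code that was already accepted can never be replayed.
type OTPValidator struct {
	secrets map[string][]byte
	next    map[string]uint64 // next counter the server will accept
	window  int
	digits  int
}

func NewOTPValidator(window, digits int) *OTPValidator {
	return &OTPValidator{secrets: map[string][]byte{}, next: map[string]uint64{},
		window: window, digits: digits}
}

// Enroll provisions the shared secret (a constructed value in this example; in
// practice it is generated at enrolment and delivered over a protected channel).
func (v *OTPValidator) Enroll(user string, secret []byte) {
	v.secrets[user] = secret
	v.next[user] = 0
}

// Validate checks code against counters next .. next+window-1. On success the
// server's counter moves past the matched one (counter resynchronisation).
func (v *OTPValidator) Validate(user, code string) error {
	secret, ok := v.secrets[user]
	if !ok {
		return errors.New("unknown user")
	}
	for i := 0; i < v.window; i++ {
		c := v.next[user] + uint64(i)
		if hmac.Equal([]byte(HOTP(secret, c, v.digits)), []byte(code)) {
			v.next[user] = c + 1
			return nil
		}
	}
	return errors.New("invalid, reused or out-of-window code")
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 Appendix D test secret
	v := NewOTPValidator(5, 6)
	v.Enroll("alice", secret)
	// counter 0, counter 0 again (replay), counter 3 (ahead, in window), counter 1 (behind)
	for _, c := range []uint64{0, 0, 3, 1} {
		code := HOTP(secret, c, 6)
		fmt.Printf("counter %d code %s -> %v\n", c, code, v.Validate("alice", code))
	}
	fmt.Println("TOTP at t=59s:", TOTP(secret, time.Unix(59, 0), 8)) // RFC 6238 vector: 94287082
}
```

The window trades usability (a device that generated a few codes without submitting them can still resync) against exposure; a server that accepted any code behind its counter would reopen the replay problem that counters exist to close.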

17. What are the Risk evaluation and Fraud detection features enabled in EzIAM?

EzIAM’s Advanced Authentication service provides real-time protection against fraud in online transactions. This is made possible by the following features:

  • End-User Device Identification Data and Location Data
  • Risk Score and advice
  • Risk Evaluation Rules
  • User Device Association

18. What are the secondary authentication mechanisms supported by EzIAM?

Secondary authentication refers to the additional authentication that is performed in the following cases:

  • An end user has either forgotten or wants to reset the password or PIN
  • An end user’s ArcotID PKI or ArcotID OTP credential has expired
  • A roaming end user is trying to authenticate from a device that is different from the one used to enrol with the system, or from any device already marked trusted during a previous roaming attempt
  • Risk evaluation is enabled and generates advice to increase authentication for the transaction the end user is trying to perform

Secondary authentication methods supported by EzIAM are:

  • Question and Answer pairs
  • Security Code (which is similar to a one time password)
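To make Q17 and Q18 concrete, the following added example (not EzIAM’s engine; the rule names, weights, thresholds and login events are constructed for illustration) shows how device identification, user-device association and risk evaluation rules combine into a risk score and advice, and how the non-risk triggers for secondary authentication (an expired credential, a forgotten password or PIN) force a step-up regardless of the score.

```go
package main

import "fmt"

// LoginEvent is what the risk engine sees for one attempt. The field set is
// constructed for this example; a product collects far richer device data.
type LoginEvent struct {
	User      string
	DeviceID  string // device fingerprint or device cookie
	Country   string
	Hour      int    // local hour of day, 0-23
	CredState string // "valid", "expired" or "forgot"
	Amount    int    // transaction value; 0 for a plain login
}

type Advice string

const (
	Allow        Advice = "ALLOW"
	IncreaseAuth Advice = "INCREASE_AUTH" // step up to secondary authentication
	Deny         Advice = "DENY"
)

// RiskRule is one configurable evaluation rule: a predicate plus the points it
// contributes to the score. knownDevice comes from the user-device association.
type RiskRule struct {
	Name   string
	Points int
	Match  func(e LoginEvent, knownDevice bool) bool
}

type RiskEngine struct {
	trusted  map[string]map[string]bool // user -> set of associated device IDs
	rules    []RiskRule
	stepUpAt int // score at or above which advice is INCREASE_AUTH
	denyAt   int // score at or above which advice is DENY
}

// NewRiskEngine installs a small constructed rule set with illustrative weights.
func NewRiskEngine() *RiskEngine {
	allowed := map[string]bool{"US": true, "IN": true} // tenant's expected countries
	return &RiskEngine{
		trusted:  map[string]map[string]bool{},
		stepUpAt: 40,
		denyAt:   90,
		rules: []RiskRule{
			{"unknown-device", 40, func(e LoginEvent, known bool) bool { return !known }},
			{"unexpected-country", 30, func(e LoginEvent, _ bool) bool { return !allowed[e.Country] }},
			{"off-hours", 10, func(e LoginEvent, _ bool) bool { return e.Hour < 6 || e.Hour > 22 }},
			{"high-value", 20, func(e LoginEvent, _ bool) bool { return e.Amount >= 10000 }},
		},
	}
}

// Associate records that a device completed secondary authentication for the
// user, so later logins from it no longer fire the unknown-device rule.
func (r *RiskEngine) Associate(user, deviceID string) {
	if r.trusted[user] == nil {
		r.trusted[user] = map[string]bool{}
	}
	r.trusted[user][deviceID] = true
}

// Evaluate sums the points of every matching rule into a risk score, maps the
// score to advice, and also forces INCREASE_AUTH for the non-risk triggers of
// secondary authentication (expired credential, forgotten password/PIN).
func (r *RiskEngine) Evaluate(e LoginEvent) (score int, advice Advice, fired []string) {
	known := r.trusted[e.User][e.DeviceID]
	for _, rule := range r.rules {
		if rule.Match(e, known) {
			score += rule.Points
			fired = append(fired, rule.Name)
		}
	}
	switch {
	case score >= r.denyAt:
		advice = Deny
	case score >= r.stepUpAt:
		advice = IncreaseAuth
	default:
		advice = Allow
	}
	if advice == Allow && e.CredState != "valid" {
		advice = IncreaseAuth
		fired = append(fired, "credential-"+e.CredState)
	}
	return score, advice, fired
}

func main() {
	eng := NewRiskEngine()
	eng.Associate("alice", "dev-laptop-01")
	for _, e := range []LoginEvent{
		{"alice", "dev-laptop-01", "US", 10, "valid", 0},
		{"alice", "dev-phone-77", "US", 10, "valid", 0},
		{"alice", "dev-unknown-9", "ZZ", 2, "valid", 25000},
		{"alice", "dev-laptop-01", "US", 10, "expired", 0},
	} {
		s, a, f := eng.Evaluate(e)
		fmt.Printf("%-14s score=%3d advice=%-13s rules=%v\n", e.DeviceID, s, a, f)
	}
}
```

The flow that a product wraps around this is: on INCREASE_AUTH the user completes a secondary method (question-and-answer pairs or a security code), and only then does the device get associated, which is why the second login from dev-phone-77 in the test below scores zero once Associate has been called for it.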

19. What is a two-step authentication?

When a two-step authentication is enabled, the end user is authenticated consecutively using two different authentication methods.

20. What are the Advanced Authentication flows?

The Advanced Authentication service of CA CloudMinder provides various advanced authentication flows that cater to a tenant’s business requirements. Each flow is used to secure access to a tenant’s resource and define the authentication steps that take place when end users try to access the resource.

The Advanced Authentication service offers ArcotID PKI, ArcotID OTP, Security Code, and Risk Evaluation as primary credential types that can be used to secure access to a resource. An advanced authentication flow is based on either a single credential type or a combination of these credential types.

21. What are the Advanced Authentication flows supported by EzIAM?

The Advanced Authentication service offers the following advanced authentication flows for the supported credential types:

  • ArcotID PKI Only
  • ArcotID PKI with Risk
  • ArcotID OTP Only
  • ArcotID OTP with Risk

22. What are the ArcotID OTP flows supported by EzIAM?

  • ArcotID OTP Only flow
  • ArcotID OTP Roaming Download flow
  • ArcotID OTP New Device Activation flow
  • Forgot my PIN flow

23. What are the primary Identity Management features supported by EzIAM?

  • User Management
  • Password Management including Synchronizing Passwords on Endpoints
  • Role Management (including Admin & Provisioning Roles)
  • Access Requests
  • Integrating Managed Endpoints
  • On-premise Provisioning
  • Provisioning with Active Directory
  • Synchronization
  • Identity Policies
  • Reporting
  • Workflow
  • Email Notifications
  • Task Persistence
  • System Tasks
  • Custom Connectors

24. What are the primary SSO features supported by EzIAM?

  • SSO Applications configured for your business portal
  • Authentication Methods for SSO Applications
  • Federated Partnerships to enable SSO
  • SSO using a Third-party IDP
  • Secure Token Service (STS)
  • WS-Trust claims transformation
  • Self-registration services for SSO
  • User validation for sensitive applications
  • Attribute Query Support
  • Proxied Attribute Query Support

25. Is EzIAM highly available and load-balanced?

Yes, each component server of EzIAM is load-balanced and is made highly available in an AWS (Amazon Web Services) cloud environment.

26. What are the specific benefits offered by EzIAM to companies, especially SMBs, from a cost standpoint?

  • Companies do not have to invest in an IAM infrastructure
  • Companies do not have to hire or train staff to manage IAM infrastructure
  • IAM consultants need not be hired to perform domain specific complex IAM tasks for IDM setup, federation, SSO or Advanced Authentication
  • The EzIAM infrastructure is available 24×7 with help desk and support, so companies save on these costs too

27. Can EzIAM support directory synchronization with on-premise Active Directories?

Yes, it does. EzIAM can synchronize with an on-premise Active Directory.

28. Can EzIAM support SSO with on-premise applications?

Yes. EzIAM supports SSO to on-premise applications. EzIAM can also protect applications accessed by external users through an SSO process, i.e. it can act as an SP too.

29. Can EzIAM support advanced authentication and/or multi-factor authentication as part of SSO process?

EzIAM supports advanced authentication and/or multi-factor authentication as part of the SSO process.

30. Can EzIAM UI be customized?

Yes. The EzIAM UI can be customized to reflect the tenant environment’s look and feel.