EzIAM – Moving your Identities to the Cloud – An Analysis
Before an enterprise implements an on-premise IDM (Identity Management) solution, there are a lots of factors to consider. These considerations go way up, if the enterprise were to implement a new cloud IDM solution (i.e decide to move their identities partially or fully to a cloud like AWS, Azure or Google and manage these identities using a cloud IDM solution like the EzIAMTM solution). I will touch upon these items.
There could be 3 types of movers to the cloud.
- New enterprise (or a start-up) that is planning to start their operations with a cloud IDM itself straightaway. These enterprises may not have an on-premise presence at all (Neo IDM Movers).
- Some other enterprises might be planning to move only some of their existing IDM parts to the cloud and keep the rest of them on-premise (they are generally called the Hybrid IDM Movers).
- While a few others could try to move their entire on-premise IDM operations to the cloud (Total IDM Movers). Although there will be some common considerations for these 3 categories of movers, before they decide to move to Cloud IDM, they individually will have some unique issues to deal with.
New Movers to a cloud IDM Infrastructure – companies starting their operations in the Cloud & hence want to have all their identities in the new cloud IDM infrastructure from day 1 of their operations:
These are the companies that start their identity management in the cloud itself straightway. The number of questions that these enterprises would want to be answered would be far less compared to the other 2 category of enterprises. Prime considerations for these type of organizations would be:
- Will the cloud IDM solution be safe to implement (i.e safe to have my corporate users & identities exist in there) ?
- Will the cloud IDM solution be able to address the day-to-day IDM operations/workflows that each user is going to go through?
- Will the cloud IDM solution be able to scale for the number of users ?
- What are the connectivity options (from a provisioning standpoint) that the cloud-idm system provides ? (i.e connecting to their applications/db’s/directories that are existing on the cloud, assuming they are a complete cloud organization)?
- How robust these connections are (i.e in terms of number of concurrent users, data transport safety) ?
- What are the Single Sign-On connectivity options that the solution provides ?
- What are the advanced authentication mechanisms that the solution provides ?
- What are the compliance and regulatory mechanisms in place ?
- What are the data backup and recovery technologies in place ?
- What are the log and audit mechanisms in place ?
If the organization can get convincing answers to the above questions, I think it is prudent for them to move their identities to the cloud. EzIAMTM, as a cloud IDM solution (from 8KMiles Inc.) has the best possible answers to the above questions in the market today. It is definetly an identity-safe, data-safe and a transport-safe solution, meaning identities stored within EzIAMTM directories and databases stay there in a secure manner and when transported either within the cloud or outside, always go through a TLS tunnel. Each component of EzIAMTM (there are 7 components/servers) is load-balanced and are tuned for high scale performance.
There are more than 30 out-of-the-box provisioning connectors available to connect to various directories, databases and software applications. The Single Sign-On connectivity options are innumerable with support for SAML2.0, OpenID 2.0 and OAuth 2.0. Varied advanced authentication mechanisms are supported that ranges from X509 cert/smart card based tokens & OTP/mobile-based authentications. Being in the AWS cloud the backup process and recovery process is as efficient as any back process can be. Daily backups of snapshots and data are taken, with ability to recover within minutes.
Hybrid Movers to a cloud IDM infrastructure – companies moving their on-premise identities & applications to the cloud but not fully yet :
Most of the companies would fall into this category. These kind of movers, move only a few parts of their IDM infrastructure to the cloud. They would initially move their applications to the cloud to start with. Then they would probably move their user stores/directories and along with that their identities to the cloud. They would still have some applications on-premise, which they would need to connect from the cloud IDM solution. They would also want to perform the daily identity workflow process from the cloud IDM solution. This way they can streamline their operations especially if they have offices in multiple locations, with users in multiple Organizational Units (OUs), accessing multiple on-premise and cloud applications.
Hybrid movers would have the maximum expectations from their cloud IDM solution, as the solution needs to address both their on-premise and cloud assets. Generally if these movers can get answers to the following tough questions, they will be much satisfied, before they move their IDM assets to the cloud.
- Will the cloud IDM solution enable me to have a single primary Corporate Directory in the cloud? How will it enable the move of my current on-premise primary directory/user database to the cloud?
- Will the solution allow me to provision users from our existing on-premise endpoints to the cloud?
- Will the solution help me keep my on-premise endpoints (that contain user identities) in tact and move these endpoints in stages to the cloud.
- I have applications, on-premise whose access is controlled by on-premise Access Control software. How can I continue to have these applications on-premise and enable access control to them via the cloud IDM solution?
- How will the solution provide access control to the applications that I am going to move to the cloud?
- Will the cloud IDM solution help me chalk out a new administrator/group/role/user base structure?
- Will the solution help me control my entire IDM life-cycle management (from the day a user joins the org to the time any user leaves the org) through the cloud IDM ?
- How exhaustive will the cloud IDM solution allow my access permission levels to be?
- How often would the cloud IDM solution allow me to do a bulk-load of users from an on-premise directory or db?
- What will the performance of the system when I perform other IDM operations with the system, during this bulk-load of users?
- Will the solution allow us to have a separate HR application which we would want to be connected and synched up with the cloud IDM Corporate Directory?
- What are the security benefits in connectivity, transport, access control, IDM life cycle operations, provisioning, admin-access etc. that the solution offers?
- What are the connectivity options (i.e connecting to other enterprise applications across that enterprise’s firewall’s?)
- What SaaS applications that the solution would allow the users to connect to in the future? How would the solution control those connections through a standard universal access administration for my company?
Total Movers to a cloud IDM infrastructure – companies that move 100% of their identity infrastructure to the cloud from an on-premise datacenter :
The primary motivation behind the “Total Movers” of IDM to the cloud would be the following:
- How can I move my entire IDM infrastructure without loosing data, application access control, identity workflows, Endpoint Identity Data, Connectors ?
- How long would it take for my move ?
- Would I be able to setup a QA environment and test the system thoroughly before moving to production in the cloud?
- How can I transition from my on-premise IDM software to a different cloud IDM software like EzIAMTM?
- What is the learning curve for my users to use this system?
- How can I customize the cloud IDM user interface, so it depicts my organizations profile & IDM goals/strategies ?
- How much can I save in trained IDM skilled personnel and on-premise infrastructure costs when I move my IDM to the cloud in its entirety?
For all the 3 kinds of cloud movers described above, EzIAMTM would be a perfect solution. Pretty much all the questions posted above for all the types of movers, can be answered by the deployment of EzIAMTM. The solution is very versatile, customizable and has great connectivity options to all types of endpoints that an enterprise can have. The learning curve to get used to the screens is very minimal, as the screens are intuitive. Mobile access is enabled. The feature of integrating EzIAMTM with a cloud Governance Service solution is an added incentive for the movers, as this option would be extremely helpful to govern their identity environment efficiently.