Why IDaaS for MSPs?
IDaaS has several characteristics that make it an excellent opportunity for MSPs, particularly for MSPs that are also providing private cloud and hybrid cloud (a combination of private and public cloud) services to their customers.
Demand – IDaaS is one of the fastest growing segments in cloud computing, with Gartner predicting a 55% compound annual growth rate (CAGR) and a total market size of $US 7.3 billion by 2019.
Security – Security continues to be the number one inhibitor of cloud adoption, and effective identity management is the foundation of security. By providing a secure, robust identity system for their customers, MSPs can address cloud security concerns and accelerate their customers’ migration to the cloud.
Value – Identity services are high-value. Simplifying end-user access to low cost cloud SaaS applications adds value while increasing end-user satisfaction and enhancing overall security. Adding user self-service functions adds further value by streamlining the password reset and application access request processes and therefore reducing IT help desk costs.
Revenue – IDaaS can provide a significant and reliable new revenue stream for MSPs. Vendors such as Okta, Microsoft and OneLogin offer IDaaS on a per-user/per-month basis with list prices starting at $US 6 per user/per month. Added-cost features such as multi-factor authentication, mobile device integration, and automated identity provisioning can lift the list price to $15 per user/per month.
Stickiness – Identity is a fundamental component of security and application infrastructure, and properly implemented, provides a way to create and maintain long-term relationships with enterprise customers. Active Directory is a prime example of how sticky identity services are in the enterprise.
Reduce vendor lock-in – MSPs managing SaaS applications for their customers risk losing those customers if they switch SaaS vendors – the customers may simply work directly with the old SaaS vendor. Providing the underlying identity services (including single sign-on) helps insulate MSPs and their customers from the effects of vendor changes, although a migration process may still be required.
Service Opportunities – Because few enterprises will simply lift and shift their entire IT service catalog into the cloud, a hybrid (part on-premises, part in the cloud) environment will be the norm for most enterprise customers. This creates several high-value services opportunities for MSPs:
Reviewing existing identity systems and processes
Developing a modern cloud-focused identity strategy
Integrating on-premises identity services and applications
Developing and implementing customized identity data models and workflows
Why Not Public Enterprise Identity Services Like Microsoft Azure or Okta?
There are several vendors providing capable IDaaS solutions in the public cloud that are mature and relatively easy to set up and use. While for many customers these services provide a workable approach, identity is a service where one size does not fit all, and your customers may be better served by a privately hosted IDaaS solution for various reasons, including:
Regulatory or corporate policy requirements – Many organizations simply can’t put their sensitive identity information in the public cloud, either because of corporate policy or government regulations. These customers may need complete control over the geographic distribution of their identity data, or may simply need dedicated infrastructure. MSPs can address both of these concerns by hosting IDaaS in their own data center.
Better performance – Public cloud identity services are designed to meet the needs of a huge number of concurrent users while using the minimum possible amount of computing resources in a handful of globally distributed data centers. This means that most customers will receive adequate, but not great, performance. By hosting IDaaS in their own data centers, MSPs can provide reduced latency and better performance to those customers who need it.
Flexibility and customizability – In order to achieve the scalability they require to be profitable, public IDaaS providers need to reduce identity to the lowest common denominator. But, although identity is a core software infrastructure service, it is not a one-size-fits-all proposition. Beyond simply adding attributes to a user object, enterprises often need to model organizational structures, projects, and cross-organizational relationships that can’t reasonably be represented by a simple users-and-groups identity model. MSPs can provide this additional customizability when they host IDaaS services for their customers.
What Should MSPs Look for in an IDaaS System?
Customer-oriented features – The most important aspect of any IDaaS system is the set of identity services it provides to your customers. At a minimum an IDaaS system should provide a cloud-based directory service, the ability for end-users to log in (authentication), and single sign-on to cloud-based SaaS applications. In addition, it should offer add-on services, configurable on a tenant-by-tenant basis, including:
Self-service password management
Integration with on-premises identity systems like Active Directory
Fine-grained, policy-based authorization services
Provisioning and synchronization of identities to applications both in the cloud and on-premises
A customizable data model allowing each tenant to define new attributes and new classes of object
Customizable workflows to support on-boarding, off-boarding, access requests, and other identity-related processes
Multi-tenanted – It is not uncommon for software developers to install their traditional single-tenant enterprise application software on a cloud-hosted virtual machine and call it “cloud”. Each customer gets a new virtual machine and a new copy of the software. This approach completely negates the cost and efficiency advantages of computing in the cloud, and it creates a huge administrative burden on the operator to boot. It is critical for a cloud identity platform to be architected from the ground up as a multi-tenant service, leveraging common software infrastructure to increase efficiency and reduce costs.
Standards-based identity services – The IT industry through its various standards bodies such as the IETF and OASIS has invested significant effort to define standard identity-related protocols that are effective, secure and work well on the public internet. These protocols have been heavily reviewed and vetted by experts, and have broad support from application developers and programming tools. Any system that uses proprietary protocols is likely less secure, and certainly more difficult to integrate and support.
Integrated out of the box – Some identity software vendors provide an entire suite of products and leave it to the MSP (or their consultants) to build a custom system. The problem with a made-to-order system like this is not primarily that it takes longer to implement (which it does), but that it is a one-off. Every time the vendor upgrades one of their products, the MSP has to go through the potentially risky process of upgrading pieces of the system. If business requirements change, all of the custom scripts and integration modules may need to be rewritten. And if a new group of consultants is brought in to update the system, the MSP has to pay for their learning curve. A complete product that is integrated out of the box suffers from none of these disadvantages.
Comprehensive API set – Identity is a platform service, meaning that it is consumed not just by end-users, but by other applications as well. Exposing all of the platform’s capabilities, including configuration, through a set of web APIs makes the platform easier to extend and integrate with other applications. A complete set of APIs also makes the identity platform easier to automate, which can significantly reduce operational costs.
Self-contained – There are many platform services available from public cloud vendors that allow cloud application developers to create cloud-based applications faster, cheaper, and more reliably. Amazon Web Services (AWS) for instance provides more than 70 such services, and adds new ones every few months. It is tempting for application developers to use these services whenever they can. But any MSP, and particularly MSPs implementing private clouds, should think carefully before accepting such external dependencies. Most of these platform services are charged for on a per-API-call or per-MB basis, which creates a substantial hidden operating expense that is beyond the MSP's ability to control. Further, customers who are concerned about the privacy and sovereignty of their identity data will certainly not want their identity data leaked to external service providers with whom they have no contractual relationship.
Customizable on a tenant-by-tenant basis – As covered earlier, enterprise identity is not a one-size-fits-all service. Each customer will need at least some level of customization to support their own needs. The areas that most need customization by enterprises include the ability to:
Add new attributes to objects like users and groups
Add new kinds of objects, like departments and projects
Create new relationships between identity objects
Extend the role and permissions models
Insert and customize workflows into identity operations
Define and customize the production of reports
Source and transform identity data from other cloud or on-premises systems, including Active Directory and HR applications
Target and transform identity data to other cloud and on-premises systems
Easy to install and operate – As a rule, MSPs have competent network operations people on staff who are fully capable of installing, configuring, and operating complex enterprise applications. But even so, it is still important for a cloud identity service to be easy to set up and operate, and it should automate (or support the automation of) most common administrative tasks. For instance, adding a new tenant should be a simple API or command-line exercise and should not require administrators to manually provision new virtual machines or configure load-balancers except in extraordinary circumstances. A cloud identity service should also expose performance and debugging information that can be consumed by common cloud management tools, enabling operations staff to monitor and manage the service with little additional effort.
Scalable, robust, and efficient cloud architecture – Cloud service architectures need to support scaling both vertically to support large tenants, and horizontally to support more tenants and higher transactional loads. Cloud services need to replicate critical identity and configuration data in multiple locations to mitigate the risk of a virtual machine or disk failure causing data loss. And finally, cloud services need to be efficient to minimize operating costs.