How to Choose Between On-Premises and IDaaS Delivery Models for Identity and Access Management

Published: 18 July 2016 | Gartner Analyst: Gregg Kreizman | ID: G00296572

Summary

It may be smart to use identity and access management as a service for all or part of an organization's IAM functions. However, IAM leaders need to analyze the business and technology drivers and blocking factors, as well as the total cost of ownership, to make the appropriate choice.

Overview

Key Challenges

·  Rapid SaaS adoption for the workforce; replacement of homegrown, consumer-facing identity and access management systems; and new B2B initiatives can outpace IAM programs' abilities to deliver effective, efficient and business-enabling IAM.

·  Many organizations lack the staff or the skills to manage on-premises IAM implementations and to extend those implementations to the cloud, consumers and partners.

·  Using identity and access management as a service for web application authentication, single sign-on, and basic identity administration and reporting functionality is relatively straightforward. Replacing customized, on-premises IAM (especially identity governance and administration) software to support legacy application architectures with IDaaS can be costly and difficult.

·  Drivers for moving to IDaaS delivery models include faster time to value, ability to overcome staffing concerns and the perceived ability to overcome organizational issues with internal IAM programs. However, IDaaS breeds shared responsibilities between vendors and buyers, and total cost of ownership for IDaaS and on-premises delivery models should be compared.

Recommendations

IAM leaders should:

·  Identify the root causes for why IAM programs are not delivering value to support changing business priorities.

·  Assess whether staffing challenges are likely to continue during the planning period.

·  Focus IDaaS versus on-premises implementation decision making by determining the use cases that will be supported and by determining whether implementations will be completely new, will augment existing IAM tools or will be replacements.

·  Use this research to determine the responsibilities and costs for on-premises IAM, relative to IDaaS costs for the same functions and features.

Strategic Planning Assumption

Through 2020, organizations that perform cost analysis for internally delivered identity and access management (IAM) will spend 20% less, on average, for IAM as a service (IDaaS) delivery of the same functions, compared with organizations that do not conduct this analysis.

Introduction

The IDaaS market, and client interest in IDaaS as an alternative to on-premises software deployments, continue to grow. [1] However, IDaaS is not for every organization, and the IDaaS delivery model still represents a minority share of the overall IAM market (see "Magic Quadrant for Identity and Access Management as a Service, Worldwide").

Based on client inquiries, Gartner is getting feedback that organizations are not paying attention to the details of business drivers and true costs when comparing on-premises versus IDaaS IAM implementations. [2] Many organizations "do their homework"; however, some clients are unpleasantly surprised by the price tag for subscription-based IDaaS. These organizations have not fully analyzed their current, fully burdened costs for managing IAM. Others may have performed the necessary cost analyses, but do not fully recognize the other business value drivers that would support one delivery model or the other.

How should organizations make informed decisions regarding IAM delivery models? The decision to move IAM workloads to the cloud should be made in the context of the organization's overall sourcing strategies, and organizations, especially those with "cloud first" strategies, should weigh several criteria before advancing with IDaaS (see "Applying a 'Cloud-First' Checklist to Ensure Successful Sourcing and Business-IT Alignment").

IAM leaders should identify IAM business drivers and blocking factors, as well as the use cases and depth of IAM functionality that must be supported. Organizations should also understand the full costs for managing IAM internally before making a decision to use IDaaS (see Figure 1).

Figure 1. Decision Factors for Using IDaaS or On-Premises IAM Implementations

Source: Gartner (July 2016)

Gartner's best practices detail business drivers, IAM functional support available in the markets, IDaaS buyers' and vendors' responsibilities, and total cost of ownership (TCO) categories to be used when considering IDaaS versus on-premises implementations.

Analysis

Identify the Reasons IAM Isn't Delivering Value in Support of Business Priorities

Organizations that have chosen IDaaS have used several non-cost-related drivers as their rationale.

Time to Value

Buyers believe they can reach their IAM goals more rapidly by going with IDaaS. This has been borne out, although mostly for web-centric application use cases that don't require the full features of a traditional IAM software stack, particularly identity governance and administration (IGA). Buyers should expect faster implementation times with IDaaS than with on-premises deployments. This also applies, but to a lesser degree, to full-featured IDaaS and to projects that include legacy applications and functional depth requirements for IGA. IDaaS vendors know their solutions and have worked to streamline implementation and operations. However, these more-complex projects can still require significant time and money to implement, and customization demands are a common cause of prolonged projects and cost increases.

Gartner encourages clients to use products that are configurable, rather than customized, when possible. Organizations that are moving a heavily customized software implementation to a dedicated hosted IDaaS provider model should expect potentially significant transition work to support the new hosting and operations model provided by the vendor.

Overcoming Staffing Shortages/Skills Deficiencies

Gartner clients regularly highlight the inability to obtain or retain staff members who have IAM product skills, and we expect this trend to continue for common planning horizons. [3] Consultants and system integrators (SIs) with these skills may also be in short supply, or they may be deemed too expensive to keep on an ongoing basis. However, organizations that move to an IDaaS model still require some internal expertise for managing the business side of IAM requirements and the interface between the organization and the IDaaS vendor.

Resolving Conflicts Over Duplicate IAM Implementations

Due to mergers or acquisitions, organizations may inherit additional IAM infrastructures. These can coexist; however, organizations may wish to consolidate the functions, and this consolidation may be unsuccessful due to organizational or technical conflicts. Web-centric IDaaS used to augment these solutions may provide standardization and consolidation of IAM to support newer SaaS applications or a B2C implementation, while the duplicated legacy IAM systems continue to serve workforce and legacy application needs.

Overcoming Ineffective or Inefficient Internal IAM Implementations

IAM programs may have failed to deliver expected operational effectiveness or efficiency value for one or more of the following reasons:

·  Insufficient planning

·  Poor IAM governance or lack of leadership buy-in, resulting in an inability to move projects forward

·  Insufficient funding

·  Project scope creep

·  Staffing shortages or skills deficiencies

With the exception of inappropriate technical staffing levels or skills, these inhibitors will not be automatically resolved by switching to IDaaS. There are often root causes for these inhibitors that have nothing to do with the delivery model for IAM, and these issues must be addressed with solid IAM program governance. IDaaS may simply help work around the problems or alleviate some of them (see "Identity and Access Management Program Primer for 2016").

Organizations with mature IAM programs and well-run, fully staffed, on-premises software implementations that meet their needs may have no strong reasons to consider IDaaS, other than for its potential cost savings or the redeployment of IAM staff to other priorities.

Organizations must also evaluate the risks of moving to IDaaS:

·  Data security and especially credential (password) security

·  Service and data residency

·  Service availability and business continuity

·  Other security controls

·  Vendor viability

For our more detailed analysis of IDaaS risks, see "Magic Quadrant for Identity and Access Management as a Service, Worldwide."

Determine Which Use Cases Will Be Supported and Whether Implementations Will Be New, Augment Existing IAM Tools or Be Replacements

Most IDaaS purchases support IAM functions for workforce access to SaaS or to an organization's own web-architected applications. B2C and B2B are the second and third most-prevalent use cases, respectively. Outright replacement of traditional IAM software stacks that support deep IGA functionality and legacy application targets is relatively rare.

Web-centric vendors, such as OneLogin and Okta, provide robust access control and reporting functionality. However, they provide only basic IGA functionality, and most of it is administrative. For example, web-centric IDaaS offerings generally include one level of administrator approval workflow, but few vendors provide manager and application owner approval. Based on Gartner vendor interactions, we believe these features will become more common by 2018. Web-centric IDaaS generally lacks support for the access certification campaigns, role life cycle management, entitlement catalog and segregation of duties (SOD) policy enforcement features of traditional IGA products. The choice to outsource the web-centric functions may come relatively easily for organizations with "greenfield" IAM implementations or for those using IDaaS to augment existing on-premises implementations. Rapid time to value is a strong driver in these cases. Web-centric IDaaS also makes sense for consumer-facing and business-facing use cases.

However, some IDaaS vendors' implementations, such as those of SailPoint, EMC (RSA) and Fischer International, support legacy application targets and require the deeper functionality typically found in mature IAM software products and suites, especially for IGA functions. IDaaS may be replacing traditional on-premises implementations in these cases.

Figure 2 depicts the set of core IAM functions, the common set of cloud and on-premises IAM delivery models, and the extent to which the typical, cloud-based market offerings can deliver IAM functional depth found in traditional IAM software stacks that have been deployed on-premises.

Figure 2. IAM Delivery Models and the Average Functional Depth Provided by the Market

Source: Gartner (July 2016)

The number of circles in each functional category indicates the average functional completeness of offerings in the market. There are exceptions, and the market is dynamic.

Full-featured IGA, access management and authentication can be delivered on-premises, in traditional software and appliance forms, and from the cloud, particularly with dedicated hosted cloud models. Web-centric IDaaS vendors generally limit their feature sets to those that can be configured and leveraged by many customers, rather than features that must be customized or that result from specialized integration. This is why IGA functions are more limited for these web-centric vendors, as are the authorization and authentication features.

Managed IAM services (not shown here) are vendors' outsourced operations and management of customer-owned on-premises implementations. They are alternatives to both self-managed models and IDaaS. Managed services' functional depth is generally equivalent to that of other on-premises options. Managed services let someone else manage IAM day to day, while still allowing for customization and integration, if required. Gartner recommends using products that lend themselves to configuration, rather than customization, to reduce the level of effort and cost, as well as vendor lock-in.

Use a Responsibility and Cost Comparison Framework to Ensure Appropriate Comparisons Between On-Premises Software Implementations and IDaaS

When Gartner clients are taken aback by the prices for IDaaS, it is often because they do not know their organization's TCO for existing or planned IAM software implementations. IDaaS vendors' rates, usually expressed as cost per user per month or cost per transaction, include all of the vendor's costs plus profit. These vendors are betting that economies of scale for their repeatable implementations can offset some of the costs that buyers would incur by doing their own one-off software implementations. The "Magic Quadrant for Identity and Access Management as a Service, Worldwide" contains high-end budgetary estimates for some common IDaaS use cases and implementation sizes. Figure 3 shows the responsibilities that are primarily the IDaaS vendor's, primarily the buyer's, or shared between the vendor and the buyer.

Figure 3. Vendor versus Buyer Responsibilities for IDaaS

Source: Gartner (July 2016)

Table 1 depicts these responsibilities in detail and describes the cost categories that organizations should analyze in total when comparing the organization's own costs for managing current or planned on-premises software implementations versus IDaaS. Many of these costs are for labor. Organizations should consider fully burdened labor costs, including recruitment, training, salaries and benefits. Hidden costs must be exposed (and estimated, if true costs can't be determined), such as those spread over different groups in the organization — for example, operations and the help desk, or shadow support within business units.

Table 1. Cost Categories for Comparing Organizational Costs for Managing IAM Software Deployments Versus IDaaS

Each entry below pairs an organizational cost category for managing an IAM software deployment with the corresponding responsibility and cost under IDaaS.

Cost category: IAM program management and governance, including IAM vision, strategy, plan, build-and-run phases for IAM architecture development
IDaaS: Buyer still owns the IAM program, along with the vision, strategy and plan phases for IAM architecture. Build-and-run phase architecture development will be a shared responsibility, with more falling on the buyer as customization and complex integration requirements increase.

Cost category: IGA data modeling, entitlements cataloging, service requests, fulfillment process design, product selection, planning and implementation
IDaaS: Buyer owns all but the implementation. Some of these functions may also be outsourced to the IDaaS vendor's professional services team or to a third party.

Cost category: Access management process modeling, access policy development, authentication method selection, federation planning and design, and implementation
IDaaS: Buyer owns all but the implementation. Some of these functions may also be outsourced to the IDaaS vendor's professional services team or to a third party. Buyer owns and supports any third-party authentication technologies that the IDaaS vendor does not provide but will integrate with the service. Some IDaaS vendors provide some support for third-party authentication integration.

Cost category: Planning for reporting and monitoring, IAM infrastructure log data, and application log data collection, report or dashboard creation
IDaaS: Buyer owns the planning function. IDaaS vendor provides some level of canned log data collection, reporting and dashboards as part of the service. Buyer is responsible for customization, and is usually responsible for extract, transform and load (ETL) functions to move data from the IDaaS provider to security information and event management (SIEM) systems or other analytics platforms.

Cost category: IAM software purchase and maintenance, or subscription costs, including personnel costs related to acquisition
IDaaS: Included in IDaaS rates. Transition of an existing software implementation to a hosted environment may involve the transfer of licenses, or the buyer may continue paying subscription or maintenance.

Cost category: Infrastructure (e.g., servers, storage, network and facilities) and ongoing operating expenditures (opex) for hosting, managing and monitoring IAM and related infrastructure
IDaaS: Included in IDaaS rates, except for the support of the IDaaS vendor's on-premises components used to bridge any enterprise-owned identity repositories or access management functions to the IDaaS. VPN connections may also be needed. These enterprise-owned components and processes will continue to be cost components.

Cost category: Disaster recovery and business continuity support
IDaaS: IDaaS vendors will operate the service to specific SLAs. However, any on-premises components will need to be replicated or re-created to support recovery operations.

Cost category: User support
IDaaS: IDaaS support is included in rates, but buyers are likely to need to help vendors isolate problems in enterprise-owned or IDaaS-owned components.

Cost category: Software upgrade planning and implementation costs
IDaaS: Buyers are included in planning for some features, but IDaaS vendors handle most upgrades.

Cost category: IAM test environment, including software, infrastructure and facilities to test new and modified IAM implementations prior to going into production
IDaaS: Some IDaaS vendors include a test environment in their per-user subscription rates. Other vendors charge separately for test environments.

Source: Gartner (July 2016)