Series: Trends in Identity and Access Management - Move to IAM SaaS
IAM vendors provide solutions with different delivery models.
Some are purely on-premise applications (the application has to be installed on servers in the customer’s data center). Many on-premise applications can also be delivered as a “Managed Service”, where the installation and management of the application is outsourced to the vendor or their partner. This type of service can also be considered SaaS in a private cloud.
A third type is the SaaS model in a public cloud, where an application instance is shared across multiple customers. A fourth type is a SaaS model where the vendor provides individual application instances for each customer. There are only a few vendors that provide a subscription-based or on-demand IAM SaaS service. Even within this small set of true SaaS providers, there is a vast difference in their application architecture and deployment model.
Here is a short list of questions to ask SaaS vendors to determine whether they are the right fit for your business needs:
Where is the solution hosted (geographically, and whether it is in a private or public cloud; who is the cloud vendor)?
Why is this important? Regulations such as GDPR and other privacy acts such as the California Consumer Privacy Act may require data to be maintained in a specific geography. Regardless of whether the service is in a public or private cloud, make sure the vendor has a good Business Continuity and Recovery Strategy (BCRS).
How is the SaaS solution architected?
Why is this important? Does each customer get their own instance, or is it a shared instance? Shared instances could lead to problems if any of the other customers consume all of the available processing resources.
What is the methodology used for applying version upgrades/patches?
Why is this important? Is there a non-production instance provided to test out product upgrades and enhancements? How long is the period between applying changes to Test and to Prod? This will impact your testing resources.
Is the SaaS vendor willing to share their Security Audit report?
Why is this important? This gives confidence that the vendor is following the security best practices required to maintain the security of your data.
Does the SaaS application have capabilities to connect to your on-premise or legacy applications for managing access, for SSO, or for provisioning accounts?
Why is this important? If the vendor’s solution only provides SSO or provisioning ability to other SaaS applications, this may not meet your requirements. Also, vendors may have certain components that have to be installed on-premise (for example, to allow for SSO integrations with legacy applications or for provisioning connectors), which is something to consider if you are looking for an all-cloud delivery model.
Does the SaaS solution have all the capabilities provided by on-premise applications, especially in the areas of approval or re-certification workflow definition?
Why is this important? Based on your requirements, it is important to ensure that the SaaS vendor has the functional capabilities to support your use cases. You should also draw a roadmap of how your program will develop so that you have a clear picture of what functionalities you would require in the next 2-3 years, and ensure that the SaaS vendor has them in their product roadmap in the time-frame you require.
Organizations may have other questions that are of particular concern, such as branding, vanity URLs, availability of connectors to specific applications, frameworks and standards followed by a vendor for access control, privacy or provisioning, API protection, and API integration. If you engage Formmi to help with your IAM assessment, we help you ask the right questions and choose the solution that best fits the organization’s processing and budget requirements as part of that engagement.
And, especially for those customers choosing to go with a SaaS solution, we have our flagship FastIAM service, which is a guaranteed fixed-cost, fixed-time implementation. We don’t think that the cost of implementing a product should be more than the cost of the product itself!