Authentication-As-A-Service Gains Steam
Improved security, scalability, operational flexibility, and even brand differentiation
are driving AaaS
Ericka Chickowski, Contributing Editor
Dark Reading October 17, 2011
Cost, complexity, and complacency have all contributed to the tremendous
rut that most organizations face when it comes to authenticating users
within both inward- and outward-facing applications. And as IT continues
to progress within the cloud model, the traditional means of authentication
are showing their age given the interconnectedness of applications and
services these days. That's why an increasing number of enterprises and
cloud providers are looking to authentication-as-a-service (AaaS) to
increase security and manage authentication more fluidly.
"The cost and complexity involved in deploying strong authentication
solutions in-house, combined with the elongated time to value, make a
managed or cloud service model very appealing," says Frank Villavicencio,
executive vice president for Identropy.
While AaaS offers up all the traditional SaaS benefits of scalability and
outsourced expertise, the drivers for AaaS go beyond the bottom line,
says Jim Reno, security architect and distinguished engineer for CA
"As the community of users for applications and data expands to include
customers and partners, and as cloud service use grows, AaaS gives
enterprises the ability to more easily manage the wider and more diverse
communities of users that are now a standard part of doing business,"
Reno says. "For example, users from partner organizations are more
effectively managed in a cloud service than brought into internal systems.
The service allows capacity to increase as needed, and allows
management of those users by designated administrators in the partner
That's exactly the scenario that has led the Department of Homeland
Security (DHS) to implement AaaS within 70 different applications. DHS
CIO Richard Spires this month updated Congress on the department's
progress in cloud deployments. He told the House Homeland Security
Subcommittee on Cybersecurity, Infrastructure Protection and Security
Technology that AaaS has helped bridge the gap of authentication for both
federal employees and contractors needing to tap into DHS applications.
Currently DHS authenticates 250,000 federal employees and contractors
AaaS not only offers security and operational benefits, but it can also
provide a differentiating edge for sensitive customer-facing systems,
"There also is an element of service differentiation and branding," says
Ray Wizbowski, vice president of strategic marketing for the Security
Business Unit at Gemalto. "Cloud-based applications want to be seen as a
secure service, and leveraging an authentication service allows their users
to experience the security with a branded token/app at every login."
This can be huge in verticals such as financial services and retail, where
perceived trust is critical.
"Authentication processes directly influence consumers' perception of
trust, especially in areas like online banking and retail," says Roman
Yudkin, CTO at Confident Technologies. "The authentication process is
often the aspect of security that is most visible to users."
As authentication methods change, AaaS also provides a smoother
upgrade path to keep up with the latest attack trends. Many on-premise
systems have suffered from obsolescence, but are too expensive and too
ingrained in the IT fabric to upgrade quickly. That changes when moving
to a services setup.
"Consumer sites like Google, which have introduced two-factor
authentication using SMS, are great examples of using the new cloud
platform to roll out huge capabilities nearly overnight. Google Apps
supported two-factor using SMS, and suddenly 100 million people have an
alternative to passwords," says Eric Olden, CEO of Symplified. "That's a
great example of the power of the cloud versus legacy strong
authentication like RSA."
But like any new deployment model, AaaS is not without its challenges.
One of the difficulties Olden sees customers face is believing that services
such as single sign-on (SSO) AaaS will offer an easy shortcut to securing
identities in the cloud. Not so, he says, explaining that all the
fundamentals stay the same.
"Too many people think SSO is the answer when, in reality, SSO is not
security -- it's convenience. Companies that have made the cloud a
central part of their IT infrastructure realize there are no shortcuts to
security and trust in the cloud," he says. "They understand that they need
a centralized identity and access management foundation for the cloud
that provides classic fundamentals. [They need] AAAA: strong
authentication, access control policy, auditing visibility, and administration
of provisioning. We see far too many people ask for a SSO solution when
instead they should be asking how to have a trusted cloud platform,
starting with authentication and access control and auditing."
As organizations move down the AaaS maturity scale and continue to
support cloud deployments, what they could find is that they need identity
and access management (IAM) delivered as a service, not just straight
"As cloud computing evolves, a model of identity is required that does not
depend on a single centralized user store or administrative domain. This is
IAM-as-a-service, and it is a necessary step in the development of cloud
computing," Reno says. "Not just enterprises, but cloud service providers
will look to support users coming from other systems and being managed
in different ways. So we see a big future for both public and private IAM