You are on page 1of 5

IDC 1602


El i mi nat i ng Aut hent i cat i on Si l os and Passwor d
Fat i gue wi t h Feder at ed I dent i t y and Access
November 2013
Adapted from Worldwide Identity and Access Management 2012 – 2016 Forecast: Growth Driven by Security,
Cloud and Compliance, by Sally Hudson and John Grady, IDC #238553
Sponsored by F5 Networks

As enterprises continue to depend on the cloud for delivery of applications and more workers are
using multiple types of devices to access those applications, the need to control who has access to
what will grow. Too often, users suffer from password fatigue, having to create and remember many
log-on procedures in today’s siloed, multi-modal computing world. Critical to keeping company assets
secure is a strong approach to identity and access management, often using a software-as-a-service
(SaaS) delivery model. This Technology Spotlight discusses the growing need for security in today’s
cloud-based, mobile world of IT, and the rise of SaaS-based solutions. In particular, this document
describes cloud IAM and its challenges. After discussing F5 Network’s Cloud Federation IAM
architecture, this Technology Spotlight offers some guidance for enterprises looking for SaaS IAM
In today’s intelligent economy, digital identity has become the foundation for business transactions in
virtually all industries. As smartphones replace wallets, credit cards, PCs, boarding passes, and other
paper-based documents and technologies, the need to provide secure credentials is more important
than ever. In addition, enterprises increasingly are using less-secure social networking sites as a way
to bring consumers to corporate portals and services. From a security perspective, this combination is
a growing nightmare for businesses.
The need to keep corporate assets and identities secure has never been greater. Hackers and others
continue to find ways to attack enterprises and consumers. Attack vectors continue to increase in
number and are becoming more difficult to discover. The constant arms race between attacker and
defender means that enterprises must continue to expand their security spending to defend against
sophisticated attacks. And there is a time lag between the emergence of new threats and the
deployment of new counteracting products.
Similarly, enterprises continue to increase their dependence on Enterprise 2.0 tools, which is fueling
the BYOD (bring your own device) and consumerization of IT trends in business. Not only are
workers more self-sufficient, but these tools typically are less secure than enterprise-level tools. In
addition, the growing reliance on mobile and Web apps make it harder for organizations to provide
system-wide security.
IDC believes that cloud computing will continue to rise as the enterprise IT paradigm. Shared access
to virtualized resources over the Internet will continue to account for a larger portion of IT spending,
and keeping this access secure will be increasingly job number one for IT. As organizations look for
cost-effective ways to keep data and identities secure, they will increasingly turn to security software-
as-a-service (SaaS) to shift security spending from a capital expense to an operational expense.
©2013 IDC 2
Many enterprises use security SaaS technology in conjunction with on-premise security products,
such as Web and messaging security, as well as security and vulnerability management. This trend
will continue, as few enterprises are ready to go to a complete SaaS model for security and give up
complete control of on-premise technologies. In some cases, regulatory requirements mandate this.
Security SaaS will be a key enabler to enterprise mobility and cloud computing efforts. The
technology can provide endpoint control, secure content, and authorize mobile users accessing
corporate systems with an array of company-owned and personally owned endpoint devices. As for
cloud computing, security SaaS will become an inherent component of cloud technology from both
security vendors and cloud computing providers.
Identity and access management (IAM) will be a critical technology for maintaining security and
control of data and IT systems as they transition to cloud computing. In particular, the integration, or
federation, of internal IAM systems with cloud-based identity and access platforms will allow
enterprises to more easily leverage public and private cloud architectures. As such, IDC forecasts
that the worldwide IAM market will account for over $6.6 billion in license, maintenance, and SaaS
revenue by 2016.
Identity and Access Management in the Cloud
IDC defines IAM as a comprehensive set of solutions used to identify users of a system and control
their access to resources by associating user rights and restrictions with an established identity.
Solutions enable the administration of users and access rights, and provide for a complete set of
identity and access management life-cycle activities, including authentication, access control,
administration, and auditing.
To meet the challenges brought about by the overall consumerization of IT, cloud computing, social
business, big data, and a more mobile workforce, IAM software is more likely to be delivered as a
service. This is because there is a limited supply of trained security professionals. The need for
easier solutions will drive the shift from standalone products to SaaS.
Moreover, IAM can be broken down into subcategories, creating an even greater need for expertise
or easy-to-implement solutions. These include Web single sign-on (WSSO) and federated single
sign-on (FSSO); host/enterprise single sign-on (ESSO); personal portable security devices (PPSDs);
user provisioning, including roles-based access control, privileged identity management, and fine-
grained entitlements; advanced authentication; legacy authorization; and software licensing
authentication tokens (SLATs).
The IAM technology stack is common to all enterprise solutions, including SaaS offerings, and serves
both internal and external applications and users. In particular, the authentication layer provides the
functionality to authenticate users to established identities. The identity and policy administration
layer defines and applies the IAM policies of the enterprise, including policies established to identity
and vet entities and provide, change, and remove credentials used throughout the IAM life cycle.
The access management layer provides the functionality and services necessary to provision
resources to established identities, store and maintain these provisions, and provide access to
provisioned resources. The reporting layer provides reporting on IAM administrative activities,
including additions, changes, and deletions to directory entries and access rights.
Finally, the analytics layer provides the ability to analyze IAM activities using current and historical
data for determining resource usage trends and authentication and access violation patterns.
Adding to the challenge of enterprise security is the increasingly broad range of structured and
unstructured data that is moving across the network and the many types of devices used to access
the network. Security solutions must now handle access from smartphones, tablets, PCs, and other
©2013 IDC 3
form factors, often with different operating environments. Provisioning once access is granted now
includes enterprise applications, mobile apps, social media, streaming video, and traditional data.
This creates a highly complex environment in which the enterprise must control who has access to
what and when.
IDC sees six key trends further driving adoption of IAM solutions. These include 1) an increasing
amount of digital information, 2) the continued rise of cybercrime, 3) continued economic pressure, 4)
virtualization of the datacenter, 5) continued growth of the mobile workforce, and 6) the rise in
industry and government regulations.
The Challenges of Cloud-Based IAM
The cost of compliance and the efficiency of IAM solutions are difficult to measure, and this will
continue to be a problem with SaaS delivery. In recent IDC studies, nearly all enterprises interviewed
stated that operating costs and lack of budget are the most significant challenges to effective and
efficient IAM operation. But there still is a need for stronger access management and better
performance across the organization, as well as heavy pressure in many industries to meet
regulatory challenges. On top of that is the fact that IAM in a virtualized, employee-owned, mobile
world is complicated.
Perhaps the biggest challenge with SaaS-based IAM is the creation of separate IT silos that need to
be kept secure. Most SaaS applications, mobile apps, and enterprise solutions have their own
procedures for username, password, and access control enforcement. As a result, these procedures
must be coordinated, or better yet, integrated. They also introduce potential lapses in security and
can reduce productivity. Risks increase when users suffer from the resulting password fatigue
stemming from too many login requirements. New-account creation is more time consuming, but
worse are the risks caused by delayed account deletion.
But the need for organizations to connect a significant number of different systems, from enterprise
applications to third-party apps hosted in other environments, continues to grow. Provisioning them
for access is a difficult process that demands some sort of automated workflow across these silos.
Typically adds, changes, and provisioning of users are done manually, so decentralization of access
management can be a nightmare because many organizations lack the right tools. Redundancies in
identity stores across the enterprise also are a challenge. The biggest issue many organizations have
is coordinating access in a changing environment. As projects and the personnel involved change,
the need to automate becomes imperative.
In addition, reporting and auditing can be a problem, particularly in industries that require proof of
compliance. Regulations such as PCI DSS, SOX, FFIEC, FISMA, NIST Special Publication 800- 53,
HIPAA, and NERC CIP are creating a greater need for integration of IAM. Coupled with this is the
move toward adopting public, private, and hybrid cloud, as well as incorporating mobile devices within
IT infrastructures in a secure fashion.
It's imperative, therefore, that providers of IAM solutions, particularly SaaS-based solutions, provide
proof points that best measure value based on the overall strength of the core security solution. This
includes the degree of automation and life-cycle management, simplicity in administration, and the
ability for the solution to scale across access devices and internal, external, and hybrid IT
Considering F5 Networks
F5 Networks newest foray into cloud-based security solutions is its Cloud Federation architecture,
which provides enterprises with an alternative to adopting and managing SaaS providers’ IAM
solutions. With Cloud Federation, F5 Networks provides unified access management and high-
©2013 IDC 4
performance application delivery for users wherever they are, and on any device. It provides a single
policy management solution to manage users as part of the entire application delivery life cycle.
Cloud Federation architecture differs from multi-factor authentication in that it does not add another
security silo that needs to be managed by IT. While multi-factor authentication is a separate solution
that manages different authentication processes in its own silo, F5’s architecture creates a federation
between SaaS providers and the datacenter to create a silo-less system for IAM.
F5’s Cloud Federation architecture uses Security Assertion Markup Language (SAML) -- an XML-
based open standard data format for exchanging authentication and authorization data between
parties. As a result, the architecture eliminates the need to separately manage independent user
accounts across SaaS and internal solutions, and enables single sign-on (SSO), particularly in Web-
based environments.
Essentially, Cloud Federation inserts a layer of dynamic access and identity management services
that provides federation and unification of credentials across cloud and datacenter resources based
on enterprise authority. This approach is less disruptive than adding another siloed tool or service for
authentication. This layer also provides single-sign on capabilities, mitigating security and efficiency
concerns caused by password fatigue.
IT can govern all policies for sign-on credentials, such as password length, history, interval of change,
and composition. This federation of identity and access management can alleviate loss of control and
resulting security threats. It's designed to improve the overall experience for end users by reducing
the number of credentials they must manage to conduct business. Most important, in today’s multi-
device world, the architecture provides a consistent method for IAM.
The Cloud Federation architecture enables enterprises to provide stronger authorization solutions to
end users, including two-factor authentication, geo-IP location enforcement, and device inspection.
By adding F5’s Local Traffic Manager (LTM) and Access Policy Manager (APM), the architecture
provides a platform for:
 SAML integration between organizations' private IAM systems and external SaaS providers
 Consistent, multi-factor authentication for all users across all systems accessed via the F5 LTM +
APM devices
 A single point of management for all services accessed
 A unified application delivery tier that enables enterprises to control and enforce security and
access policies regardless of application deployment — or user location
But F5 Networks does face some challenges. The company has already sold its solution based on
the architecture providing the needed federation and integration while delivering simplification.
However, established vendors with competing solutions will try and persuade enterprises otherwise.
Similarly, the company will face challenges from the SaaS solutions vendors, who will tout their own
IAM approaches.
Conclusion and Essential Guidance
IDC estimates that cloud services spending will ultimately account for a large proportion of all IT
spending. The key advantage of cloud services will be the ability of IT organizations to shift resources
from maintenance to new initiatives. But when this trend is added to the growing reliance on Web
applications and social media, and associated multiple form factors and data types, it makes it harder
for organizations to provide system-wide security.
©2013 IDC 5
As organizations move to the cloud and associated SaaS offerings, they will look at security SaaS as
a way to shift the growing cost of security from a capital expense to an operational expense. Critical
to the success of security as a service is identity and access management to manage who can
access what and when.
But IAM as a service creates challenges for enterprises, most notably that these technologies can
create silos of sign-on and authentication procedures, creating inefficiencies and potential security
leaks as users take it upon themselves to avoid password fatigue by reusing the same password for
multiple applications. Enterprises looking for expanded IAM in cloud-based networks need a way to
automate the integration, or federation, of multiple internal and external systems.
For organizations looking for comprehensive IAM solutions for their cloud-based networks, IDC
recommends asking themselves the following questions:
 Does the organization have access and authorization policies that are consistent with SaaS and
cloud-based solutions?
 What are the regulatory issues facing the organization and how must IAM support compliance?
 What traditional and SaaS applications need to be linked together, and who needs access?
 How will the organization measure performance and benefits of IAM?
 Which IAM approach will be most effective in helping the organization ensure appropriate security
without increasing end-user complexity?
 What IAM options do the existing SaaS providers offer, and what third-party solutions are
Because SaaS and security vendors will claim that their solutions will meet organizational needs, it's
imperative that any enterprise work with a trusted partner who will help assess what is really needed.
IDC recommends that businesses look for IAM providers with broad industry experience providing
solutions for internal and external networks, and in public/private clouds.
In addition, enterprises should look for standards-based IAM solutions to ensure compatibility and the
ability to create secure application federations. To the extent that F5 Networks can meet the
challenges described earlier, the company’s Cloud Federation architecture has a significant
opportunity for success in this strategically important market.

This publication was produced by IDC Custom Solutions. The opinion, analysis, and research results presented herein
are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor
sponsorship is noted. IDC Custom Solutions makes IDC content available in a wide range of formats for distribution by
various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.
Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires
prior written approval from IDC. For permission requests contact the Custom Solutions information line at 508-988-7610 or Translation and/or localization of this document requires an additional license from IDC.
For more information on IDC visit For more information on IDC Custom Solutions visit
Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015