Managed Service Providers (MSPs) traditionally operate and maintain all or part of their customers’ IT services, including applications, operating systems, and networking infrastructure. They provide high-value services requiring technical knowledge and experience that their customers either don’t have or can’t afford. This includes managing availability and performance, keeping software up to date and providing the technical knowledge and experience to keep their customers’ IT services secure and available. MSPs have enjoyed a good return for providing these services, but that world is changing.
The rapid growth of cloud-based software-as-a-service (SaaS) applications is putting the squeeze on the MSPs’ business. Where previously enterprise customers would purchase various office automation and line-of-business (LOB) applications and have MSPs operate them, they can now obtain equivalent applications in the cloud. These require little or no technical experience to install and operate. They provide reduced complexity, potentially better availability and performance, and are often cheaper than those delivered by MSPs. Customers assume that cloud-based SaaS apps are sufficiently straightforward to manage by themselves and that therefore they do not need the expertise of an MSP.
MSPs need to adapt to this changing environment in order to attract and keep customers. They need to leverage their technology expertise to deliver more value to their customers. A compelling way to do this is to add customizable, standards-based Identity-as-a-Service to their offering. This gives the MSP a way to generate more revenue, increase customer satisfaction, retain existing customers, attract new customers, and create a framework for new opportunities to provide additional high-value services.
Identity as a Service (IDaaS)
Cloud-based IDaaS services are a relatively new addition to the cloud SaaS world. Vendors in the market today typically provide capability in one of three areas: end-user social identity (Google), application-centric identity (Auth0), or enterprise identity (Okta, Microsoft, OneLogin). For an MSP serving enterprises, this last category is the most interesting.
Conventionally an enterprise-focused IDaaS offers a directory service, browser-based authentication (username and password-based login), integration with on-premises Active Directory, and single sign-on (SSO) to cloud-based SaaS applications. Just this basic capability provides substantial value to the customer. Identity data (users and groups) can be managed by non-IT staff, and the ability to get single sign-on to their cloud-based applications improves the end-user experience, decreases help-desk calls, and reduces the security problems associated with having multiple usernames and passwords.
Why IDaaS for MSPs?
IDaaS has several characteristics that make it an excellent opportunity for MSPs, particularly for MSPs that are also providing private cloud and hybrid cloud (a combination of private and public cloud) services to their customers.
Demand – IDaaS is one of the fastest growing segments in cloud computing, with Gartner predicting a 55% compound annual growth rate (CAGR) and a total market size of $US 7.3 billion by 2019.
Security – Security continues to be the number one inhibitor of cloud adoption, and effective identity management is the foundation of security. By providing a secure, robust identity system for their customers, MSPs can address cloud security concerns and accelerate their customers’ migration to the cloud.
Value – Identity services are high-value. Simplifying end-user access to low cost cloud SaaS applications adds value while increasing end-user satisfaction and enhancing overall security. Adding user self-service functions adds further value by streamlining the password reset and application access request processes and therefore reducing IT help desk costs.
Revenue – IDaaS can provide a significant and reliable new revenue stream for MSPs. Vendors such as Okta, Microsoft and OneLogin offer IDaaS on a per-user/per-month basis with list prices ranging from $US 6 per user/per month. Added-cost features such as multi-factor authentication, mobile device integration, and automated identity provisioning can lift the list price to $15 per user/per month.
Stickiness – Identity is a fundamental component of security and application infrastructure, and properly implemented, provides a way to create and maintain long-term relationships with enterprise customers. Active Directory is a prime example of how sticky identity services are in the enterprise.
Service Opportunities – Because few enterprises will simply lift and shift their entire IT service catalog into the cloud, a hybrid (part on-premises, part in the cloud) environment will be the norm for most enterprise customers. This creates several high-value services opportunities for MSPs:
- Reviewing existing identity systems and processes
- Developing a modern cloud-focused identity strategy
- Integrating on-premises identity services and applications
- Developing and implementing customized identity data models and workflows
Reduce vendor lock-in – MSPs managing SaaS applications for their customers risk losing those customers if the customers switch SaaS vendors: the customers may simply work directly with the old SaaS vendor. Providing the underlying identity services (including single sign-on) helps insulate MSPs and their customers from the effects of vendor changes, although a migration process may still be needed.
Why Not Public Enterprise Identity Services Like Microsoft Azure or Okta?
There are several vendors providing capable IDaaS solutions in the public cloud that are mature and relatively easy to set up and use. While for many customers these services provide a workable approach, identity is a service where one size does not fit all, and your customers may be better served by a privately hosted IDaaS solution for various reasons, including:
Regulatory or corporate policy requirements – Many organizations simply can’t put their sensitive identity information in the public cloud, either because of corporate policy or government regulations. These customers may need complete control over the geographic distribution of their identity data, or may simply need dedicated infrastructure. MSPs can address both of these concerns by hosting IDaaS in their own data center.
Better performance – Public cloud identity services are designed to meet the needs of a huge number of concurrent users while using the minimum possible amount of computing resources in a handful of globally distributed data centers. This means that most customers will receive adequate, but not great performance. By hosting IDaaS in their own data centers, MSPs can provide reduced latency and better performance to those customers who need it.
Flexibility and customizability – In order to achieve the scalability they require to be profitable, public IDaaS providers need to reduce identity to the lowest common denominator. But, although identity is a core software infrastructure service, it is not a one-size-fits-all proposition. Beyond simply adding attributes to a user object, enterprises often need to model organizational structures, projects, and cross-organizational relationships that can’t reasonably be represented by a simple users-and-groups identity model. MSPs can provide this additional customizability when they host IDaaS services for their customers.
What Should MSPs Look for in an IDaaS System?
Customer-oriented features – The most important aspect of any IDaaS system is the set of identity services it provides to your customers. At a minimum, an IDaaS system should provide a cloud-based directory service, the ability for end-users to log in (authentication), and single sign-on to cloud-based SaaS applications. It should also offer add-on services, configurable on a tenant-by-tenant basis, including:
- Multi-factor authentication
- Self-service password management
- Integration with on-premises identity systems like Active Directory
- Fine-grained, policy-based authorization services
- Provisioning and synchronization of identities to applications both in the cloud and on-premises
- A customizable data model allowing each tenant to define new attributes and new classes of object
- Customizable workflows to support on-boarding, off-boarding, access requests, and other identity-related processes
Multi-tenanted – It is not uncommon for software developers to install their traditional single-tenant enterprise application software on a cloud-hosted virtual machine and call it “cloud”. Each customer gets a new virtual machine and a new copy of the software. This approach completely negates the cost and efficiency advantages of computing in the cloud, and it creates a huge administrative burden on the operator to boot. It is critical for a cloud identity platform to be architected from the ground up as a multi-tenant service, leveraging common software infrastructure to increase efficiency and reduce costs.
Standards-based identity services – The IT industry through its various standards bodies such as the IETF and OASIS has invested significant effort to define standard identity-related protocols that are effective, secure and work well on the public internet. These protocols have been heavily reviewed and vetted by experts, and have broad support from application developers and programming tools. Any system that uses proprietary protocols is likely less secure, and certainly more difficult to integrate and support.
Integrated out of the box – Some identity software vendors provide an entire suite of products and leave it to the MSP (or their consultants) to build a custom system. The problem with a made-to-order system like this is not primarily that it takes longer to implement (which it does), but that it is a one-off. Every time the vendor upgrades one of their products, the MSP has to go through the potentially risky process of upgrading pieces of the system. If business requirements change, all of the custom scripts and integration modules may need to be rewritten. And if a new group of consultants is brought in to update the system, the MSP has to pay for their learning curve. A complete product that is integrated out of the box suffers from none of these disadvantages.
Comprehensive API set – Identity is a platform service, meaning that it is consumed not just by end-users, but by other applications as well. Exposing all of the platform’s capabilities, including configuration, through a set of web APIs makes the platform easier to extend and integrate with other applications. A complete set of APIs also makes the identity platform easier to automate, which can significantly reduce operational costs.
Self-contained – There are many platform services available from public cloud vendors that allow cloud application developers to create cloud-based applications faster, cheaper, and more reliably. Amazon Web Services (AWS), for instance, provides more than 70 such services, and adds new ones every few months. It is tempting for application developers to use these services whenever they can. But any MSP, and particularly MSPs implementing private clouds, should think carefully before accepting such external dependencies. Most of these platform services are charged for on a per-API-call or per-MB basis, which creates a substantial hidden operating expense that is beyond the MSP’s ability to control. Further, customers who are concerned about the privacy and sovereignty of their identity data will certainly not want their identity data leaked to external service providers with whom they have no contractual relationship.
Customizable on a tenant-by-tenant basis – As covered earlier, enterprise identity is not a one-size-fits-all service. Each customer will need at least some level of customization to support their own needs. The areas that most need customization by enterprises include the ability to:
- Add new attributes to objects like users and groups
- Add new kinds of objects, like departments and projects
- Create new relationships between identity objects
- Extend the role and permissions models
- Insert and customize workflows into identity operations
- Define and customize the production of reports
- Source and transform identity data from other cloud or on-premises systems, including Active Directory and HR applications
- Target and transform identity data to other cloud and on-premises systems
Scalable, robust, and efficient cloud architecture – Cloud service architectures need to support scaling both vertically to support large tenants, and horizontally to support more tenants and higher transactional loads. Cloud services need to replicate critical identity and configuration data in multiple locations to mitigate the risk of a virtual machine or disk failure causing data loss. And finally, cloud services need to be efficient to minimize operating costs.
Easy to install and operate – As a rule, MSPs have competent network operations people on staff who are fully capable of installing, configuring, and operating complex enterprise applications. Even so, it is still important for a cloud identity service to be easy to set up and operate, and it should automate (or support the automation of) most common administrative tasks. For instance, adding a new tenant should be a simple API or command-line exercise and not require administrators to manually provision new virtual machines or configure load-balancers except in extraordinary circumstances. A cloud identity service should also expose performance and debugging information that can be consumed by common cloud management tools to enable operations staff to monitor and manage the service with little additional effort.
In this whitepaper we’ve described some of the business and technical challenges that MSPs face from cloud SaaS applications, and how adding Identity-as-a-Service (IDaaS) can be a high-value addition to an MSP’s application portfolio. We’ve also shown how privately hosted IDaaS can solve the problems some organizations have with moving their identity services to the cloud. Finally, we’ve identified some of the key functions and characteristics of an IDaaS solution that MSPs should look for.
Cobalt Cloud Identity
Cobalt Cloud Identity from ViewDS Identity Solutions is a software package for MSPs that answers these challenges. Cobalt is a multi-tenant cloud identity platform that an MSP can install and run in its own data center or in a public cloud infrastructure-as-a-service (IaaS) environment. It has been designed and built specifically for the cloud. It consists of a comprehensive and evolving standards-compliant identity and access management capability. It is built on proven, globally deployed identity server technology that has architectural advantages for cloud applications.
It encompasses the four capabilities required to deliver an IDaaS platform:
- An identity store. This holds details of identities together with their entitlements.
- Authentication. The ability to recognize and authenticate a user.
- Authorization. Enables the system to determine what a user can and cannot do.
- Integration. The ability to synchronize information with external (to Cobalt) systems.
Gil Kirkpatrick, CTO, ViewDS Identity Solutions