Connecting IdM services to SURFconext

Project: SURFworks
Project year: 2013
Release date: 17-01-2014
Version: 1.0

Summary

This research compares the currently available IdMaaS services and assesses the market opportunities for IdMaaS for the Dutch R&E community. We conclude that Dutch Research & Higher Education institutes are generally not ready for a complete cloud offering of IAM services. By and large they lack a clear policy for adopting cloud services and have a reserved position towards IdMaaS due to the sensitive nature of the data involved and their awareness of the need to comply with privacy regulations. Therefore, IdMaaS will not be an alternative for the on-premise IAM services in the Dutch R&E sector in the short term (1-3 years). Nevertheless, IdMaaS is seen as an attractive option for realising additional IAM functions.

This publication is released under the Creative Commons Attribution 3.0 Netherlands licence. More information about the licence can be found at http://creativecommons.org/licenses/by/3.0/nl/

Colophon

Programme line: SURFworks
Part: SI-SDT
Activity: Connecting Services
Deliverable: 2013-521g – Connecting IdMaaS Services
Access rights: Public
External party: m7, Ludo Gorzeman, Peter Jurg, Ton Verschuren

This project was made possible by the support of SURF, the collaborative organisation for higher education institutes and research institutes aimed at breakthrough innovations in ICT. More information on SURF is available on the website www.surf.nl.

6 Matters one should know about Connecting IdM services to SURFconext

Scenario: With the rise of cloud computing we also see IAM-as-a-Service, i.e. IAM in the cloud, being offered by more and more suppliers. This research compares different IdMaaS vendors and assesses the readiness of the community for adopting this new service model for IAM.

What is it? A comparative research on IdMaaS suppliers and the readiness of the community for adopting this new service model for IAM.

Whom is it for?
The target audience for this report consists of CIOs, ICT managers, IAM functional application managers, and the members of the SURF Special Interest Group for Identity Management in general.

How does it work? A shortlist of IdMaaS suppliers was compared based on a number of criteria (both functional and non-functional). The findings are presented in this report.

What can one do with it? Get an overview of the IdMaaS supplier landscape.

More information: Eefje van der Harst ([email protected])

Contents

1. Background (p. 4)
2. Purpose and target audience (p. 5)
3. Approach for this report (p. 6)
4. Disclaimer (p. 6)
5. Identity and Access Management-as-a-Service (p. 6)
6. Customer perspective (p. 10)
7. Results (p. 11)
8. Conclusions (p. 15)
Annex: Longlist and shortlist of IdMaaS suppliers (p. 16)
Annex: CA Technologies (p. 17)
Annex: Clavid (p. 19)
Annex: CloudID (p. 21)
Annex: Covisint (p. 23)
Annex: iWelcome (p. 26)
Annex: Microsoft (p. 28)
Annex: Okta (p. 30)
Annex: PingOne (p. 32)
Annex: Sailpoint (p. 34)
Annex: Traxion (p. 36)

1. Background

Federated Identity & Access Management is in everyday use for the majority of the research and higher education (R&E) community in the Netherlands. Over one hundred institutes with almost one million users can use over one hundred services through the SURFconext federation, resulting in more than 100,000 federated logins per day.
SURFconext is a collaboration infrastructure that connects a number of basic building blocks for online collaboration:
• federated authentication and authorisation, so that users can securely access all kinds of available services via the same account that they use at their own institution;
• group management enabling access to content and functionalities, for example for a project team, to be managed centrally. These may be internal groups of the institution or groups from the SURFconext group management application;
• a standard data interface for exchanging activities, reports, and group information (OpenSocial) with cloud applications;
• cloud applications of various providers (for example Google Apps, Edugroepen, Sharespace, Liferay Social Office).

SURFconext allows institutions to integrate internal and external online services, thus enabling them to offer users a collaboration environment within which they can access the online services that they require.

Currently, an on-premise Identity & Access Management (IAM) facility, connected to SURFconext, is a common asset in the Dutch R&E community. With the rise of cloud computing we also see IAM-as-a-Service, i.e. IAM in the cloud, being offered by more and more suppliers. Hence the question arose whether this new form of IAM is of interest to the Dutch R&E community and how it relates to SURFconext. Although IAMaaS would be the appropriate abbreviation for IAM-as-a-Service, in this report we will use the term IdMaaS (Identity Management-as-a-Service) since this is the common term used these days.

2. Purpose and target audience

Commissioned by SURFnet and in close collaboration with SURFmarket, m7 conducted research into IdMaaS and the readiness of the community for adopting this new service model for IAM.
The goal of the research is threefold:
• describe and compare the currently available IdMaaS services;
• assess the market opportunities for IdMaaS for the Dutch R&E community;
• select the most promising top 3 among the IdMaaS vendors and assist SURFmarket to include these vendors in its dynamic procurement system.

The first goal concerns this report. The result of the latter goal is to lower the threshold for both the vendor and the customer to reach a favourable agreement to procure an IdMaaS service. As a result of this research SURFnet wants to assess the suitability of IdMaaS for the smaller institutions with little know-how about IAM that are not yet connected to SURFconext. Is IdMaaS a suitable solution for this type of organisation to connect to SURFconext as an Identity Provider?

The target audience for this report consists of CIOs, ICT managers, IAM functional application managers, and the members of the SURF Special Interest Group for Identity Management in general.

3. Approach for this report

A small number of organisations connected to SURFconext was visited to learn their interest in and expectations of IdMaaS. Suggested by SURFnet and SURFmarket, we interviewed the persons responsible for either ICT or IAM at the following organisations, two academic hospitals and three universities:
• Leids Universitair Medisch Centrum (LUMC);
• VUmc;
• Hogeschool Utrecht;
• Universiteit Maastricht;
• Technische Universiteit Delft.

We discussed their view on cloud computing in general, their current IAM service and the features it lacks, and assessed their willingness to move (part of) their on-premise IAM service to the cloud. In a seminar at the end of November we presented the results of our study and provoked discussion about the usefulness of IdMaaS for the SURF community.

Based upon desk research[1] we compiled a longlist of some twenty IdMaaS vendors (refer to Annex: Longlist and shortlist of IdMaaS suppliers).
We studied their websites to find out what IAM functions they provide (refer also to the next chapter for a description of the IdMaaS services) and posed a number of questions about non-functional features by e-mail. Based upon a number of criteria we compiled a shortlist of ten vendors. Next a questionnaire was sent to these vendors, followed by a meeting or teleconference to discuss their answers, if we got any response. Finally we filled out a template per vendor (refer to the annexes) and submitted it to them for review. A compilation of our findings is included in the chapter on results.

[1] The Forrester Wave report on Enterprise Cloud Identity And Access Management, Q3 2012, proved an inspiring document for our research.

4. Disclaimer

IdMaaS is a young industry, consisting of well-known players with fully developed IAM suites for on-premise use moving to the cloud and newcomers deploying in-house developed solutions or combinations of existing solutions (open source and commercial). Hence this report is a snapshot of a rapidly changing vendor landscape, where a first wave of takeovers and mergers is not unlikely.

5. Identity and Access Management-as-a-Service

In the last few years many vendors of IAM suites have decomposed their offer into several smaller modules that offer particular IAM services. This trend obviously follows the trend of the last 5-10 years of performing IAM projects step by step. In the last 2 years the decomposition of IAM into several services has led to cloud offers for some demarcated IAM services. For example federation, single sign-on and provisioning to public cloud applications are services that are offered from the cloud. However, in the last year we see that more sophisticated services, especially self-service, access governance, and risk-based access, are also offered from the cloud. In this document we use a decomposition model for IAM that is depicted in Figure 1.
Figure 1: Decomposition of IAM functions

At the bottom of this picture we start with the underlying processes for registration, change and exit for identities that are already in place in the majority of organisations, Dutch higher education and research included. Therefore, we exclude the registration functionality for staff and students in our comparison, assuming this is already in place as an on-premise process. For smaller organisations looking for a solution to connect as identity provider to SURFconext, however, this functionality would be required as part of the IdMaaS offering. Usually though, their registration needs will be met by the guest registration functionality of the IdMaaS supplier. In larger organisations guest registration is sometimes a more diffuse process, where different parts of the organisation have their own process for it. So guest registration can often be improved by a central software solution that enforces one way of doing this.

Below we discuss the other services in the picture and their role in IAM. We distinguish services that have a history of 10 years or more, which we call classical IAM services, and IAM services that became popular in the last 2-3 years, which we call modern IAM services.

5.1. Classical IAM services

5.1.1. Identity Vault / life cycle management

An identity vault is a central user repository that contains the information necessary for account and role provisioning. So from here users get their account and basic access rights in different systems. On top of the identity vault the processes for life cycle management can be implemented. This defines the existence of accounts and access rights for users depending on the state of their identity. Whether or not to implement a central Identity Vault mostly depends on the number of users and expected changes. Generally it is cost effective to implement a central Identity Vault for a couple of thousand identities.

5.1.2. User provisioning

This service provides the provisioning of account information to all applications and authentication databases (see below) that need a user account in order to provide access to a user.

5.1.3. Role and group assignment

Which systems are appropriate for a user is defined by the roles a person has or the groups a person belongs to. Roles can be job description, department, location or other information, often provided by HR. Groups often have a more ad hoc character, like a project group. Life cycle management also handles changes in roles and groups and translates them into changes in access (if needed). Other approaches for access management like access request management and identity and access governance are described below.

5.1.4. Delegated admin

Delegated admin can be used for distributed user account management within an organisation. Admin users can for example create and remove users, change access rights or perform self-service tasks on behalf of users.

5.1.5. Single sign-on (SSO)

Single sign-on is a mechanism that allows the user to log in only once to have access to several services without logging in again. This service is mainly a technical implementation. The biggest challenge is to integrate desktop and web SSO.

5.1.6. Strong authentication

This provides a central service for 2-factor authentication or otherwise stronger authentication methods than username and password that can be applied to several applications.

5.1.7. Self-service

This is a central service by which end users can change or reset their password and maybe also change some personal information (this might be viewed as part of delegated admin, with delegation to the users themselves).

5.1.8. Access request management

Besides the information in HR (job description, department, location, etc.) users within an organisation will have specific tasks for which they need specific access. This can be established by so-called access request workflows.
Line managers and application owners will have to approve requests by employees. It is utopian to think that such workflows can be used to manage all access rights in all applications. A lot of rights will still be entered in the applications without any workflow. In that case, Identity & Access Governance (see below) can help.

5.1.9. Reporting and auditing

Reporting and auditing is useful for obtaining insight into access rights, delegated admin activity, self-service activity, provisioning, etc.

5.2. Modern IAM services

5.2.1. Federation

Federation can be used to enable web SSO, i.e. SSO for web-based services. It may also serve to let people from another organisation log in to your services with the account from their own organisation and vice versa.

5.2.2. Identity and Access Governance (IAG)

This is a service that retrieves access rights from several applications, gathers them and presents the consolidated rights for review. Access rights can be labelled as low, medium or high risk and a manager can get an overview of what type of access their employees have (risk, license costs, etc.). The manager can then approve, change or withdraw access rights. With this approach access rights can still be entered in the applications themselves, but managers are alerted when new employees come in or access rights are changed. IAG can also help to detect violations of segregation of duty.

5.2.3. Cloud provisioning

Cloud provisioning is not much different from account and role provisioning, but uses APIs of cloud providers and open standards to provision and deprovision accounts and roles.

5.2.4. Identity-based device management

Linking device management to identity management ensures that life cycle management is effective for personal devices and enables an organisation to define personal access rights for devices. It may also be used for risk-based access.

5.2.5. Risk-based access

Risk-based access enables organisations to make access decisions based on the behaviour of users.
For example, the location of a user should not suddenly change while a user is accessing services, and a user should not access systems at unusual hours.

5.2.6. Social logon

Social logon helps organisations to diminish user account management for individual users. They can log in with a social media account. Since trust and security are not at a high level here, this mechanism is mostly used for providing customers access to (semi-)public information, for example for marketing purposes: an organisation wants to provide information to potential customers and at the same time wants to keep track of the activity and profile of those customers.

Most IdMaaS cloud providers currently have a main focus on the modern IAM services, which form the biggest opportunity as most organisations have the classical IAM services already in place. Most of them are able to offer the classical IAM services from the cloud as well, though. Device management turned out to be an exception. Though device management is offered as a cloud service by many service providers, these services are quite often not part of the IdMaaS offering, but available as a separate service from the same supplier or from specialised suppliers.

We will use the picture above in the annexes to this document to indicate what services are offered by the different IdMaaS providers. Furthermore, we will describe how the IdMaaS offering relates to the SURFconext service.

Apart from a functional comparison of the IdMaaS suppliers, we looked at a number of non-functional aspects[2]:
● What privacy (data protection) regulations apply to the IdMaaS service? The EU Directive, the Safe Harbor Principles, or otherwise?
● Will the supplier comply with the International Standard for Assurance Engagements (ISAE) 3402 or Statement on Standards for Attestation Engagements (SSAE) 16 for their service auditor's statements[3]?
● ISO 27001 certificate[4]? This will ensure that the service is secure and will be audited regularly.
● What SLA is offered? For a service that enables users to log on, good uptime of the service, short response times when a disruption occurs and a globally acceptable performance are important SLA parameters.
● Is data escrow supported? If so, an exit or migration to another supplier will be easier, because such a service can make sure that the customer's data will be available, even if the supplier is bankrupt or suffers from a large calamity.

[2] For more information (in Dutch) refer to the checklist for contracts with cloud providers (http://www.surfsites.nl/cloud/download/ChecklistContractueleAfspraken.pdf) and the best practices on privacy for cloud providers (http://www.surfsites.nl/cloud/download/cloudBPG.pdf). The latter explains the standards for the certifications mentioned.

[3] ISAE 3402 provides an international assurance standard for allowing public accountants (an independent third party) to issue a report for use by user organizations and their auditors (user auditors) on the controls at a service organization that are likely to impact or be a part of the user organization's system of internal control over financial reporting. Hence ISAE 3402 provides assurance over outsourced business processes. ISAE 3402 includes the IT environment of the service organization and its security. SSAE 16 resembles ISAE 3402 and differs only for the specific case of US customers of service organizations. Hence it is not relevant for Dutch higher education institutes. Note that ISAE 3402 reports can be of type I or type II, the first being a snapshot, the latter reporting over a longer period with a minimum of 6 months.

We did not include the costs of the IdMaaS offerings in our research. But we did ask the vendors for their cost models. On what parameters are their tariffs based?
Apart from a one-time set-up fee, the license costs can be based upon the following parameters:
● number and type (internal or external) of users;
● number of authentications per period of time;
● number of connected cloud applications;
● number of administrators in the cloud platform;
● the two-factor authentication methods used;
● support level.

6. Customer perspective

None of the organisations interviewed has defined a policy for the cloud yet, although some are in the process of defining one. And some collaborate in the SURF Cloud Taskforce, hence the topic has their interest. Main reasons for adopting cloud services in general are an improvement of the quality of the services offered, increased agility, and a change from a capital expenditure to an operational expenditure cost model, including reduced manpower for application management and support. But due to the sensitive nature of IAM (accounts, personal data, access to licensed content and services) the migration to a completely cloud-based IAM service is unlikely in the short term. All organisations claim to hold on to a local registration process for employees and students, a local identity store including lifecycle management, and—due to the sometimes very extensive on-premise application landscape—a mainly local provisioning process. The academic hospitals interviewed even claimed that they cannot move their identity store to the cloud because of the data protection regulations in force. The authors of this report do not think this is true, however, because IdMaaS can be considered a technical solution for IAM that has to adhere to the same legislation as on-premise IAM.

To summarise the viewpoint of the organisations interviewed, IdMaaS is not considered to be an alternative for the basic, classical IAM functions. At the seminar, however, the majority of the institutions indicated an interest in IdMaaS because their current on-premise IAM solution is bound for replacement in the near future.
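Section 5.2.5 above characterises risk-based access by two behavioural signals: a sudden change of location between accesses, and access at unusual hours. The following Python evaluates constructed login events against exactly those two signals and maps the outcome to an allow / step-up / deny decision. It is an added example, not code from the report or from any of the suppliers discussed; the event layout, the hour range, the 4-hour window and the decision mapping are assumptions.

```python
"""Risk-based access decisions over login events, illustrating the two
behavioural signals named in section 5.2.5 of the report. Example code, not
part of the report or of any supplier's product; the event layout, the hour
range, the 4-hour window and the allow/step-up/deny mapping are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    user: str
    when: datetime      # timestamp of the access attempt (assumed UTC)
    country: str        # location derived from the client's network address


# Policy parameters (assumed values; an organisation would tune these).
USUAL_HOURS = range(7, 20)              # 07:00 up to 19:59 counts as usual
LOCATION_WINDOW = timedelta(hours=4)    # a country change inside this window is "sudden"


def risk_factors(history, event):
    """Return the risk factors raised by `event`, given the user's earlier events.

    An empty list means no elevated risk was observed for this access.
    """
    factors = []
    if event.when.hour not in USUAL_HOURS:
        factors.append("unusual-hours")
    earlier = [e for e in history if e.user == event.user and e.when < event.when]
    if earlier:
        last = max(earlier, key=lambda e: e.when)
        if last.country != event.country and event.when - last.when < LOCATION_WINDOW:
            factors.append("sudden-location-change")
    return factors


def decide(factors):
    """Map the observed risk factors to an access decision.

    No factor: allow. One factor: require step-up (e.g. a second factor).
    Both factors: deny and leave the attempt for a human to review.
    """
    if not factors:
        return "allow"
    if len(factors) == 1:
        return "step-up"
    return "deny"


def evaluate(events):
    """Evaluate events in chronological order; each event sees only earlier ones."""
    ordered = sorted(events, key=lambda e: e.when)
    results = []
    for i, ev in enumerate(ordered):
        factors = risk_factors(ordered[:i], ev)
        results.append((ev.user, ev.when.isoformat(), decide(factors), factors))
    return results


# Constructed sample events (not real data).
SAMPLE = [
    LoginEvent("alice", datetime(2014, 1, 15, 9, 0), "NL"),
    LoginEvent("alice", datetime(2014, 1, 15, 11, 0), "US"),   # NL -> US within 2 hours
    LoginEvent("bob",   datetime(2014, 1, 15, 3, 0), "NL"),    # access at 03:00
    LoginEvent("carol", datetime(2014, 1, 15, 22, 30), "NL"),
    LoginEvent("carol", datetime(2014, 1, 16, 0, 30), "DE"),   # both signals at once
    LoginEvent("dave",  datetime(2014, 1, 15, 9, 15), "NL"),
    LoginEvent("dave",  datetime(2014, 1, 16, 9, 15), "DE"),   # country change a day later
]


def sample_decisions():
    """Decisions for SAMPLE in chronological order, as (user, decision) pairs."""
    return [(user, decision) for user, _, decision, _ in evaluate(SAMPLE)]


if __name__ == "__main__":
    for user, when, decision, factors in evaluate(SAMPLE):
        print(f"{when}  {user:6}  {decision:8}  {factors}")
```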
Nevertheless, IdMaaS is seen as an attractive option for realising additional IAM functions, such as strong authentication, improved self-service, guest registration (especially in the context of virtual organisations or collaboration teams), provisioning to cloud applications, and possibly in the longer term social logon and identity-based (mobile) device management. This was confirmed during the seminar, where two thirds of the attendants showed their interest in IdMaaS within a three-year term. On the other hand, a quarter of the audience thinks that IdMaaS may not be a solution for them, because their business processes are not generic enough and they are unwilling or unable to adjust to more generic processes.

A remarkable finding was the fact that the modern Identity & Access Governance approach does not have the attention of Dutch Research & Higher Education at the moment, so a cloud offer for this functionality is currently not on their wish list.

[4] Though ISAE 3402 covers IT security, it is not very specific about the security measures and its relevance for IT security depends on the third party who issues the report and the auditor of the customer who verifies it. ISO 27001 is a pragmatic certification that ensures that certain measures are taken and therefore may offer additional assurance.

7. Results

This chapter contains the results of our research of the IdMaaS vendors on the shortlist. We describe the current state of affairs in the IdMaaS landscape in the context of the Dutch situation. Not all suppliers responded to our questionnaire or to our request to review our findings. Where that is the case, it is mentioned in the annex concerned.

The IdMaaS market is young, but rapidly developing. During our research we came across several suppliers that were not on our initial longlist. Some suppliers build their offering based upon their own intellectual property; some use products from the well-known classical IAM vendors.
Some suppliers have offered their service for a number of years, but the majority introduced their IdMaaS offering in the last two years. Not surprisingly, the set of IAM functions offered and their maturity varies strongly per supplier. A number of suppliers mainly focus on offering as many out-of-the-box connections to cloud applications as possible, usually presented through a user or admin dashboard. "Choose your cloud application, click and go" is the adage here. Others try to cover as many IAM functions as possible, trying to compete with on-premise IAM suites. Still others offer a wide variety of two-factor authentication options.

Whereas the IAM functions offered are easy to find on the suppliers' websites, the non-functionals are harder to obtain. But where an SLA is important for any cloud application ("*-as-a-service"), for IAM a number of specific non-functional requirements are critical, due to the nature of the data concerned. Here information security standards, like ISO 27001, and third-party audit formats like ISAE 3402 and SSAE 16 come in. Together they provide an indication of how safe your users' data and privacy are in the supplier's cloud platform. Of course, the suppliers are aware of these issues and some are in the process of regionalising their cloud (data centres) in order to adhere better to the Dutch and EU data protection regulations.

When it comes to the positioning of the IdMaaS offering with respect to SURFconext there is a varying degree of overlap in the functions offered. Actually the majority of IdMaaS suppliers offer technical services that can be used to build a federation like SURFconext. They offer authentication using SAML (and OpenID Connect), web SSO for cloud applications and social logon, just like SURFconext offers.
However, they only provide technical solutions, whereas SURFconext offers a complete federation with central facilities that make connecting to a large number of services a breeze and a trust framework that helps to diminish the burden of arranging agreements with many service providers. Using an IdMaaS supplier, institutions will have the technical possibilities of a federation, but will not have the federation itself. In general this makes the IdMaaS services less attractive because the added value is limited. However, there are still some areas where SURFconext does not offer functionality and IdMaaS providers do. Some examples:
• Two-factor authentication;
• SSO to cloud applications not included in SURFconext;
• Guest registration;
• Device management;
• Provisioning to cloud applications;
• On-premise provisioning, identity vault and SSO.

A general observation across all suppliers is that support for the group API of SURFconext is lacking. The consequence is that group information used in the SURFconext-connected cloud applications will not be available in the cloud applications connected to the IdMaaS supplier's platform. SSO between the supplier's and SURFconext domains, however, won't be a problem.

One of the non-functional aspects that will be of interest to a prospective customer of an IdMaaS service is the supplier's ability to execute: how many comparable organisations are among the supplier's customers; how easy is it to set up the service and how long does it take for the service to be operational; how well is support organised; is the supplier already active on the Dutch market or not, etc. And with respect to the latter aspect: is the supplier inclined to connect to SURFconext? Note however that the ability to execute is beyond the scope of our research, partly due to the lack of response on the subject from a number of vendors.

In the annexes a short description of the supplier and its offering is given.
The table below summarises our findings for the functional and non-functional aspects. The table shows that—not surprisingly—federation techniques and SSO are supported by all suppliers. Identity & Access Governance, device management and to a lesser extent access request management are still rather rare. Auditing and reporting are generally implemented in a basic form. Those suppliers rated "mature" (blue) for this function usually provide an interface for a Security Information and Event Management system.

A remark about provisioning needs to be made. Although the table shows that user and cloud provisioning is generally well supported, suppliers indicated that in practice provisioning is far from trivial. Some suppliers claim to provide provisioning to cloud applications only if they support standards like SPML and SCIM, for which support in applications is not very common at the moment. And some interpret provisioning as just-in-time provisioning[5], while generally ahead-of-time provisioning[6] is required. For the latter usually custom interfaces need to be implemented.

Overall, the classical IAM functions show better support than the modern ones. Discussions with suppliers showed that many of them are still developing their solutions and have support for many of the modern IAM functions on their roadmap.

On the non-functional side, the fact that not all suppliers indicate that they adhere to the EU privacy regulations shows their sometimes limited interest in the Dutch (European) market. Support for data escrow is provided by the majority of the suppliers, which should ease a (periodic) change of IdMaaS supplier, e.g. after a tender.

The approach taken and the sometimes meagre response from the vendors prevent us from appointing a top 3 of best suppliers. Moreover, the choice for a suitable IdMaaS solution strongly depends on the specific IAM functions required by an organisation.

[5] Just-in-time (JIT) provisioning creates a profile for the user in the application at the time of first login.

[6] Ahead-of-time (AOT) provisioning creates a profile for the user in the application before the first login.

Table 1: Comparison of IdMaaS suppliers

[The colour legend and the colour-coded ratings of Table 1 did not survive extraction; only its layout is recoverable. Columns: CA, Clavid, CloudID, Covisint, iWelcome, Microsoft, Okta, Ping, Sailpoint, Traxion. Rows under Modern IAM: device mgmt, risk-based access, social logon, federation, IAG, cloud provisioning. Rows under Classical IAM: SSO, 2FA, self-service, access request mgmt, reporting & auditing, LCM, user provisioning, roles & groups, DA, guest registration. Rows under Non-functionals: adhere to privacy regulations, third-party audit conformity, ISO 27001, SLA (the row listed uptime values 99.5 and 99.9, but which supplier stated which is not recoverable), escrow support.]

Some more background information:
• All providers offer good functionality for cloud provisioning, federated login and SSO for cloud applications. Additionally they all offer good functionality for on-premise SSO. Clavid is an exception: they only provide authentication, not provisioning.
• Covisint is the most experienced IdMaaS provider as they were an IdMaaS provider avant la lettre in the automotive industry. Their offer is highly standardised though, so customisations may be expensive. In terms of overall functionality they have the best score.
• Okta and CA seem not very interested in the Dutch educational market. That is what we deduce from the fact that they were not very responsive.
• Traxion indicated that their focus is not on education anymore.
• For specific types of functionality we would recommend the following suppliers:
  o Two-factor authentication: Clavid and iWelcome.
  o SSO to cloud applications not included in SURFconext: all.
  o Guest registration: Covisint and iWelcome.
  o Device management: Covisint.
  o Provisioning to cloud applications: all but Clavid.
On-premise provisioning and identity vault are functions that most suppliers do not offer (yet) in a way that can meet the rather complex business rules of the Dutch higher education community, but that appears to be a matter of time. Instead, at the moment, most suppliers do provide simple provisioning tools. If an institution plans to make provisioning simpler though, most suppliers are able to help out.

8. Conclusions

Dutch Research & Higher Education institutes are generally not ready for a complete cloud offering of IAM services. By and large they lack a clear policy for adopting cloud services and have a reserved position towards IdMaaS due to the sensitive nature of the data involved and their awareness of the need to comply with privacy regulations. Therefore, IdMaaS will not be an alternative for the on-premise IAM services in the Dutch R&E sector in the short term (1-3 years).

For federation and SSO the institutes mainly use SURFconext. SURFconext might also offer strong and step-up authentication in the near future. Thus the overlap between the IAM functions offered by SURFconext and IdMaaS suppliers will likely grow. On the other hand some IdMaaS vendors try to connect as many cloud applications to their platform as possible, whereas SURFconext generally connects (niche) applications for the R&E community. Depending on the need for cloud applications, the SSO domain of the IdMaaS solution may be of interest.

On the other hand several cloud IAM providers support the modern IAM functionalities the institutes are looking for. However, the core business of the providers lies mostly in functionality that is offered by SURFconext. Furthermore Dutch cloud IAM providers are inclined to provide additional features outside of the regular cloud spectrum, like guest registration and improved self-service.

One of the modern IAM functions, identity-based device management, is rarely part of the IdMaaS offering today.
This function is mainly the domain of specialised suppliers. That may change in the near future, though, since this feature is on some IdMaaS suppliers' roadmaps.

Support for the group functions offered by SURFconext seems entirely lacking among the current IdMaaS suppliers. Moreover, within SURFconext not many applications support this yet. On the SURFconext side it would be worth investigating the future of this function.

The approach taken and the sometimes meagre response from the vendors prevent us from appointing a top 3 of best suppliers. Moreover, the choice of a suitable IdMaaS solution strongly depends on the specific IAM functions required by an organisation.

The factors mentioned above make the Dutch R&E market less attractive for IdMaaS vendors. They could try to target the smaller institutions and sell them the whole IdMaaS package (including the connection to SURFconext as an identity provider), but the volumes will be low.

Dutch R&E institutes adopting IdMaaS must be aware that cost effectiveness will only be achieved if they are willing to adjust—actually simplify—their business processes so that technical implementation becomes less complex. Institutes will probably only do this in the context of a cloud-based strategy, where on-premise applications are increasingly replaced by cloud-based or SaaS solutions. Such a strategy will eventually take away the necessity for on-premise IAM anyway.

Because IdMaaS is a young and rapidly developing industry, a repeat of this research in one or two years is recommended. Then the current mismatch between the demand and supply side of IdMaaS for Dutch R&E may be reassessed.
Annex: Longlist and shortlist of IdMaaS suppliers

The following suppliers were included on the longlist and shortlist for this project, based on the criteria below:

| Supplier | Shortlist (y/n) | Explanation (if not on shortlist) |
| Capitar | n | Not ready in time for this report |
| CA Technologies | y | |
| Clavid | y | |
| CloudID | y | |
| Covisint | y | |
| Gluu | n | Did not satisfy shortlist criteria |
| iWelcome | y | |
| Lighthousegateway | n | Did not satisfy shortlist criteria |
| Microsoft | y | |
| Okta | y | |
| Ping | y | |
| Sailpoint | y | |
| Salford Software | n | Not a general-purpose IdMaaS solution |
| Simeio | n | Did not satisfy shortlist criteria |
| Symantec | n | Did not satisfy shortlist criteria |
| Symplified | n | Did not satisfy shortlist criteria |
| Traxion | y | |
| Vasco Data Security | n | Not a general-purpose IdMaaS solution |
| Verizon | n | Did not satisfy shortlist criteria |

Criteria for the shortlist [7]:

Functional criteria:
● Is provisioning supported?
● Is SSO supported, both for on-premise and cloud applications?
● Is strong (two-factor) authentication supported?
● Is guest registration supported?
● Is self-service and access request management supported?
● Is access governance provided?

Non-functional criteria:
● Does the vendor adhere to the EU privacy or Safe Harbor principles?
● Did the vendor respond to our questions?

Applying these criteria resulted in omitting vendors with a single or very few IAM functions. Hence organisations seeking only a very limited set of IAM functions in the cloud should evaluate the IdMaaS landscape based on their own criteria.

[7] Note: because there is a federation in place (SURFconext), the list of criteria is not a generally applicable list for IdMaaS, but tailored to the situation in the Netherlands.

Annex: CA Technologies

Supplier
CA Technologies, USA, is a well-known company with a wide range of software and SaaS solutions. Their SiteMinder product was one of the first IAM products.
Review of this annex received: no.
Product: CloudMinder
URL: http://www.ca.com/us/cloudminder-identity-management.aspx

CloudMinder is—as the name suggests—the SaaS version of CA's existing IAM products like IdentityMinder and SiteMinder. In fact it is a suite of products, just like the on-premise versions. It provides an interface to an on-premise AD or LDAP user store and does provisioning to both on-premise and cloud applications (using SCIM). An overview is given in the picture below.

Figure 2 Overview of CloudMinder

Guest registration is part of the offering, as is role management. A complete set of self-service and delegated administration functions is available, including access request management. SSO includes on-premise and cloud applications. Various two-factor authentication options are offered as part of CloudMinder Advanced Authentication. Social login is supported. No information about our non-functional requirements could be obtained.

The picture below summarises the main features of CloudMinder:

Figure 3 CA's IdMaaS functional decomposition (colour legend: not known or absent / yes or basic functionality / mature or advanced functionality)

How does it compare to SURFconext?
With its track record in IAM, CA offers a robust and mature cloud-based service that could add value for an organisation in addition to SURFconext.

Annex: Clavid

Supplier
Clavid AG is a privately-owned Swiss company with IAM services based on in-house developed software as its core product. Since 2007 Clavid has run an OpenID identity provider with users from over 50 countries. The company's main focus is on two-factor authentication and SSO.
Review of this annex received: yes.

Product: Clavid
URL: http://www.clavid.com/

Clavid has run its IdMaaS service since 2012. Three operational models are offered: pure cloud, on-premise maintained by Clavid, or on-premise maintained by the customer. For this report we only take the cloud model into consideration.
Their architecture is depicted in the following figure:

Figure 4 Overview of Clavid

Clavid features two main elements: the Internet Identity Provider and Authentication as a Service. The Internet Identity Provider connects to an on-premise user store (AD, LDAP, HR system). It offers provisioning to on-premise but not to cloud applications. Guests can be registered in the Internet Identity Provider. Roles are not supported. Self-service for selection of two-factor methods, login settings, password reset and usage history is supported. Delegated administration is not supported. SSO is one of the main distinctive services of Clavid, covering both on-premise and cloud applications, even with the possibility of protocol translation between e.g. SAML and OAuth.

Two-factor authentication is Clavid's main focus, so an extensive set of protocols, tokens and methods is supported. Even SURFnet's tiqr! The required authentication strength (using NIST levels [8]) and the corresponding method can be configured per application.

On the non-functional side the following applies to Clavid:
● Clavid runs in a Swiss data center and adheres to the Swiss privacy regulations, which impose fewer restrictions on data processing than the EU Directive.
● Clavid is certified for ISAE 3402.
● No SLA details are available.
● Third-party data escrow is supported.

The picture below summarises the main features of Clavid:

Figure 5 Clavid's IdMaaS functional decomposition (colour legend: not known or absent / yes or basic functionality / mature or advanced functionality)

How does it compare to SURFconext?
Clavid's main strength lies in its support for strong authentication, and it is rather unique in the extent of its features. The number of out-of-the-box interfaces with cloud applications is rather limited, but any standards-based application can be coupled rapidly. Clavid has already realised a (test) connection to SURFconext.
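The combination described for Clavid, a first factor asserted by SURFconext and a required authentication strength configured per application in NIST levels with a second factor added on demand, can be modelled as a small step-up policy. The Python below is an added illustration, not code from Clavid, SURFconext or this report; the mapping of SAML AuthnContextClassRef values to factor types, the level table, the 30-minute freshness window and the demo identifiers are assumptions.

```python
"""Step-up authentication policy modelled on the set-up described in the report.

Assumed model (not Clavid's or SURFconext's implementation): the federation asserts a
first factor via a SAML AuthnContextClassRef; a per-application policy states the
required NIST SP 800-63-1 level and the second-factor method used to step up.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Standard SAML 2.0 authentication context classes, mapped to a factor type (mapping assumed).
SAML_CONTEXT_FACTOR = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": "knowledge",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": "knowledge",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": "possession",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract": "possession",
}
SAML_PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


@dataclass(frozen=True)
class Factor:
    kind: str              # "knowledge" (something you know) or "possession" (something you have)
    method: str            # how it was verified, e.g. "federation:PasswordProtectedTransport", "tiqr"
    verified_at: datetime


@dataclass
class Session:
    subject: str
    factors: list = field(default_factory=list)


@dataclass(frozen=True)
class AppPolicy:
    app_id: str
    required_level: int                           # NIST SP 800-63-1 level the application demands
    step_up_method: str                           # second-factor method configured for this application
    max_age: timedelta = timedelta(minutes=30)    # assumed freshness window for each factor


def fresh_kinds(session, now, max_age):
    """Factor types that were verified recently enough to still count."""
    return {f.kind for f in session.factors if now - f.verified_at <= max_age}


def achieved_level(kinds):
    """Assumed level table: knowledge + possession -> 3, a single fresh factor -> 2, nothing -> 0."""
    if "knowledge" in kinds and "possession" in kinds:
        return 3
    return 2 if kinds else 0


def ingest_federated_login(session, authn_context, now):
    """Record the first factor as asserted by the federation IdP (SURFconext in the report)."""
    kind = SAML_CONTEXT_FACTOR.get(authn_context)
    if kind is None:
        raise ValueError(f"unmapped AuthnContextClassRef: {authn_context}")
    session.factors.append(Factor(kind, "federation:" + authn_context.rsplit(":", 1)[1], now))


def complete_step_up(session, method, now):
    """Record a successfully verified second factor (e.g. tiqr) handled on the IdMaaS side."""
    session.factors.append(Factor("possession", method, now))


def decide(session, policy, now):
    """Return ("grant", level), ("step_up", method) or ("deny", reason) for one application."""
    kinds = fresh_kinds(session, now, policy.max_age)
    level = achieved_level(kinds)
    if level >= policy.required_level:
        return ("grant", level)
    if "knowledge" not in kinds:
        # Step-up only adds a second factor; a missing or stale first factor needs a full re-login.
        return ("deny", "no fresh first factor; re-authenticate via the federation")
    if policy.required_level > 3:
        return ("deny", f"level {policy.required_level} is not reachable with the configured methods")
    return ("step_up", policy.step_up_method)


def run_demo():
    """Replays the flow in the report: password via SURFconext, then tiqr, then session ageing."""
    t0 = datetime(2014, 1, 17, 9, 0, tzinfo=timezone.utc)        # constructed timestamp
    policy = AppPolicy("test-app", required_level=3, step_up_method="tiqr")
    session = Session("student@example.edu")                      # constructed subject
    steps = [decide(session, policy, t0)]                                  # no factor yet -> deny
    ingest_federated_login(session, SAML_PPT, t0)
    steps.append(decide(session, policy, t0 + timedelta(seconds=5)))       # level 2 < 3 -> step_up tiqr
    complete_step_up(session, "tiqr", t0 + timedelta(seconds=20))
    steps.append(decide(session, policy, t0 + timedelta(seconds=25)))      # level 3 -> grant
    steps.append(decide(session, policy, t0 + timedelta(hours=1)))         # both factors stale -> deny
    return steps


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```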
A demo showed a federated login with username and password through SURFconext for a test application connected to Clavid's SSO platform, followed by a second-factor authentication through Clavid to gain access to the test application: a nice example of step-up authentication.

[8] U.S. National Institute of Standards and Technology. The levels are specified in their standard SP 800-63-1.

Annex: CloudID

Supplier
CloudID is a privately-owned Dutch company that offers services built around its product called LionGate. CloudID operates in different markets and focuses on larger organizations.
Review of this annex received: yes.

Product: LionGate
URL: http://www.cloudid.nl/en/liongate/what-is-liongate/

LionGate has existed since 2010 and started as a solution that uses an organisation's identity store (for example Active Directory) to perform authentication for cloud applications; it also offers some access rights management for cloud applications. LionGate was originally built on the open source version of A-Select, but now uses Asimba, an A-Select fork, and in-house developed software.

Figure 6 Overview of LionGate

LionGate connects well to popular cloud applications like Google Docs, Salesforce.com, Exact Online, Microsoft Office 365, Zoho and SAP Business ByDesign. It offers provisioning, federated authentication and single sign-on. CloudID positions LionGate as a solution with great ease of use. LionGate also makes it possible to use different authentication methods for different applications. For one of their customers they also developed a tight integration of LionGate with Citrix XenApp.

On the non-functional side the following applies to LionGate:
● CloudID ensures that LionGate is run from Dutch data centres.
● No SLA details are available.
● Third-party data escrow is supported with a preferred, independent provider.
● CloudID does not comply with ISAE 3402 and is not yet certified for ISO 27001.
The picture below summarises the main features of CloudID:

Figure 7 CloudID's IdMaaS functional decomposition (colour legend: not known or absent / yes or basic functionality / mature or advanced functionality)

How does it compare to SURFconext?
An interface from CloudID to SURFconext is possible, as SURFconext may serve as an IdP from LionGate's perspective.

Annex: Covisint

Supplier
Covisint, USA. Covisint is a subsidiary of Compuware Corporation (USA) and had its initial public offering at the end of September 2013. It is the oldest IdMaaS supplier, with over ten years of operation. Having started out in the automotive industry, Covisint today is present in other sectors like healthcare, energy, travel, manufacturing, financial services, life sciences and the public sector.
Review of this annex received: yes.

Product: Covisint Cloud Identity Service (CIS)
URL: http://www.covisint.com/idm

CIS is based on Covisint's own software. Covisint claims CIS is being used by 80,000 organizations, managing over 18 million identities. The architecture of CIS is displayed in the next figure:

Figure 8 Overview of CIS

The central element is the IDBridge, which performs the synchronisation of identities (accounts) between a local identity store, e.g. an Active Directory or LDAP server, and CIS. Furthermore the IDBridge takes care of the provisioning to local and cloud applications, both just-in-time (JIT) and ahead-of-time (AOT), using SPML or custom bulk uploads.

Registration of guests is available in the cloud IdP. CIS supports roles and groups. A number of default roles, mainly administrator roles, are available, e.g. Application Configuration Administrator, Individual Service Admin, Organization Service Administrator, Security Administrator, User Account Administrator. Additional roles can be configured. Self-service is offered, e.g. self-service registration, password reset and access requests.
Delegated administration allows administrative users to delegate the authorisation to manage organisations, departments, applications, service packages (a set of applications or services) and users. A number of default workflows is offered.

CIS provides SSO across on-premise and cloud applications, optionally extended with desktop SSO (for Windows computers). CIS offers two-factor authentication as an optional add-on that can be enabled for all applications, not for individual applications.

CIS offers a number of default reports: federation reports (use of federated applications), administrative reports (about usage or security) and audit reports. In addition, CIS is able to provide access and location information to an enterprise's Security Information and Event Management (SIEM) system.

CIS offers the ability to deliver secure access to data to a user's mobile device. All key system functions are available via APIs for (mobile) applications. Delegated authentication to social media IdPs (social logon) is supported.

On the non-functional side the following applies to CIS:
● Covisint adheres to the EU Safe Harbor Principles. It also has a data center located in Frankfurt.
● Covisint is SSAE 16 certified.
● The minimum SLA is 99.5%; up to 99.999% SLA is available.
● Third-party data escrow is supported.

The picture below summarises the main features of CIS:

Figure 9 Covisint's IdMaaS functional decomposition (colour legend: not known or absent / yes or basic functionality / mature or advanced functionality)

How does it compare to SURFconext?
As with all IdMaaS suppliers, CIS will have to be connected to SURFconext in order to add value for the Dutch R&E community. CIS being a very feature-rich and mature offering, it can form an interesting complementary service next to SURFconext.
And since Covisint is a leader in the IdMaaS industry according to Gartner, rapid adoption of new standards and trends and a quick response to customer demand by Covisint are very likely.

Annex: iWelcome

Supplier
iWelcome, Netherlands. iWelcome is a relatively young Dutch company, which has its roots in the IAM consultancy and implementation company Everett.
Review of this annex received: yes.

Product: iWelcome
URL: http://www.iwelcome.com

iWelcome is a single-tenant cloud-based IAM solution, launched in 2011, combining several open source products with custom solutions.

Figure 10 Overview of iWelcome

iWelcome provides a broad spectrum of functionality, both for authentication and provisioning. For authentication most industry standards (SAML, OpenID, OAuth2, etc.) are supported and a connection to the SURFconext federation already exists. Strong authentication can be realised through the iWelcome Authenticator App (iOS, Android, Blackberry and Windows Mobile), Yubikey or generic OATH-based solutions. Risk-based access can be configured based on IP range, location, device, etc. Access governance is currently very limited in functionality and restricted to accounts in iWelcome's own identity vault.

In terms of provisioning, iWelcome supports SCIM, SPML and custom connections through SOAP and/or REST APIs. It maintains both its own identity vault and connections to external LDAP/AD directories. Guest accounts can be added to the cloud identity vault and provisioned back into the local directories. Groups can only be managed through the local directories. iWelcome supports both self-service for the end user and delegated administration. As for reporting and auditing, all activity is stored in log files, which are parsed into reports on the web-based dashboard and are accessible to third-party applications through an API.
On the non-functional side the following applies to iWelcome:
● iWelcome is ISO 27001 certified.
● The SLA guarantees 99.5% availability, upgradable to 99.9%.
● iWelcome is solely hosted in European data centres.
● Third-party SaaS and data escrow is not yet available.

The picture below summarises the main features of iWelcome:

Figure 11 iWelcome's IdMaaS functional decomposition (colour legend: not known or absent / yes or basic functionality / mature or advanced functionality)

How does it compare to SURFconext?
iWelcome is already connected to SURFconext and provides additional functionality in terms of provisioning, access control and strong authentication. It boasts guest account functionality tailored for higher education.

Annex: Microsoft

Supplier
Microsoft, USA. Their on-premise IAM product is called Forefront Identity Manager (FIM) and was released in 2010. It is the successor of Identity Lifecycle Manager (2007). For many organisations Microsoft's Active Directory is their main (and only) IAM product.
Review of this annex received: no.

Product: Windows Azure Active Directory (WAAD)
URL: http://www.windowsazure.com/nl-nl/solutions/identity/

Windows Azure is Microsoft's cloud application platform, launched in 2010. In 2012 WAAD was introduced as Microsoft's IdMaaS offering. WAAD is currently a free service for which no SLA is available; a paid-for version is in the pipeline, however. WAAD supports a pure cloud scenario (accounts are registered and stored in the cloud AD) as well as a hybrid scenario, where an on-premise AD is connected to WAAD. The latter scenario is the most likely for our constituency and provides SSO across on-premise and cloud applications, optionally extended with desktop SSO (for Windows computers). WAAD is relatively new and still undergoing major development, closely related to improvements to Microsoft's Active Directory Federation Services module as part of the Windows Server platform.
Improvements include risk- and context-based access control. Some IAM functions will be realised in the future with third parties' products, e.g. access governance, self-service and management capabilities. The current set of multi-factor authentication (MFA) solutions supported is rather limited: X.509 certificates and phone-based (voice, text message, app), called Active Authentication. MFA can be configured per user, not per application. Support for third-party solutions is on the roadmap, as is configuring MFA on a per-application basis.

Microsoft is rapidly connecting more and more cloud services to WAAD, from over 200 at this moment to a planned 1000 halfway through 2014. Hence WAAD will act as a broker for access to cloud applications (like SURFconext) and includes identity synchronisation in order to perform provisioning into cloud or on-premise applications. Guests can be registered in WAAD.

Support for groups is still limited. Existing groups in the on-premise AD can be provisioned to cloud applications if they support the new Graph API (not to be confused with the Facebook Graph API!). The same API can be used to define groups in WAAD. Simple reporting is currently available, but the feature set will be extended in the near future. Social logon is only supported in Azure for Microsoft Live. Microsoft has a separate cloud service for mobile device management, called Windows InTune.

On the non-functional side the following applies to WAAD:
● Microsoft adheres to the Safe Harbor Principles when it comes to privacy regulations. Regional localisation (e.g. Western Europe) of WAAD is planned due to customer demand.
● WAAD is SSAE 16 certified.
● Data escrow is possible through the API provided. Service escrow is not an option.
The picture below summarises the main features of WAAD:

Figure 12 Microsoft's IdMaaS functional decomposition (colour legend: not known or absent / yes or basic functionality / mature or advanced functionality)

How does it compare to SURFconext?
In order to benefit from the cloud services connected to WAAD, a connection between WAAD and SURFconext has to be made. This seems quite possible. At this moment WAAD does not offer much added value beyond the existing services of SURFconext, but due to the many improvements in the pipeline or on the roadmap this may change in the near future.

Annex: Okta

Supplier
Okta is a privately-owned company based in the US, founded in 2009. Okta is one of the first providers of IAM from the cloud.
Review of this annex received: no.

Product: Okta
URL: http://www.okta.com

Okta integrates with existing directories and identity systems, as well as thousands of on-premise, cloud-based and mobile applications, to enable IT to securely manage access anywhere, anytime and from any device. A number of very big IT companies use Okta as their identity solution.

Figure 13 Overview of Okta

On the non-functional side the following applies to Okta:
● Okta is SSAE 16 certified.
● Okta uses Amazon Web Services as its hosting provider; Amazon is ISO 27001 certified.

The picture below summarises the main features of Okta:

Figure 14 Okta's IdMaaS functional decomposition (colour legend: not known or absent / yes or basic functionality / mature or advanced functionality)

How does it compare to SURFconext?
An interface from Okta to SURFconext is possible, as SURFconext may serve as an IdP from Okta's perspective.

Annex: PingOne

Supplier
Ping Identity, USA. Ping Identity is an international company, primarily based in the USA with offices in Canada, Australia, Japan and the UK. It was founded in 2002 and has a strong focus on single sign-on solutions.
Review of this annex received: no.
Product: PingOne
URL: https://www.pingone.com

PingOne was launched in 2012 as a cloud-based SSO platform. PingOne provides authentication to both cloud-based and on-premise applications based on either SAML or a lightweight REST API. It supports strong authentication through one-time passwords in text messages. PingOne provides no functionality for risk-based access control, access governance or access request management.

PingOne does not have its own identity vault, but does support user and group provisioning from on-premise directories to applications through SCIM and a number of SaaS-specific non-standard protocols (e.g. Salesforce, Google, Workday, etc.). Groups can be created and managed inside PingOne, but only for access control purposes, not for further provisioning. Guest registration support was added just recently. PingOne provides basic reporting through the web-based management portal, but has no support for auditing.

On the non-functional side the following applies to PingOne:
● PingOne is SAS 70 Type II certified, the predecessor of SSAE 16.
● PingOne does not advertise an ISO 27001 certification.
● The SLA guarantees 99.9% availability; reporting includes availability and response-time statistics as well as incident history.
● PingOne is hosted in the USA and does not adhere to the Safe Harbor Principles. Note that PingOne does not collect or store privacy-related user data; it is merely a transport channel.
● Third-party escrow is not available.

The picture below summarises the main features of PingOne:

Figure 15 Ping's IdMaaS functional decomposition (colour legend: not known or absent / yes or basic functionality / mature or advanced functionality)

How does it compare to SURFconext?
From a technical point of view, PingOne can easily be connected to SURFconext. PingOne's main focus is on single sign-on and federation, which overlaps with SURFconext.
Its rather basic support for user provisioning—lacking an internal identity vault—and strong authentication does not offer much added value over the functionality already provided by SURFconext.

Annex: Sailpoint

Supplier
Sailpoint is a privately-owned company based in the US. Sailpoint is one of the pioneers in Identity and Access Governance software and already has a rich customer base with its on-premise solution.
Review of this annex received: yes.

Product: IdentityNow
URL: http://www.sailpoint.com/solutions/sailpoint_products/identitynow

IdentityNow has existed since 2013 and is Sailpoint's first cloud offering.

Figure 16 Overview of Sailpoint

IdentityNow provides an integrated set of governance, provisioning and access management services for business applications. Rich application connectivity options allow IdentityNow to securely manage cloud and on-premise applications. Furthermore IdentityNow provides SSO for cloud and on-premise applications, accessed by PCs, tablets and smartphones. It offers an app store or portal to achieve this and uses SAML and OAuth as technology standards. IdentityNow integrates with on-premise Integrated Windows Authentication (IWA) to enable single sign-on after a Windows login (desktop SSO).

On the non-functional side the following applies to IdentityNow:
● SailPoint completed an SSAE 16 audit.
● Sailpoint has all its data in the Amazon cloud, and Amazon is ISO 27001 certified.
● Customer data remains primarily within the EU, as EU Amazon AWS locations are utilized for hosting within the EU. Additionally, SailPoint adheres to the Safe Harbor Principles and is Safe Harbor certified.
● Sailpoint can offer 99.9% availability.
● Third-party data escrow is supported.

The picture below summarises the main features of IdentityNow:

Figure 17 Sailpoint's IdMaaS functional decomposition (colour legend: not known or absent / yes or basic functionality / mature or advanced functionality)

How does it compare to SURFconext?
An interface from Sailpoint to SURFconext is possible, as SURFconext may serve as an IdP from Sailpoint's perspective.

Annex: Traxion

Supplier
Traxion is a privately-owned Dutch company that claims to be the market leader in the Benelux for IAM. Traxion provides consultancy, implementation and operational services based upon third-party IAM software. Although Traxion is a well-known player in the educational market, its focus has shifted towards the manufacturing and transport industries.
Review of this annex received: no.

Product: IAM4Cloud
URL: http://iam4cloud.com

Note: Traxion brands IAM4Cloud for educational institutes as IAM4Education. In this document we will use IAM4Cloud.

IAM4Cloud has been operational since 2011. It consists of various third-party products like FIM (Microsoft), OpenAM, Symplified and CloudMinder (CA). IAM4Cloud supports various usage scenarios, ranging from on-premise hosted services via hybrid to pure cloud services. For this study, the hybrid scenario with the user store on premise is most relevant and is depicted in the figure below.

Figure 18 Overview of IAM4Cloud

IAM4Cloud features a broad range of interfaces to connect with the on-premise user store: AD, LDAP, web services, or a local Access Manager. Provisioning to both on-premise and cloud applications is supported, but in Traxion's experience provisioning proves to be a custom solution for most applications. The two provisioning modes, just-in-time (JIT) and ahead-of-time (AOT), are supported. Within IAM4Cloud the provisioning rules for applications are generally related to group memberships: when a user is added to a group, the applications will automatically be assigned to the user. Other authorisation models are optionally supported.

Guest registration is supported in two ways: in the on-premise identity store or in the cloud (Virtual Organisation scenario). Groups are essentially used to exercise control over the packages of applications users are allowed to access.
Self-service, by way of a user portal, is provided for password reset and access request management, combined with delegated administration. SSO is supported both for on-premise and cloud applications. Legacy (on-premise) applications can be added to the SSO domain thanks to the Symplified (proxy) product. Thanks to the Microsoft technology used, desktop SSO can be supported as well.

Support for two-factor authentication (2FA) is implemented in step-up mode, i.e. after validating the username and password, a second-factor authentication method can be configured per user, not per application. A number of third-party 2FA methods are supported, like Entrust, RSA, the Belgian eID, biometrics, et cetera.

For reporting the default (basic) FIM reports are used. Custom reports are available on request. The platform supports all standards-based integrations with third-party monitoring and security information and event management (SIEM) tools. While the products under the hood support identity & access governance (IAG) to varying degrees, IAM4Cloud does not offer IAG as a standard option. Nor does it offer identity-based device management or social logon.

On the non-functional side the following applies to IAM4Cloud:
● Traxion gives no guarantees as to where in the cloud the IAM4Cloud service is running. On request a single-tenancy version of IAM4Cloud can be realised in one of the UK or NL data centers, thus adhering to the EU privacy rules.
● Traxion is not certified for SSAE 16 or ISAE 3402.
● No SLA details are available.
● Third-party data escrow is supported with a preferred, independent provider.

The picture below summarises the main features of IAM4Cloud:

Figure 19 Traxion's IdMaaS functional decomposition (colour legend: not known or absent / yes or basic functionality / mature or advanced functionality)

How does it compare to SURFconext?
An interface from IAM4Cloud to SURFconext is very well possible due to the modular character of IAM4Cloud.
Depending on the organisation's demand for IAM functions, IAM4Cloud may well be in a position to deliver. The non-functional requirements need some more attention in that case, though.