Unless Your ID Cloud Vendor Can Fulfill These 5 Requirements, Proceed With Caution


I recently participated in a panel discussion covering "What to Look for in an Identity Cloud Provider" with two of my colleagues here at ForgeRock, hosted by the Cloud Security Alliance. With widespread confusion about cloud, hybrid, privacy, MFA, governance, and so much else, I found this discussion a useful primer on the basics of a cloud identity service, as well as on what's important to look for before signing on the dotted line with a vendor. I thought I'd summarize the talk here, but I encourage you to view the full session, which goes into much more detail.

Selecting a cloud vendor to host your identity-related functions, such as user authentication, authorization, single sign-on, federation, and identity management, can be a business booster and a way to streamline operations. It can also improve your overall security and give your organization a competitive edge through a more seamless digital experience for your users, both your internal employees and your consumers. But not all identity clouds deliver the same capabilities. The way some are architected and operated can limit the capabilities you're looking for and may fall short of your expectations for performance and scalability.

What follows are some highlights from the talk. It covers a few of the things you should ask about, nag, cajole, and otherwise press the vendor on to get assurances before you sign on the dotted line.

Consideration #1: Capabilities in the Cloud

It's easy to assume that every ID cloud vendor offers the capabilities you're looking for, but your mileage may vary.

For example, some vendors focus on customer identity and access management (CIAM) solutions, which provide the capabilities you need to reach, enroll, manage, and otherwise deliver a great online experience to your end-user customers. Other vendors focus on internal or workforce scenarios, which are optimized around securing access to your applications, networks, and data for employees, gig workers, contractors, and other work-a-day users.

While there is significant overlap between CIAM and workforce identity and access management (IAM), key differences emerge once you get down into the weeds, and you need to be able to plan for multiple user journeys within a single identity cloud solution so that you can accommodate current and future scenarios. The cloud service should let you easily design user journeys, from registration and authentication to the ways users prefer to access services (MFA, passwordless, one-time password, magic link, and others). It should also enable self-service flows, such as password resets, forgotten usernames, and preference management. Bottom line: why run two identity solutions in your organization when you can run one that covers all your applications and the needs of all your users?

Consideration #2: Hybrid IT

A recent survey from Threatpost [1] shows that the use of a hybrid cloud environment is on par with the use of public clouds (AWS, GCP, Azure). In other words, organizations are straddling applications that span both on-premises and cloud deployments. It's not a pure-play cloud world, and this isn't really surprising: ForgeRock's own research [2] shows that 86% of respondents expect hybrid cloud to be their reality for at least the next five years.

Given this reality, you should determine whether your identity vendor has capabilities that can be deployed to secure applications on-premises, in the public cloud of your choice, or through a hybrid or multi-cloud approach. Opt for an identity cloud architecture whose deployment options include a combination of private and public clouds, infrastructure as a service (IaaS), and platform as a service (PaaS).

Consideration #3: User Experience

In a world where the only interface many users will have with your organization is through digital channels, having an identity cloud solution that can deliver the ultimate seamless experience for your users — regardless of where they are coming from or what device they are using — can be a game-changer.

You should plan for the platform to secure and orchestrate seamless omnichannel user journeys for easy access, regardless of what device users are on. Think of an omnichannel experience such as curbside pickup, where a user places an order through a web browser from the comfort of home, then switches to the mobile app for payment and to coordinate the pickup within a defined time window. Many different identity, compliance and security, and ecommerce functions need to be engaged simultaneously and work together seamlessly to deliver a satisfying user experience and outcome.

Consideration #4: Security and Compliance

It was once taken for granted that anything "cloud" was scary and suspect, on the grounds that its security could not match a self-managed, on-premises solution. Now it's widely recognized that, as long as your SaaS vendor has the right security controls in place, you can achieve the same level of security and compliance in the cloud as you do on site. But there's the rub: you have to know what your identity cloud vendor is actually doing in this area.

You need to work with your cloud service provider to ensure your data is never commingled with other customers' data. This not only prevents accidental data spillage, but also prevents "noisy" and "nosy" neighbors from degrading your performance or accidentally or maliciously accessing your data. Don't take "isolated" at face value: ask how tenant isolation is actually implemented (separate environments, separate data stores, per-tenant encryption keys, or some combination) and where the isolation boundary sits.

In terms of compliance, look for vendors that have done the hard work upfront on SOC 2 and ISO 27001. That way, you can be assured that at least the base-level security plumbing is in place. Ask for the reports themselves (a SOC 2 Type II rather than a Type I, since it covers controls operating over time) and check that their scope actually covers the service you are buying. But also look to your own internal compliance needs and seek out a cloud vendor that can isolate your data in specific geographies, so you can satisfy data residency requirements that arise from regional regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Consideration #5: Predictability, Scalability, and More

The nuts and bolts of the cloud solution, the way it's built and operated, underpin how it's going to perform for you. Review the cloud service provider's upgrade process. Does the vendor support zero-downtime upgrades, so that a patch or upgrade does not impact service-level agreements (SLAs)? When it comes to identity-related services, even a small downtime window for upgrades can mean big user impact, because every application that depends on the identity service goes down with it.

You should also seek out a vendor with an industry-standard 99.99% SLA and a history of exceeding it (99.99% availability allows roughly 52 minutes of downtime per year, so ask how the vendor measures it and what the remedy is if it's missed). Too many cloud providers "intermingle" client data, which makes it very difficult to extract and restore your particular backup in the timeframe you need. If disaster strikes, be sure the cloud service can restore your specific environment from an encrypted backup, within an acceptable SLA, in case of a mishap or misconfiguration.

And there are more: five additional considerations that we've identified and put into a white paper you can download here. Watch the full video here.

  1. Threatpost, Cloud Security: The Forecast for 2022 (eBook), page 26.
  2. ForgeRock, IAM for the Hybrid Enterprise.