Cloud vs. On-Prem: Where to Deploy Your CIAM?
Cloud computing in its various forms — Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) — has changed the way companies deliver their businesses. Cloud service providers (CSPs) achieve economies of scale by sharing their resources between many customers. They offer on-demand services that customers can consume more or less of depending on their needs. With a pay-as-you-go pricing model, customers are only charged for what they consume. This relieves businesses of having to manage the underlying infrastructure.
Businesses can obtain almost any kind of software as a cloud service these days, including Consumer Identity and Access Management (CIAM). However, CIAM is unique, and organizations should seek to understand the underpinnings of this vital service. Operating CIAM in the cloud brings many implications that don't apply to other cloud-based services, including complying with regulations and meeting security requirements. Therefore, organizations should make an informed decision about which delivery model is best for their CIAM platform. In this blog post, I provide some insights that should help you do so.
CIAM as a Service vs. CIAM Not as a Service
When deciding whether to procure CIAM as a cloud service or not, an organization may look into an Identity as a Service (IDaaS) solution. IDaaS is a cloud-based CIAM solution hosted by a third-party provider with the same pros and cons described below. The provider's business model relies on economies of scale, which means that the solutions they offer must fit the needs of many customers. Consequently, IDaaS, and SaaS in general, cover the basic needs of a broad audience but may lack the customization options required to implement your specific use case. An established CIAM product typically has an extensive range of features and integration options readily available.
When buying a CIAM product, make sure to choose a long-term option that can adapt to future requirements. First, ensure the product is based on open standards. Second, investigate support for integrations and customizations to satisfy current and future needs for business rules, security requirements, and compliance obligations. You must be able to solve today's problems while keeping an eye on the future when choosing a CIAM solution. You don't want to replace whatever you pick any time soon.
Cost is always a factor. A CSP can spread the costs for hardware, software, and maintenance over many customers who pay, depending on the plan, for what they consume. Thus, cloud services are considered operational costs, whereas on-premises deployments imply capital costs. The latter requires an organization to invest in hardware and software and pay for replacements, licenses, and maintenance. Moreover, the organization must employ and perhaps train staff to manage and monitor the infrastructure. On-premises deployments require planning, upkeep, investment, and, consequently, a budget. When deploying in the cloud, it may be hard to foresee and plan the costs for resources, as those costs depend on consumption that is difficult to predict. In particular, unmanaged cloud resources can lead to high costs with little warning.
Maintenance includes not only replacing broken parts but also applying (security) patches. In a cloud environment, the CSP handles that kind of maintenance, which may or may not be a good thing, depending on the timing. On-premises solutions, on the other hand, give an organization complete control over the infrastructure, its configuration, and its maintenance. It's up to the organization to keep track of and apply patches or upgrade any software. Good logging and monitoring support in the software is important for these operational tasks. Having full control over the deployment can also be important for security and compliance. When deploying on-premises, an organization can customize the infrastructure and related policies to meet specific needs, including data sovereignty.
Because of its central role and importance, an organization should consider basic security principles when deciding where to deploy the CIAM system. These basic goals can be summarized as the CIA triad: confidentiality, integrity, and availability.
Keep in mind that cloud service providers serve many customers and are, thus, more attractive targets for attackers compared to an on-premises deployment. Also, a company may suffer collateral damage from an attack or incident targeting another customer at the same cloud service provider (or data center). For example, an attacker may exploit one customer's misconfiguration and manage to escalate to other customers sharing the same cloud service provider. An attack or breach may violate any, some, or all of the goals below.
Data should only be disclosed to authorized parties. In a cloud environment, customers trust the cloud service provider to manage and secure the data. However, there is a risk of unauthorized parties accessing the data an organization stores in the cloud, for example through employees or subcontractors of the cloud service provider. Business-critical information, which could include data managed by the CIAM system such as user, customer, or business partner information, may be too valuable to expose to these risks. Nevertheless, more and more businesses are moving to the cloud because, for them, the benefits outweigh the risks.
To mitigate some risk, encrypt the data at rest and in transit. Once again, a cloud service provider may not fulfill these requirements. Sometimes, such requirements result from legal compliance rules, and an organization may be forced to deploy the CIAM on-premises.
A privacy-aware design for deploying the CIAM system that covers the end-to-end flow from client applications to the backend APIs helps further mitigate confidentiality-related risks on any deployment platform. Examples of such patterns are the Token Handler Pattern for browser-based apps, the Phantom Token Approach, and the Split Token Approach. Check whether the CIAM system supports those design patterns.
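To make the Phantom Token Approach concrete, the following is an added, self-contained simulation of the pattern; it is not code from the original post or from the Curity Identity Server, and all class names, the introspection response shape, and the HS256 signing key are assumptions for the example. The client only ever holds an opaque reference token; the API gateway swaps it for a JWT by introspecting at the authorization server (with a cache bounded by the token's expiry) and the backend API verifies the JWT's signature and expiry before trusting any claim. The demo also shows the confidentiality and integrity properties the text relies on: no JWT reaches the client, and a JWT whose payload was altered after signing is rejected.

```python
"""Phantom Token pattern, simulated in one process (constructed example, not Curity code).

Roles (hypothetical names):
  AuthorizationServer - issues opaque reference tokens and answers introspection with the JWT
  ApiGateway          - exchanges opaque token -> JWT via introspection, caches until expiry
  BackendApi          - verifies the JWT signature and expiry, then authorizes on claims
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


class AuthorizationServer:
    def __init__(self, signing_key: bytes, now=time.time):
        self._key, self._now = signing_key, now
        self._tokens = {}  # opaque reference token -> (jwt, exp)

    def issue(self, subject: str, scope: str, ttl: int = 300) -> str:
        """Create a signed JWT but hand the client only an opaque reference to it."""
        exp = int(self._now()) + ttl
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = b64url(json.dumps({"sub": subject, "scope": scope, "exp": exp}).encode())
        jwt = f"{header}.{payload}.{b64url(sign_hs256(self._key, f'{header}.{payload}'))}"
        opaque = secrets.token_urlsafe(32)
        self._tokens[opaque] = (jwt, exp)
        return opaque

    def introspect(self, opaque: str) -> dict:
        entry = self._tokens.get(opaque)
        if entry is None or entry[1] <= self._now():
            return {"active": False}
        return {"active": True, "jwt": entry[0], "exp": entry[1]}


class BackendApi:
    def __init__(self, signing_key: bytes, now=time.time):
        self._key, self._now = signing_key, now

    def verify(self, jwt: str) -> Optional[dict]:
        """Return the claims only if signature and expiry check out; None otherwise."""
        try:
            header, payload, sig = jwt.split(".")
            expected = sign_hs256(self._key, f"{header}.{payload}")
            if not hmac.compare_digest(expected, b64url_decode(sig)):
                return None
            claims = json.loads(b64url_decode(payload))
        except (ValueError, UnicodeDecodeError):
            return None
        return claims if claims.get("exp", 0) > self._now() else None

    def handle(self, jwt: str, path: str):
        claims = self.verify(jwt)
        if claims is None:
            return 401, {"error": "invalid_token"}
        if "read" not in claims.get("scope", "").split():
            return 403, {"error": "insufficient_scope"}
        return 200, {"path": path, "sub": claims["sub"]}


class ApiGateway:
    def __init__(self, auth_server: AuthorizationServer, backend: BackendApi, now=time.time):
        self._auth, self._backend, self._now = auth_server, backend, now
        self._cache = {}  # opaque -> (jwt, exp); never lives longer than the token

    def handle(self, opaque: str, path: str):
        cached = self._cache.get(opaque)
        if cached is None or cached[1] <= self._now():
            result = self._auth.introspect(opaque)
            if not result["active"]:
                self._cache.pop(opaque, None)
                return 401, {"error": "invalid_token"}
            cached = (result["jwt"], result["exp"])
            self._cache[opaque] = cached
        return self._backend.handle(cached[0], path)  # JWT travels only gateway -> backend


def run_demo() -> dict:
    """Exercise the flow with a controllable clock; returns HTTP-style status codes."""
    key = secrets.token_bytes(32)                # constructed key shared by AS and backend
    clock = [1_700_000_000.0]
    now = lambda: clock[0]
    auth, backend = AuthorizationServer(key, now), BackendApi(key, now)
    gateway = ApiGateway(auth, backend, now)

    opaque = auth.issue("alice", "read", ttl=60)
    valid = gateway.handle(opaque, "/orders")[0]
    unknown = gateway.handle("not-a-known-token", "/orders")[0]
    # Tamper with the JWT the gateway would forward: change scope, keep the old signature.
    header, payload, sig = auth.introspect(opaque)["jwt"].split(".")
    forged_payload = b64url(json.dumps({"sub": "alice", "scope": "read admin", "exp": 9e9}).encode())
    tampered = backend.handle(f"{header}.{forged_payload}.{sig}", "/orders")[0]
    clock[0] += 61                                # token (and cache entry) expires
    expired = gateway.handle(opaque, "/orders")[0]
    return {"valid": valid, "unknown_token": unknown, "tampered_jwt": tampered,
            "expired": expired, "client_sees_jwt": "." in opaque}


if __name__ == "__main__":
    print(run_demo())
```

The gateway cache is keyed by the opaque token and bounded by the `exp` returned from introspection, so a revoked-by-expiry token is never served from cache longer than the authorization server would allow it; a real deployment would also honour explicit revocation by shortening the cache lifetime.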
Integrity protection measures ensure that data is accurate and complete. This means data cannot be modified or deleted by unauthorized parties. It's vital that the data a CIAM system provides or bases its decision upon is accurate. When deploying in the cloud, particularly when storing data in the cloud, an organization is, to a certain degree, dependent on the cloud service provider to guarantee that integrity is maintained.
If the CSP cannot present satisfactory assurance or an organization cannot accept the risk of the CSP not living up to its promises, then on-premises deployment is likely the preferred option.
A CIAM system must, by its nature, ensure that the data it provides is accurate and cannot be manipulated, as manipulation would result in access violations and privilege escalation. When running OAuth 2.0 and OpenID Connect, ensure that the CIAM system supports the security best current practices no matter where it's deployed.
The CIAM system requires high availability, meaning its services should be accessible the vast majority of the time. How much downtime an organization may accept is based on a risk analysis and is business-specific. While on-premises deployments enable access over a restricted network, like the office network or a VPN, without depending on the public internet, cloud-based services are accessible from everywhere over the internet. Consequently, in cloud deployments, the internet connection becomes a critical factor.
Redundancy and reliability typically increase availability. When deploying in the cloud, the cloud service provider takes responsibility for many aspects of availability, such as hardware failures, redundant setups, scalability, and monitoring. Cloud service providers typically offer services like auto-scaling to enable customers to scale their deployed applications automatically based on certain thresholds.
Independently of whether the CIAM platform is deployed in the cloud or on-premises, it must support a scaling mechanism such as clustering so that an organization can increase the availability of the services if demand changes.
Though it may be pretty easy in a cloud environment to serve a global audience, an organization may operate under specific legal regulations. In particular, personal data or personally identifiable information (PII) are subject to regulation. A CIAM almost certainly processes such data. Some regulations require personal data to be stored in a particular geographical location. In such a case, an organization must request assurance from the cloud service provider that they comply with the regulations. When deploying on-premises, an organization must itself provide accurate technical, physical, and organizational controls to protect the data.
In the end, choosing a CIAM solution will depend on the individual requirements and how an organization weighs the pros and cons after a thorough risk analysis. Sometimes the solution is not one or the other but results in a cloud-managed solution such as a private or hybrid cloud.
Make sure to choose a long-term solution that can handle future requirements. For example, choose a cloud-native product that can be deployed on any cloud or on-premises. Base your CIAM solution on open standards and on products that are highly extensible and customizable to fit your current and future needs.
If you aim for high security, check out security best practices and dedicated profiles (FAPI 1.0 - Part 1, FAPI 1.0 - Part 2, or the FAPI 2.0 Security Profile) that help to mitigate common application-level risks. Verify that the CIAM solution supports your requirements. Whichever deployment option you ultimately decide on, the Curity Identity Server supports your choice.