With the rapid rise of cloud computing and mobile technology, enterprise IT environments are becoming increasingly complex and network boundaries are blurring. User identity for application systems can no longer be determined by the network perimeter alone, so there is an urgent need for a unified, cloud-based identity management platform (IDaaS). IDaaS has emerged naturally from this shift and is already widely applied in mobile office, SaaS services, and PaaS platforms. As enterprises adopt cloud and mobile technology, they need identity capabilities that go beyond the traditional network boundary and traditional identity and access management (IAM) solutions.
1. What is IDaaS
IDaaS (Identity as a Service) is a cloud-based identity authentication service platform delivered in the SaaS model; it can be understood as SaaS + IAM.
Gartner defines IDaaS as 'the integration of functions such as administration, account provisioning, authentication and authorization, and reporting.' Cloud-based IAM can manage both SaaS applications and internal applications at the same time.
Gartner points out that the main driver of growth in IAM cloud security services is rising demand from small and medium-sized enterprises, including extending basic IAM functions and serving a growing number of employees who access SaaS applications and internal web applications. More and more small and medium-sized enterprises are deploying IAM cloud services to replace their original on-premises IAM tools, while large enterprises tend to run IAM in a hybrid of cloud and on-premises deployment.
Gartner states that the core aspects of IDaaS are:
IGA (identity governance and administration): provisioning users to cloud applications and self-service password reset.
Access: standard user authentication, single sign-on, and authorization, supporting standard federation protocols (SAML, OIDC, etc.).
Intelligence: identity and access log monitoring and reporting.
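The Access function above is where most of the security of an IDaaS deployment actually lives: every connected application must validate what the provider hands it. The following is an added example (not code from the original article or from any IDaaS vendor) showing both sides of an OIDC login in Go: the provider mints an RS256-signed ID token, and the relying party verifies the signature with the provider key it already trusts, pins the algorithm, and then checks iss, aud, exp, iat and nonce. The issuer URL, client ID, claim values and the single-string form of aud are constructed assumptions; in practice the public key comes from the provider's JWKS endpoint.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IDClaims is the subset of OIDC ID token claims this example validates.
// aud is handled in its single-string form only (assumption; it may also be an array).
type IDClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
	Nonce string `json:"nonce"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintIDToken plays the IDaaS provider: it signs a compact JWS (header.payload.signature)
// over the claims with RS256, using the provider's private key.
func mintIDToken(priv *rsa.PrivateKey, c IDClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64url(hdr) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// verifyIDToken plays the relying party. pub is the provider key the RP trusts (from the
// JWKS in practice); issuer and clientID are the RP's registered configuration; nonce is
// the value the RP generated for this login and kept in its session.
func verifyIDToken(tok string, pub *rsa.PublicKey, issuer, clientID, nonce string, now time.Time) (*IDClaims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm: the RP decides, never the token. Rejects alg=none and
	// RS256-to-HS256 key-confusion attempts.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	// Verify the signature before trusting anything in the payload.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c IDClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	// Claim checks from OpenID Connect Core 3.1.3.7, applied only after the signature check.
	switch {
	case c.Iss != issuer:
		return nil, errors.New("issuer mismatch")
	case c.Aud != clientID:
		return nil, errors.New("audience mismatch: token was issued to another client")
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Iat > now.Unix()+60: // tolerate 60 s of clock skew
		return nil, errors.New("token issued in the future")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch: possible replay")
	}
	return &c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	tok, _ := mintIDToken(priv, IDClaims{Iss: "https://idp.example.com", Sub: "user-42",
		Aud: "crm-app", Exp: now.Add(5 * time.Minute).Unix(), Iat: now.Unix(), Nonce: "n-1"})
	c, err := verifyIDToken(tok, &priv.PublicKey, "https://idp.example.com", "crm-app", "n-1", now)
	fmt.Println("crm-app:", c.Sub, err)
	// Same valid signature, but minted for a different client: must be rejected.
	_, err = verifyIDToken(tok, &priv.PublicKey, "https://idp.example.com", "hr-app", "n-1", now)
	fmt.Println("hr-app:", err)
}
```

The order matters: signature first, then algorithm-independent claim checks. The audience check is what stops a token legitimately issued for one SaaS application from being replayed against another application federated to the same IDaaS tenant, and the nonce check ties the token to the browser session that started the login.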
2. What are the advantages of IDaaS
One of the main advantages of IDaaS is cost savings. Deploying software such as Microsoft AD or IBM TIM/TAM on the enterprise's own premises brings many costs: your team must maintain servers; purchase, upgrade, and install software; regularly back up data; pay hosting fees; monitor additional sites to ensure network security; set up VPNs; and so on. With IDaaS, subscription fees and management work cost far less.
Beyond cost savings, other advantages of IDaaS include improved security, time saved, faster logins, and fewer password resets. Whether users log in from open WiFi at the airport or from their office desk, the whole process is seamless and secure. The improved security can keep the company from facing attacks or vulnerabilities that could upend its business. And handling the rapid increase in IAM throughput as the company's business grows, keeping up with new technologies, and responding to the security incidents that can arise at any time are entrusted to professional IDaaS service providers. The flip side is that the provider becomes the single trust anchor for every connected application, so its availability and its own security posture are inherited by all of them.
3. IDaaS Application Scenarios and Challenges
3.1 Microservices Architecture
With a microservices architecture, IDaaS can integrate CI/CD for rapid iteration, use gray (canary) releases to trial key business modules on a small scale before a full rollout, and scale with fast-growing service volume; for example, if login volume suddenly increases, only the SSO service needs to be scaled out rather than every service.
3.2 Consumer Identity Authentication
IDaaS provided for consumer-facing applications, where the main user group is consumers, has the following characteristics:
# 1. The user base is massive, with millions or even billions of users.
# 2. Registration is simple; users can register successfully by providing the minimum amount of personal data.
# 3. Login is convenient, with a variety of authentication methods such as face, fingerprint, SMS, voiceprint, carrier three-element verification (name, ID number, and phone number), FIDO, etc.
# 4. Deep integration with Internet services: third-party authentication via leading Internet applications such as WeChat, QQ, Alipay, Taobao, Weibo, Douyin, Google, etc., and seamless integration with internal applications running as WeChat Mini Programs or DingTalk Mini Programs.
# 5. Intelligent recognition of repeated registration, detection of low-frequency (low-and-slow) attacks, and intelligent recognition of genuine users.
# 6. The same user may exist separately in different applications, so user association (identity linking) capabilities are needed.
# 7. Auditing of massive volumes of user operation behavior, with user behavior analysis based on big data.
# 8. Internet user analysis capabilities, such as classification, aggregation, and user profiling.
# 9. Availability must be ensured 24x7.
# 10. Promotions, flash sales, Double 11, sudden events, and other bursts in login traffic require scaling the service out within seconds.
# 11. Gray release, cache degradation, and traffic shaping.
3.3 Identity authentication for employees
IDaaS provided for applications whose main user group is the company's own employees has the following characteristics:
# 1. Complex organizational structures; different applications do not share a unified organization structure.
# 2. Complex roles and positions, with over-allocated roles, overlapping and concurrent positions, and temporary granting and revocation of various permissions.
# 3. Login is convenient, with a variety of authentication methods such as face, fingerprint, SMS, voiceprint, carrier three-element verification (name, ID number, and phone number), FIDO, etc.
# 4. Deep integration with Internet services: third-party authentication via leading Internet applications such as WeChat, QQ, Alipay, Taobao, Weibo, Douyin, Google, etc., and seamless integration with internal applications running as WeChat Mini Programs or DingTalk Mini Programs.
# 5. Intelligent recognition of repeated registration, detection of low-frequency (low-and-slow) attacks, and intelligent recognition of genuine users.
# 6. The same user may exist separately in different applications, so user association (identity linking) capabilities are needed.
# 7. Auditing of massive volumes of user operation behavior, with user behavior analysis based on big data.
# 8. Internet user analysis capabilities, such as classification, aggregation, and user profiling.
# 9. Full employment life cycle services: onboarding, departure, transfer, concurrent positions, and retirement.
# 10. Global group companies need global access and multi-center federated authentication capabilities.
3.4 Identity authentication for suppliers
IDaaS provided for applications whose main user group is suppliers has the following characteristics:
# 1. Suppliers have many users, and the set of suppliers itself changes frequently.
# 2. Supplier employees have high turnover.
# 3. Suppliers require strict permission control.
# 4. Supplier networks are complex: access may come from the internal network, directly from the external network, or through a VPN.
# 5. Account distribution is hard to control; sharing of account passwords must be prevented.
# 6. Control of suppliers' zombie accounts, of accounts belonging to employees who have left, and of permission changes.
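Points 5 and 6 are the ones an IDaaS tenant can actually enforce with data it already holds: the directory export (is the account enabled, when did it last log in) joined with the procurement record (when does the supplier's contract end) and the login audit log (which source IPs used the account). The following is an added example, not code from the original article or from any IDaaS product, that runs those three checks in Go over constructed records: an orphaned account whose contract has ended but is still enabled, a zombie account with no login for 90 days, and a suspected shared password where several distinct IPs log in within minutes of each other. Field names, thresholds (90 days, 10 minutes, 3 IPs), supplier names and IP addresses are all assumptions for the demo.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// SupplierAccount is one supplier identity as it might be exported from the IDaaS
// directory and joined with the contract end date from procurement (constructed shape).
type SupplierAccount struct {
	ID          string
	Supplier    string
	Enabled     bool
	ContractEnd time.Time // zero value: no end date on record
	LastLogin   time.Time // zero value: never logged in
}

// LoginEvent is one successful login taken from the IDaaS audit log (constructed shape).
type LoginEvent struct {
	AccountID string
	At        time.Time
	SourceIP  string
}

// Finding is one hygiene issue. Kind is "orphaned", "dormant" or "shared-credential".
type Finding struct {
	AccountID string
	Kind      string
	Detail    string
}

const (
	dormantAfter = 90 * 24 * time.Hour // no login for 90 days counts as a zombie account
	sharedWindow = 10 * time.Minute    // distinct IPs this close together suggest a shared password
	sharedMinIPs = 3
)

// AuditSupplierAccounts checks every enabled account for the three supplier risks:
// contract ended but access still on, dormant accounts, and password sharing.
func AuditSupplierAccounts(accts []SupplierAccount, logins []LoginEvent, now time.Time) []Finding {
	byAcct := map[string][]LoginEvent{}
	for _, e := range logins {
		byAcct[e.AccountID] = append(byAcct[e.AccountID], e)
	}
	var out []Finding
	for _, a := range accts {
		if !a.Enabled {
			continue // already contained; nothing to flag
		}
		if !a.ContractEnd.IsZero() && now.After(a.ContractEnd) {
			out = append(out, Finding{a.ID, "orphaned", "contract with " + a.Supplier + " ended " +
				a.ContractEnd.Format("2006-01-02") + " but account is still enabled"})
		}
		if a.LastLogin.IsZero() || now.Sub(a.LastLogin) > dormantAfter {
			out = append(out, Finding{a.ID, "dormant", "no successful login in the last 90 days"})
		}
		if n := maxDistinctIPs(byAcct[a.ID], sharedWindow); n >= sharedMinIPs {
			out = append(out, Finding{a.ID, "shared-credential", fmt.Sprintf("%d distinct source IPs within %s", n, sharedWindow)})
		}
	}
	return out
}

// maxDistinctIPs returns the largest number of distinct source IPs that logged in to one
// account within any sliding window of the given length.
func maxDistinctIPs(evs []LoginEvent, window time.Duration) int {
	sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
	best := 0
	for i := range evs {
		seen := map[string]bool{}
		for j := i; j < len(evs) && evs[j].At.Sub(evs[i].At) <= window; j++ {
			seen[evs[j].SourceIP] = true
		}
		if len(seen) > best {
			best = len(seen)
		}
	}
	return best
}

// SampleData returns constructed directory and audit-log records for the demo;
// none of it comes from a real tenant.
func SampleData() ([]SupplierAccount, []LoginEvent, time.Time) {
	now := time.Date(2024, 6, 1, 9, 0, 0, 0, time.UTC)
	d := func(y, m, day int) time.Time { return time.Date(y, time.Month(m), day, 8, 0, 0, 0, time.UTC) }
	accts := []SupplierAccount{
		{"sup-001", "Acme Logistics", true, d(2025, 1, 1), d(2024, 5, 30)},  // healthy
		{"sup-002", "Acme Logistics", true, d(2024, 3, 31), d(2024, 5, 29)}, // contract over, still logging in
		{"sup-003", "Bolt Parts", true, d(2025, 1, 1), d(2024, 1, 15)},      // zombie account
		{"sup-004", "Bolt Parts", true, d(2025, 1, 1), d(2024, 5, 31)},      // one password, several people
		{"sup-005", "Old Vendor", false, d(2023, 6, 30), d(2023, 6, 1)},     // already disabled
	}
	t0 := d(2024, 5, 31)
	logins := []LoginEvent{
		{"sup-001", t0, "203.0.113.10"},
		{"sup-004", t0, "198.51.100.7"},
		{"sup-004", t0.Add(2 * time.Minute), "198.51.100.22"},
		{"sup-004", t0.Add(6 * time.Minute), "192.0.2.140"},
	}
	return accts, logins, now
}

func main() {
	accts, logins, now := SampleData()
	for _, f := range AuditSupplierAccounts(accts, logins, now) {
		fmt.Printf("%s  %-17s %s\n", f.AccountID, f.Kind, f.Detail)
	}
}
```

On the sample data this reports exactly three findings: sup-002 orphaned, sup-003 dormant, sup-004 shared-credential; the healthy and the already-disabled accounts produce nothing. In a real tenant the same logic would run on a schedule against the directory and audit APIs, and the orphaned and dormant findings would feed an automatic disable rather than a report.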
3.5 Identity authentication for the Internet of Things
IDaaS provided for applications whose main service entities are Internet of Things devices has the following characteristics:
# 1. The number of IoT devices is extremely large and growing extremely fast.
# 2. IoT devices have unstable, low-bandwidth network connectivity.
# 3. IoT devices run many heterogeneous operating systems and have limited computing power.
# 4. IoT devices have weak built-in security protection and are easily compromised.
# 5. IoT devices must be assigned unique IDs that cannot be forged or tampered with.
# 6. Global connectivity, authentication, and authorization capabilities across the IoT network.
# 7. Low-power devices and devices without an operating system need device shadows for unified management.
# 8. Encryption, authentication, and authorization for communication between devices and third-party servers.
