Service Layers Managed IAM
Service Layers delivers a comprehensive managed IAM solution, based on best-of-breed IAM products. The solution is well-architected, following modern concepts including DevOps, container-based deployments, and microservices architectures. It thus can be run and operated on various infrastructures. Service Layers provides full operations support across global regions. With this solution, customers can balance their need for individual IAM approaches with a managed IAM service supporting hybrid requirements.
by Martin Kuppinger mk@kuppingercole.com August 2019
1 Introduction
Cloud services have become a reality for most businesses over the course of the past years. For most businesses, “cloud first” has become the norm, no longer the exception. In consequence, more and more business workloads are shifting to the cloud, into as-a-service deployment models. The reality of business systems today is hybrid for most organizations.
This evolution requires other IT services such as IAM (Identity and Access Management) to follow that trend. This critical IT capability should run where the critical services that need to be supported and protected run. There is no way to split identity services into disparate services for the “old” and “new” IT. There is a need for a hybrid IAM. While this tended to be an on-premises IAM with some support for cloud services, it is about to shift to cloud IAM with strong support for existing on-premises business services, as more and more business workloads shift to the cloud.
Over the past years, a growing number of IDaaS (Identity as a Service) solutions have appeared on the market. However, many if not most of these are focused on one part of IAM, namely supporting Single Sign-On (SSO) of users and adaptive authentication schemes. Unfortunately, IAM is not done with authenticating a user. It is about managing the identities and their entitlements, it is about authenticating, and it is about authorizing access. IDaaS services that are just SSO and authentication services lack the depth that is required for successfully securing and governing business applications. A comprehensive approach to IDaaS requires broader coverage.
However, as the shift of business workloads is a long-term journey for most businesses, moving from on-premises IAM to IDaaS while delivering comprehensive support for IAM capabilities across all target systems, independent of their deployment model, is a multi-step journey as well. Running comprehensive IAM capabilities as a managed service is one of the options organizations have on that journey.
Many of today’s investments into IDaaS don’t follow a well-thought-out strategy, but are tactical: some new cloud services appear, so connectors or SSO are added. However, when looking at the mid-term IT strategy (commonly a “cloud first” or “cloud preferred” approach) and the mid-term IT reality, which is hybrid for most organizations, a well-planned approach must be taken.
Part of this approach is to start with a clear focus on and acceptance of the hybrid reality of IT. While “cloud first” might be the strategy, the reality is different. Moving to an “IDaaS first” approach is a consequence of the shift to as-a-service models. Thus, businesses need to decide when and how best to take this step. Here, managed IAM comes into play, which allows a high degree of individuality for the specifics of an enterprise, while being run as a service.
While there is no single right approach to modernizing IAM, managed services are a viable option that balances the challenges of fulfilling organization-specific requirements, supporting complex hybrid environments, and allowing for a gradual step towards an easy-to-manage IAM, without the trade-off in depth and breadth of capabilities most IDaaS solutions still have.
One of the emerging players in this market is iC Consult with their subsidiary Service Layers, which builds custom, managed IAM services based on leading-edge IAM products.
2 Service Description
iC Consult, the leading German IAM system integrator, provides a managed IAM service via its subsidiary Service Layers. Based on a combination of ForgeRock and Ping Identity solutions, Service Layers complements this with a range of other technologies for delivering integrated, customized services from various IaaS (Infrastructure as a Service) infrastructures such as AWS (Amazon Web Services) or Microsoft Azure. However, Service Layers can also operate these services from on-premises platforms of the users.
With this service, Service Layers addresses common customer challenges. Rolling out a standard on-premises IAM service is commonly challenging, with many projects stalling. Setting up and operating IAM infrastructures in global environments is another challenge, even for multi-national organizations. Furthermore, businesses are under pressure. Digital Transformation also requires IT, and specifically IAM with its focus on Digital Identities and the Digital Consumer, to become more agile and adapt quickly to changes in a well-managed way. Beyond that, one of the threats to organizations is the frequent change in the IAM vendor landscape, with mergers & acquisitions, start-ups and so on. Such changes have a massive impact on a company’s infrastructure. Building on a managed service can mitigate these threats, by continuing to deliver defined services and capabilities without the business having to run a migration project by itself. Finally, the managed service approach run by Service Layers, with individual instances and customization per tenant within a well-defined framework, allows customers to find the balance between individuality and a standard-based, managed infrastructure.
The Service Layers target and approach is to build on best-of-breed products and to fully automate the infrastructure deployment and management (“infrastructure as code”) and the configuration (“configuration as code”), which allows for rapid deployment and customization. Unlike other IDaaS vendors’ common approach, Service Layers uses dedicated instances for each customer, so no runtime components are shared across multiple customers. Thus, Service Layers can automate the infrastructure and configuration management, resulting in a cost reduction for operations compared to traditional, manual operating models.
The entire approach builds on a modern architecture, based on microservices and containers. Microservices allow for defining small, functional blocks with well-defined APIs and flexible reusability. Such microservices, as well as the pre-configured services of the best-of-breed applications used, are then packaged into containers, based on Kubernetes. These can be run on various types of infrastructures, including private and public cloud environments.
Based on that, Service Layers delivers a managed service platform that not only consists of a tool but includes the entire runtime environment, spanning
• Underlying cloud infrastructure and operations environment
• Functional components, based on best-of-breed products with extensions by Service Layers
• Customizations
• Defined processes for efficient operations of the entire infrastructure
Service Layers targets both large enterprise clients and medium-sized businesses. Data centers and operations are available in various regions, including GSA (Germany, Switzerland, Austria), Russia, China, and the U.S. In particular, the ability to provide an IAM Managed Services offering from one single source with hosting locations in China and Russia is considered a unique selling proposition.
Customers include manufacturing businesses, which frequently have factory plants in some or all of these regions and countries as well as a large customer base, and which need consistent IAM and CIAM services and operations across these regions.
Due to delivering the service based on a microservices and container-based architecture, Service Layers also integrates a consistent DevOps approach, allowing for agile delivery and enhancements of the service. This includes features such as CI/CD pipelines, auto-scaling and more. As mentioned above, Service Layers focuses on full automation of both the delivery pipeline and operations, by making use of common, modern DevOps infrastructure components. These include, amongst others, GitLab, Helm, Docker containers, Kubernetes, Swagger, and many more. For various functional capability enhancements and customizations, additional established infrastructure components such as Elasticsearch or PostgreSQL are used.
While Service Layers provides a high degree of re-use amongst customers and thus efficient delivery, data is fully segregated and deployment and configuration options remain flexible due to separated instances for each customer. Customers can decide about
• the deployment model and cloud to use
• the level and availability of support and
• the amount of customization
On the other hand, Service Layers standardizes operations, patch management, and other services across all customers, based on their automation approach. Furthermore, each customer instance is supported by a defined project team for both customization and operations.
3 Strengths and Challenges
Service Layers, and thus iC Consult, is one of several system integrators that are starting to deliver IAM services as a managed service offering. They have a strong focus on optimized delivery and customizations, balancing standard implementation and customer-specific requirements well. A specific strength is their globalization strategy, focusing on typical regions starting with manufacturing customers while strategically extending the coverage towards a variety of target industries, including financial services and others. However, the service is also relevant to customers operating only in a single region.
From an architectural perspective, Service Layers consistently builds upon state-of-the-art concepts such as DevOps support, microservices architectures, and container-based deployment. This is the foundation of a flexible and future-proof service.
Basing the offering on well-established products that count amongst the best-of-breed offerings in their respective IAM market segments gives customers a good assurance of building on a stable environment. However, despite the architectural approach chosen by Service Layers, there remains a risk of changes in the underlying product infrastructure impacting the customer implementation. From a technical perspective, we’d appreciate seeing an even more clearly defined abstraction between the underlying technical services – currently ForgeRock and Ping Identity – and the customer user interface and APIs used for customization. This would allow Service Layers to flexibly change the underlying technology platforms, with little to no impact on customer implementations.
In sum, Service Layers provides an interesting option for deploying and running IAM in global environments, for customers of different sizes, with a well-thought-out architecture and operating model. For organizations that are facing the challenge of running an IAM that fits their hybrid IT, we recommend evaluating Service Layers.
Strengths
● iC Consult has long-standing experience in deployment, customization and operations of IAM
● Well-selected best-of-breed products as foundation
● Modern, future-proof architecture based on containers and microservices
● Flexible customization based on microservices architecture
● Variety of deployment and operations options
● Support for various global regions
Challenges
● Service Layers is still a relatively small unit of the mid-sized system integrator iC Consult.
● Abstraction of underlying best-of-breed products could be implemented even more consistently.
● New service with an as yet limited but renowned number of customers, incl. DAX-30 companies.
