Defining “Identity as a Service”
What exactly do we mean when we say Identity as a Service? Recent discussions have made me realize that not everyone has the exact same definition of this term, and it can cause a great deal of confusion when discussing the subject.
Identity as a Service refers to the notion of making identity management capabilities available as an infrastructure service to all applications in a SOA environment. This enables enterprises to make identity a transparent, ubiquitous part of their applications (in this context, it is important to remember what we mean by identity; see my previous post), while maintaining consistency in the 4 A‘s of identity management – Authentication, Authorization, Administration and Auditing.
Identity as a Service enables the creation of an Enterprise Identity Layer that is the platform on which all identity-enabled enterprise applications are built. This is especially interesting for us at Oracle in the context of Fusion, where the vision is for customer to have a unified, seamless and intuitive way for managing identities in their entire Fusion deployment.
So What Does It Entail?
Oracle is hard at work trying to define the identity services that are needed for creating a true enterprise identity layer. There are some really good identity framework projects out there (Higgins, Bandit, OSIS) that focus on the core identity services needed for any identity-enabled application on the web – identity attribute sources, authentication (with identity selectors) and RBAC. These frameworks focus on the delivery of user-centric identity technologies and methodologies. But enterprise environments are far more complex and regulated, so the identity services needed are consequently greater in number, and more sophisticated. Below is the high level straw man we started our project with. It identifies what we believe are the services that an Enterprise Identity Layer needs to offer to the applications environment (click it to see a bigger view).
A Different Definition
Some folks I talked to at Collaborate pointed out that one of the reasons for their confusion has been the emergence of another definition for Identity as a Service. This definition comes to us courtesy the world of Software as a Service. Wikipedia defines Software as a Service (SaaS) as a software application delivery model where a software vendor develops a web-native software application and hosts and operates (either independently or through a third-party) the application for use by its customers over the Internet. Customers pay not for owning the software itself but for using it. They use it through an API accessible over the Web and often written using Web Services or REST. (You can read the rest of the Wikipedia article here).
In the SaaS context, Identity as a Service actually is used to describe a hosted identity management offering, very similar to hosted HR offerings (in fact, there are companies looking to provide the natural convergence of the two as a single offering). This is a natural outgrowth of the emergence of identity service, in that it requires the enablement of web services by the host that expose identity management capabilities to their customers. Fischer International is a vendor that has really latched on to this definition in a big way (I think they have trademarked the acronym IaaS).
Whatever term we standardize on (Identity as a Service, Identity Fabric, Identity Layer), the move towards the delivery of identity capabilities as services in a SOA environment is the real story here. At Oracle we are working with our customers to define the Identity Services Framework that we believe is needed in enterprise environments. As always, your participation and input is welcome.
I like what you are saying here. We need to talk some more about this. One of the true values of this approach is that identity services need to work consistently across all identity vendor offerings.
By the way, here are the links to both the Burton Group report and Reference Architecture Technical Positions that further illustrate this concept.