A high-level IDaaS metric: if and when moving ID in the Cloud


Building metrics to decide how and whether to move to IDaaS means considering which variables and which strategy have to be taken into account when organizations subscribe to identity-as-a-service contracts. Before moving any IdM to the Cloud, an organization should balance costs and risks. Accordingly, the metrics adopted should be flexible enough to be applied both by a company that is developing an IdM system and by a company that already has an IAM in operation but is considering moving its ID to the Cloud. The metric introduced below is part of a forthcoming IDaaS Best Practices document that helps companies understand, evaluate and then decide if and how to move ID to the Cloud.

IDaaS: Measure Maturity

The IDaaS metric definition starts from on-premise IdM/IAM acquisition and implementation costs. Take the following parameters into consideration:
1) COSTS – IdM/IAM costs are mainly based upon Infrastructure, Personnel, Administration (access, help desk, education/courses, …), Attestation and Compliance (including personnel certification and upgrading), and Business Agility expenditures;
2) RISKS – Risks are based upon the expenditures needed to cover, in order:
2.1 Implementation risks (the risk that a proposed investment in technology may diverge from the original or expected requirements);
2.2 Impact risks (the risk that the business or technology needs of the organization may not be met by the investment in the IAM solution, resulting in lower overall total benefits);
2.3 System protection (perimeter defence, audit and surveillance).

The risk/confidence the company is dealing with depends mainly upon the combination of:
– IAM maturity, in terms of implementation, maintenance and evolution capacity;
– SOA maturity, i.e. really understanding policies through the processes applied (privileges by user role, accreditations, de-accreditations, …) and acting dynamically within the organization;
– Adherence to the criteria that measure the service provider(s)' compliance with the identity ecosystem framework.

Figure 1 – IDaaS Maturity Framework to IDaaS Best Practices

Accordingly, the metric should be based upon the organization's maturity grade. The gauge proposed is kept as simple as possible and is designed to be flexible: if necessary, this metric can be enriched and applied to more complex systems (more parameters per maturity level, more maturity levels according to the company's policy). The metric measures the confidence/risk when an organization moves to IDaaS by adopting one of the following models:

1) ID On-premise – ID is outsourced but the infrastructure is kept inside the company. In this case ID personnel manage tools and infrastructure, but the expertise comes from the outsourcer;
2) ID Provider Hosted – A private Cloud for IDaaS is managed. The personnel managing the private Cloud (tools) are shared with the service provider. In this case administration, tools and infrastructure are in the private Cloud and ID management is shared;

Figure 2 – IDaaS properties and possible path to the Cloud

3) ID Hybrid – IDaaS is in the Cloud, although sensitive information is still managed internally. ID Hybrid means subscribing to private, community and/or public Cloud services. Tools and infrastructure are shared through the Cloud. ID administration is managed in the Cloud;
4) ID in the Cloud – The ID is in the Cloud. Only the personnel managing the contract and service conditions (all aspects: policy, framework, SLA, …) are kept internally.

These aspects are important, on one hand, for considering which risks (and countermeasures) may arise when moving the ID to the Cloud and, on the other hand, which gains could be expected in terms of cost savings. Companies have to balance the real business value of the risks, based upon on-premise ID maturity, against the eventual cost reduction, model by model. In the following picture, an example shows how three companies with three different levels of maturity for IdM, SOA and Ecosystem adherence meet three scenarios in terms of Cost/Saving and Confidence/Risk when they decide to move to IDaaS.

Figure 3 – IDaaS: 3 cases of companies having different levels of maturity and risk

Company A – Company A manages advanced projects to implement and maintain high levels of maturity for IdM and SOA. Attention is also paid to the Cloud identity ecosystem: the Company applies specific criteria to assess service provisioning in the Cloud. By applying IDaaS Best Practices based on maturity levels, Company A might moderate the risks if it decides to move ID to the Cloud. Its criteria for adopting Cloud services are stable enough to manage on-demand and fully provisioned IDaaS. Cost saving is another aspect that should be taken into consideration. By externalizing IDaaS, the expected savings might be impressive (about 70% of the CapEx invested) and, in this case, moving to the Cloud can be balanced with a path that further moderates the risk.

Company B – Company B has intermediate maturity and work-in-progress projects for IdM and SOA implementation. Knowledge of the ecosystem interface is also increasing, although it is not yet disciplined. Confidence in moving ID to the Cloud is lower than for Company A, and the risk grows with the IDaaS models above. Considering the CapEx needed to implement internal IAM and BPM procedures, the IDaaS cost saving is lower (about 30% of the CapEx invested) than for Company A. Company B should mitigate the risk by moving to the appropriate IDaaS model. The right path to subscribing to IDaaS should start from the most suitable IDaaS model and progressively increase the levels of maturity.

Company C – Company C faces a different challenge with respect to Companies A and B. Company C is not organized to set defined levels of maturity for IdM and SOA. Moreover, there is not enough interest or experience to classify the proper requirements and accountability mechanisms typical of an identity Cloud ecosystem structure. Identity and SOA cultures exist, but they are fragmented. In this case, with no CapEx to cover, saving money soon by moving to IDaaS seems highly attractive. However, cost saving alone is generally not the best reason to move to the Cloud, nor to subscribe to IDaaS contracts. The risk of moving ID to the Cloud is really high. Company C should ask:

– how IDs are provisioned, authenticated and managed (IdM, IAM);
– who retains control over ID policies and assets (SOA);
– how stringent the peer-to-peer security standards are (ID ecosystem);
– how and where data encryption and tokenization are employed (ID ecosystem);
– how and where federated identity policies are employed (for example: check whether they are regularly backed by strong and protected authentication practices) (SOA);
– what about availability, identity data protection and trust in third parties (ID ecosystem);
– how transparency into cloud operations is employed to ensure multi-tenancy and data isolation (IdM and ID ecosystem).

Could Company C provide the above answers before moving the ID to the Cloud? This essential information should be an asset for any company that decides to migrate to the Cloud. The prerequisites above are only a part of the full requirements subscribers should assert before acquiring Cloud ID services. No company can improvise a move to IDaaS: consequently, the possible choices for Company C may be the following:
1) starting from the low-risk ID On-premise model;
2) moving ID to the Cloud in any case, being aware of the risk, by trying to balance the IDaaS cost-saving (OpEx) benefit against Cloud environments that introduce transient chains of custody for sensitive enterprise data and applications.

Defining the Metric
The metric that best describes the above scenarios is based on products of exponential functions depending upon parameters that set the organization's maturity levels. In practice, the general mathematical relationship is the following:

[Risk formula – image not reproduced on this page; the equation itself is not available in the text]

Here is the meaning of the variables and indexes:
R is the Risk/Confidence value defining the maturity range for the IDaaS models described above;
Pc is the percentage of completion of each maturity range;
V is the variable corresponding to the magnitudes chosen to measure the maturity of the specified range. To calculate the level of IdM, SOA and Ecosystem maturity, two variables have been chosen: the project cost (Cm is the current cost and CM the estimated budget cost) and the project completion time (Tm is the current project time and TM the estimated project completion time);
N is the number of maturity ranges considered (IdM, SOA, Ecosystem, …).
Constraints: the exponential function is a pragmatic risk estimation based upon the concept of probability density. To compute the risk/confidence, no averaging technique is included: the maximum of the series of calculated risks has been preferred over statistical averaging models. The metric above requires the following constraint: at least three maturity ranges should be considered to estimate the best IDaaS model. They are: IdM, SOA and Ecosystem Framework. Further, the metric is extensible and flexible enough to consider more maturity ranges and, inside each one, more variables added to project costs and times. Finally, R (risk/confidence) is computed as the maximum value among the maturity series' risks. In practice, consider the following test rates:

IdM Maturity: Percent of completion 30%, Cm = 25.000,00 $, CM = 75.000,00 $, Tm = 6 months and TM = 24 months
SOA Maturity: Percent of completion 40%, Cm = 55.000,00 $, CM = 90.000,00 $, Tm = 8 months and TM = 24 months
Ecosystem Framework Maturity: Percent of completion 15%, Cm = 10.000,00 $, CM = 30.000,00 $, Tm = 2 months and TM = 6 months

The risk/confidence outcomes based upon the above values are the following, and the max value is:

[Risk formula outcome – image not reproduced on this page; the maximum risk/confidence value is 98%]

Could the company accept a risk of 98% in moving the ID system to the Cloud? What is the main pain point, looking at the maturity ranges and the risk rates? Which IDaaS model could moderate the risk and reduce the costs? The solution in the figure below might be a measured way to gain confidence and awareness before subscribing to an IDaaS contract.

Figure 4 – Snapshot based upon the above maturity rates and risk/confidence values


Companies could apply a systematic approach by adopting the gauge exploited above. The metric can help in deciding whether balancing risks and OpEx advantages is appropriate when subscribing to an IDaaS contract, with regard to security and business benefits. Looking at the cost saving for Company C, the cutbacks above could be modest (about 20% or less with respect to the actual CapEx), although the ROI would be faster. It depends upon the IDaaS strategy the Company decides to implement.



Disclaimer – This document is provided AS-IS for your informational purposes only. In no event will the contents of “A high-level IDaaS metric: if and when moving ID in the Cloud” be liable to any party for direct, indirect, special, incidental, economic (including lost business profits, business interruption, loss or damage of data, and the like) or consequential damages, without limitation, arising out of the use or inability to use this documentation, regardless of the form of action, whether in contract, tort (including negligence), breach of warranty, or otherwise, even if advised of the possibility of such damages. Specifically, any warranties are disclaimed, including, but not limited to, the express or implied warranties of merchantability, fitness for a particular purpose and non-infringement, regarding the use or performance of this document. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies/offices.

Media Brief: Canadian Cloud Success Story: BoardSuite and Tenzing Successfully Partnering for Mission Critical SaaS Hosting

Canada Cloud

An interview with Oscar A Jofre Jr., Founder, President and CEO BoardSuite

By Howard Oliver, What If What Next

Howard: Tell us about BoardSuite. and your involvement with it.

Oscar: BoardSuite (www.boardsuite.co) is a freemium on-demand board portal that allows organizations the ability to manage, organize and share their confidential corporate information in a secured environment. We confidently provide board members and advisors with access to their organization’s portal wherever they are, whenever they need it, securely and reliably.

As an on-demand, SaaS-based portal, BoardSuite is designed to protect an organization’s sensitive information at the board of directors’ level, while facilitating necessary workflow processes safely and securely, regardless of user location. The portal sends notifications and provides guidance on good governance in response to actions taken in the system by role-based permissions. As such, it is an invaluable tool for ensuring effective and transparent corporate governance.

As a board…


BYOD Executive Summary

BYOD (Bring Your Own Doctor) will explore the impact of ‘Personal Clouds’ on E-Healthcare, and the potential for this ongoing trend of the ‘Consumerization’ of IT for helping tackle big industry issues.

Faced with growing resource scarcity challenges, in particular the baby boomer retirement ticking bomb, Canadian Healthcare has the opportunity to pioneer world-class innovations in Healthcare to address these issues simply by harnessing what is already occurring. The proliferation of smartphones combined with the ubiquity of social networks like Facebook and LinkedIn means that individuals themselves have never been better equipped and able to use technology for sharing information.

BYOD will explore how these new trends and tools can be used today in Canadian Healthcare through the lens of the ideas of Eric Topol, a famous author in this field via books such as the Creative Destruction of Medicine. He describes the exploding use of smartphones for everything “Personal Cloud” in nature, i.e. ‘All information about me, on my device of choice’.

Example applications of these ‘Personal Cloud EMRs’ include ZenVault; other similar earlier work includes the Microsoft HealthVault service, and this presentation summarizes the key features and technical architectures of how the service is achieved.

The more personal control of personal data is as inevitable as it sounds, and when occurring hand in hand with the equally inevitable progress of online Identity systems, will see the approach also become far more streamlined and technically superior to traditional ‘offline’ approaches. Via open standards like OAuth and REST, the Cloud is becoming a smoothly integrated data sharing environment in a manner that internal corporate IT has always struggled to achieve.

When E-Health is discussed it’s often with the conclusion that a big part of the challenge is having GPs use record systems. They’re simply too busy treating patients to be concerned with the administrative record-keeping of it, and they’re also averse to new tools.

BYOD addresses this quite fundamentally, by simply empowering the user to do it for themselves. Who better and more motivated to keep their personal data up to date?

Instead GPs can be provided access to online tools that help them too – Google Apps for email for example to submit updates to the record via email, or social networks to help build online support communities for patient groups, among just a few of an infinite range of new and novel applications of the Cloud.

In short and in conclusion, the big part of the E-Healthcare challenge isn’t whether a GP can use a shiny new EMR but whether patients have access to GPs at all, and what they can do about it if they don’t. BYOD offers one shining light simply through more user empowerment and engagement and harnessing of market forces.

Unified Cloud Communications showcase for Ontario Province

We have now started a project to provide a white paper response to this request from the Province of Ontario.

They are looking for thought leadership on a range of topics headlined by their WAN (Wide Area Network) strategy, looking for insights on how best practices in this are changing due to Cloud Computing and other related developments.

Key topics include:

  • Telecomms modernization – Migrating legacy voice to VoIP
  • Core network – MPLS with meshed core, wireless WAN connections, RAS/VPN & firewalls
  • Procurement – A common contract model
  • Service Management – Service desk for incidents, release management

This is all to be applied to a landscape of 1,600 locations, 124,000 LAN ports, 500 boardroom video conference units, as well as a broader community of 444 municipalities and a multitude of colleges, universities, school boards, hospitals and community health centres.

These are pretty standard features of networking technology that have been around for a while, so the focus on where new innovations are relevant is conveyed through a couple of key points made in the RFP:

  • “A network of and a set of access services that will support initiatives such as UCC, cloud computing, data centre consolidation, mobility, etc.”
  • “A procurement strategy and operating model using industry best practices with respect to service acquisition, deployment and operations.”

The headline term I use to describe this field is ‘Unified Cloud Communications’, and we will be submitting our response as a CCN white paper that is also promoted widely, so it’s a great vendor promotional opportunity.

Contact me if you’re interested in contributing to this paper.

2013 – The Year of the (Trusted) Cloud

Every year has threatened to be “the year of the Cloud”, but my main prediction for 2013 IT industry developments will be that yes, this is the year that it cements its role as the most major of technology disruptions.

It’s hard for Cloud to be defined in such a delineated manner: it has been underway as a technology trend for many years, there is a wide spectrum of categories of what’s involved, all of which are continually evolving, and customer adoption has also been underway for many, to various extents.

So it’s already been the Cloud for quite some time and so a bit late to make it the Year Of.

Probably the best context is Crossing the Chasm terms, where we can be thought of as still being in the Early Adopter phase of the cycle, while it is a large-scale, slow moving process.

Hence it could be considered The Year of the Cloud when we cross this chasm, when the mass market moves to also migrate the bulk of their IT systems. This scale of shift is what drives the analysts to start describing the many-billion-dollar growth markets, and despite the various technical challenges we see now, ultimately the trend is inevitable and so it’s an investor’s paradise, really.

As Telus described in this news release last year, the primary concern users have about the Cloud is data security and compliance, and so we can see that addressing this is the principal requirement for this large-scale adoption.

So in short with this being a key area of the Cloud industry that will mature in 2013, combined with an already general ongoing acceptance and steady adoption, there will be an explosive accelerating effect that will propel progress across the chasm.

An irrefutable capability to assure that Cloud environments meet regulatory compliance needs will provide the foundation that makes 2013 The Year of the Trusted Cloud.

For a more detailed discussion of this topic, check out our latest TRANSFORM e-magazine, which explores these Cloud Security best practices in detail, and how they might be applied to high-growth sectors like E-Health.

Anatomy of the Cloud Management Tools ecosystem

Recently I’ve been helping review startups in the Cloud Management Tools category, and my main advice was that this is a broad sector and so focus needs to be sharpened to a granular level of specific niches within the overall space.

A good introduction to this broad base is conveyed in this Network World article – 16 of the Most Useful Cloud Management Tools.

They describe a growing ecosystem of players across a number of main capability areas:

  • Provisioning and automation
  • Enterprise Cloud Management
  • Cloud Metrics and Cost Optimization
  • Application Transformation & Migration
  • Cloud Service Brokerage

Provisioning and automation

The principal function of automating deployment of apps to Cloud providers is met by Cloud industry stalwarts like RightScale through to distributed computing experts GigaSpaces.

Options like enStratus also add security controls like Key Management. See the relevance of this here.

Puppet Labs provides this type of automation and specializes in automating the developer lifecycle and thus ‘DevOps’.

Enterprise Cloud Management

A critical battleground will be where these new options meet with the existing incumbent supplier base that currently services the traditional IT management field, vendors such as BMC, Computer Associates, HP, IBM and VMware.

The biggest Cloud consideration for CIOs is how they adapt and address their sunk-cost legacy estate and so this is a critical decision-making zone.

Cloud Metrics and Cost Optimization

A very popular and fast-moving segment is the suite of startups catering for all aspects of managing your Cloud, covering functions like forecasting and planning, cost tracking, optimization analysis and chargebacks.

For example, Israeli startup Newvem collects data from customers’ use of Amazon and comes up with plans to utilize the service more efficiently.

Cloudability does so across multiple providers and offers an API for interfacing to existing management systems, Cloudyn offers a reserved instance calculator and Cloud Cruiser is enabling IT organizations to implement an internal chargeback billing model.

Application Migration Management

Especially for legacy systems the process of actually getting the application into the Cloud service can be challenging, and there are many aspects to this too, ranging from surrounding applications in virtual “containers” to re-writing software to use Cloud portability extensions like JClouds.

Cloud Service Brokerage

The conclusion to the increased portability of applications and a granular billing environment for their use is a widespread rise of Cloud Service Brokers.

For example Gravitant is a startup in this area who provides all of these Cloud Management Tool functions, as well as an e-marketplace system for automating procurement across multiple Cloud suppliers.

Cloud Management Tools – Programming your ‘Cloud OS’

As Michael O’Neill writes here, a quickly brewing sector of the Cloud market is ‘Cloud Management Tools’ (CMT) – technologies that help you plan for and manage your use of Cloud services.

It’s a hot sector because it spans a number of dimensions of Cloud adoption, such as the link Michael provides, tracking your Amazon costs.

There will indeed be growth of an ecosystem of different tools, catering for the end to end process of migrating to the Cloud, such as estimating, forecasting and simulating costs, migrating legacy apps and so forth. Start-ups like Gravitant recently netted $3.8m in VC for their platform that offers this functionality as part of a Cloud Service Brokerage.

Their Cloud Matrix platform is an example of a suite of CMT, offering a catalogue framework for organizing virtualized resources into self-service menus and other automations.

Planning your Cloud OS

Migrating to the Cloud represents a de-coupling of your business systems software from the legacy and proprietary hardware that it used to run on, with the Cloud layers of IaaS, PaaS and SaaS offering the means to plan a more logically separated IT environment.

Your CMT platform will also play a key role in the most critical aspect of Cloud computing architecture: Portability and interoperability. Being able to ‘shop and ship’ your IT workload back and forth across Cloud providers as economics and availability needs dictate.

Thus although IaaS is part of the same overall Cloud, you will actually be migrating and deploying your apps to the PaaS layer, acting like a “Cloud OS” to abstract your application from the details of this underlying layer.

This includes contractually too – Buying a 24 month contract is ‘hard-wiring’ your service design in the same way buying a fixed number of physical servers does.

Instead the future of IT is about empowering IT and business users with dashboards for ‘click and build’ control over IT resources as they need them, that is powered by a middleware that automates procurement of the services from across multiple Cloud providers.

CMT – Canada Cloud Roadmap

The objective of showcasing these different categories of the Cloud industry is to help accelerate innovation in those areas. As Gravitant demonstrates the field attracts significant investor interest.

Therefore we will be updating the Canada Cloud Roadmap with this major category and begin development of further expertise in this area as a means of supporting more new start-ups in this track.

RFI = Request for Innovation

In procurement terms RFI usually stands for Request for Information, an initial stage before a full RFP (Request for Proposal) is published.

But, what if instead it stood for “Request for Innovation”?

What if governments published specifications for new innovations in the same way they expressed intents to buy?

Procurement Commercialization

Well actually they do, and this forms the basis of our ‘Procurement Commercialization’ practice.

The light bulb moment for me occurred while reading an RFP and I saw that not only did they state a specific requirement for an immediate purchase but they also asked for inputs on longer term future direction too, inputs that could directly be used for designing new products and services, that didn’t yet exist.

In short, they were embedding Request for Innovation into an RFP.

Then as I researched this field further I found that using procurement this way, to drive new innovations, was a new science already underway, most notably ‘Forward Commitment Procurement’.

So with our goal of building a world-leading Cloud Computing industry I realized that the prime materials needed to achieve this already existed – In the RFPs being published by the Canadian Government for their various IT needs.

Read more here in Procurement Commercialization.

UMA Personal Clouds and the X Internet

A popular spot where the Cloud and Identity domains intersect is the idea of “Personal Clouds”, which would be ideal services to build via a concept of the ‘X Internet’.

With open standards like SAML providing the building blocks of interconnecting identity systems between applications, then those applications will be better enabled to exchange this personal data.

This will power a revolution in online e-business models – For example your grocery provider could sell you online loans and mortgages, underwritten by your bank providing them your salary details via an online web service query.

The key factors are of course Privacy, but more specifically Consent. Technically it’s not difficult for the banks to provide data like this; they’ve been doing it for decades to ATM machines et al.

In this scenario the challenge is the wild west of the Internet, but it can be tamed to some degree through the adoption of shared authentication systems, and then shared consent flows too, like agreeing to allow your bank data to flow.

An open initiative focused on this level of information design includes the UMA group at Kantara, which is defining these types of exchange mechanisms.

As described here in this UMA use case, a scenario of Personal Clouds is based on the abstraction of a federated identity system of ‘Relying Parties’ and other actors, to a level where they are owned and operated by the individual.

In short your cell phone could be your ‘Identity Provider’ (IdP) and respond to data requests about you, fuelling a general explosion of the Internet and apps across an ever-expanding universe of smart phones, laptops, TVs and more.

This represents a distributed computing evolution of the Cloud, with data and privacy equally abstracted – Aka, the “Internet of Things” or from another perspective the X Internet.

PACR : GovCloud Audit framework for the Public Sector

PACR is the name for a new OASIS group we are helping start, standing for Public Administration Cloud Requirements, aka ‘Government Cloud Computing’.

The need for this framework can be seen in a number of government procurement areas, the idea is to help others re-create the ‘G-Cloud’ type model implemented in the UK.

In the case of the E-Health Cloud strategy for Canada, on page 45 they note:

“It is important to note that health care specific cloud requirements and standards have yet to be developed, but could potentially be leveraged from other industries.”

This is the purpose of the PACR group, to provide a single point for accessing this collection of resources. You can read more about the project agenda here and the work items that will be produced.

For the E-Health Cloud document this is one part of the major section 8 – Privacy and Security Concerns and Considerations, and encompasses aspects such as:

  • Cloud Sourcing – Using standardized GovCloud reference models like ‘Private Cloud’ or ‘Public Cloud’ to specify the appropriate Cloud configurations.
  • Industry reference documents, such as the Cloud Controls Matrix from the Cloud Security Alliance, to ensure best practices for security are applied.
  • Due diligence of Cloud Providers – Governments need a standard way to assess Cloud providers and rate them against their information security requirements.
  • Location of PHI (Personal Health Information).
  • Risk Management Frameworks and Transparency – The report recommends that Cloud buyers should consider the development of a formal risk management framework specific to cloud computing environments.

This framework and its associated tools and methodologies can be used as part of the initial cloud provider due diligence and subsequent monitoring and compliance process.