Hybrid IT wave creates opportunities for MSSPs, Part 2: Identity and access management

Up to this point, managed security service providers (MSSPs) have focused their services on the traditional enterprise infrastructure. While it is not uncommon for MSSPs to extend existing services to protect cloud data and services, most are still missing opportunities to address enterprise security needs in a hybrid IT environment.

This is part 2 in our 'Hybrid IT opportunities for MSSPs' series. In part 1, we discussed the need for MSSPs to be integrated into an organization's daily processes to help steer its overall security posture – at least in relation to the services provided. We also discussed the need for MSSPs to maximize automation, intelligence and orchestration to combat the cyber-skills shortage, deliver customized services, address the complexity of information security tasks, and provide scalability and efficiency.

Over the next several installments of this series, we will highlight some specific opportunities where MSSPs can generate more revenue and add value to their trusted partner relationships with customers, starting with identity and access management (IAM).

The 451 Take

The goal of IAM is to give the right user the right access at the right time. While the technology and controls have been around for a while, some would argue that IAM's day has come and gone. We feel this is not dissimilar from what happened with data loss prevention when it first came out, or even ERP systems, smartphones, or electric cars. All of these were great ideas, but either the markets or the technologies weren't ready when they were first released. However, now each has hit its stride, or is in the process of doing so. Regardless, we continue to see organizations struggle here. For that reason, service providers have an opportunity to bring in a new wave of development and service offerings to help organizations put this problem to bed. IAM can be tricky, no doubt, but this underscores the opportunity.

Information security professionals and executives from a wide variety of industries and company sizes recently took part in our Voice of the Enterprise: Information Security, Workloads and Key Projects study. Our research team asked: "What information security threat do you think is inadequately covered today by your organization?" The most common response was that organizations believed they were inadequately equipped to prevent or detect insider espionage.

That response was followed by concerns over hackers with malicious intent, compliance, cyber-warfare and, finally, deficiencies discovered by internal audits. When considered broadly, each of these fears has roots, whether directly or indirectly, in how access is managed. These organizations lack the ability to fully know who did what, when, and with what data – clear deficiencies in access controls, auditing and the monitoring of data access.

Given that organizations are concerned about unauthorized access, whether through misuse of employee credentials and improper access controls, or hijacking of accounts and malicious insiders, the question is: how is the changing landscape of IT affecting this, and what opportunities does this present to service providers?

Hybrid IT is an approach that purposefully and deliberately utilizes a combination of internal and external services, blending the best of flexible cloud-based platforms and services with on-premises traditional IT, to respond faster to the needs of the business and to minimize costs.

These highly diverse environments require comprehensive and granular access controls, and these controls should be consistent throughout. We will first address the complexities involved in access management, then take a look at potential solutions that providers can offer for these problems.

Complexities of managing access

Assigning the right people to the right level of access at the right time sounds like a simple task, but organizations in every industry and of every size struggle with identity and access control.

Identity and access control is a fundamental building block of almost any defense-in-depth security program, and organizations are realizing that the halfhearted attention given to it in the past is creating significant risk for the enterprise. This is where the first complexity lies: existing directory services inside the enterprise are a mess. Any attempt to integrate with a cloud platform, or anything else, will therefore need to be front-ended by some sort of cleanup exercise.

The mess itself is not necessarily a reflection on the organization, so much as it is a symptom of the challenges associated with access control. For example, every organization has various types of users that need different levels of access, including internal users, contractors and partners. Not only must user access levels be managed, but the classification levels of every resource (data, applications, APIs, networks, etc.) must also be determined and managed.

Also, the enterprise is continually changing – users are hired or terminated, or change roles, or new data is created – all of which requires diligent management to avoid users receiving more rights than needed to perform their job, or resources being made available to unintended users. The reverse can also be true, when users legitimately need access to resources but controls prevent it. This all speaks to the fact that the process of managing access must be ongoing, rather than coming from a 'one and done' mindset.

Hybrid IT – with its always-on nature, available to users whenever and wherever they want, and delivered from multiple platforms – introduces additional challenges. In a world where resources can be created, moved and destroyed rapidly, it can be daunting to maintain a valid inventory of which resources need to be secured.

Furthermore, the tools for defining and controlling access in the cloud are generally different from those on-premises, and manually managing user identities across all those platforms can be challenging at best. Doing so requires knowledge – not only of the access controls and the underlying schema of who should have access to what, but also of the individual cloud systems, to ensure that access is consistent throughout the stack. Outside expertise could be a huge help here.

Identity and access management as a service (IAMaaS) is relatively new compared to other as-a-service offerings. As a result, the delivery model varies greatly among the few providers that offer such services today. Providers looking to add IAMaaS to their portfolio have an opportunity to create distinctive offerings and build unique intellectual property in this area.

Opportunities for service providers range from professional services to stand-alone products and new technology. While not exhaustive, the list below is intended to give security providers an understanding of the opportunities with IAMaaS, and where it might fit into existing service portfolios.

  • Professional services. Most organizations need help with the fundamentals of access control – ensuring that proper, unified (on-premises and in the cloud) access processes exist, that access levels are documented and understood, and that resources are correctly identified and classified. Service providers report they often find existing directory services, such as Active Directory or LDAP, configured improperly and unable to integrate successfully with any type of identity federation service. This creates an opportunity for additional services and expertise to repair or modernize. These cleanup operations can be time-consuming, so an initial review with the customer is wise, to properly determine the scope of work necessary for success.

  • Managed services. The delivery of IAM as a managed service is taking on various shapes and flavors. While some providers' offerings in this area are as simple as single sign-on services, others are focused on pieces like network access control – controlling devices' access to network resources. That said, we see an opportunity for service providers to offer robust IAM service products that include more components of IAM, such as automated provisioning; lifecycle management for users, roles and resources; web-based user self-service; delegated administration; request workflows; and auditing and reporting – all of which can be utilized in both cloud environments (IaaS, SaaS, etc.) and traditional IT environments. Pair these with the above-mentioned professional services, and organizations will have a one-stop shop for access control.

  • Other opportunities. These include application access lifecycle management, mobile access management, robust and dynamic access policies, multi-factor authentication, and identity federation. A few providers have extended access controls all the way down to the physical level, integrating buildings and rooms with virtual resource access controls, which could create a new dynamic for IAMaaS as well.

  • Existing 'off the shelf' products. These products, architected for service provider environments, are in short supply. Providers with development skills and resources have an opportunity to create IAM packages to enable other MSSPs, or to use internally to distinguish their managed security services in the marketplace. This could be of great benefit to enterprises globally, but admittedly it's the long game.
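The lifecycle problem described above (joiners, movers and leavers accumulating or lacking rights) and the auditing and reporting component of a managed IAM service both come down to the same reconciliation: compare what HR says a person is against what the directory actually grants. The script below is an added illustration for this report, not code from 451 Research or from any provider it mentions. The HR roster, directory export and role-to-group baseline are constructed sample data, and the role names and group names are assumptions; a real deployment would feed it from an HR system and an Active Directory or LDAP export.

```python
"""Joiner/mover/leaver reconciliation for an access review.

Compares an HR roster against a directory export and a role-based
entitlement baseline, reporting leaver gaps (enabled accounts with no
active owner) and entitlement drift (movers who kept old groups, or
users missing groups their role requires).

All data below is constructed for illustration; no real identities.
"""

# Assumed role baseline: the groups each role is supposed to carry.
ROLE_BASELINE = {
    "engineer": {"vpn-users", "git-developers"},
    "finance": {"vpn-users", "erp-finance"},
    "contractor": {"git-developers"},
}

# Constructed HR roster: employee id -> (status, current role).
HR_ROSTER = {
    "E001": ("active", "engineer"),
    "E002": ("terminated", "finance"),     # leaver
    "E003": ("active", "finance"),         # mover: was an engineer
    "E004": ("active", "contractor"),
    "E005": ("active", "engineer"),        # joiner, partly provisioned
}

# Constructed directory export: account -> (employee id, enabled, groups).
DIRECTORY = {
    "alice": ("E001", True, {"vpn-users", "git-developers"}),
    "bob": ("E002", True, {"vpn-users", "erp-finance"}),       # still enabled
    "carol": ("E003", True, {"vpn-users", "erp-finance", "git-developers"}),
    "dave": ("E004", True, {"git-developers", "vpn-users"}),   # extra VPN
    "frank": ("E005", True, {"vpn-users"}),                    # missing a group
    "svc-backup": (None, True, {"erp-finance"}),               # no HR owner
    "old-admin": ("E002", False, {"erp-finance"}),             # already disabled
}


def _active_role(roster, emp_id):
    """Return the role of an active employee, or None if unknown/terminated."""
    if emp_id is None:
        return None
    record = roster.get(emp_id)
    if record is None or record[0] != "active":
        return None
    return record[1]


def orphaned_accounts(directory, roster):
    """Enabled accounts whose owner is terminated or unknown to HR.

    These are the leaver gaps: access that should have been revoked.
    """
    return sorted(
        account
        for account, (emp_id, enabled, _groups) in directory.items()
        if enabled and _active_role(roster, emp_id) is None
    )


def entitlement_drift(directory, roster, baseline):
    """For each enabled account with an active owner, report groups beyond
    the role baseline (excess: the mover problem) and baseline groups not
    granted (missing: the legitimate-but-blocked case).
    """
    drift = {}
    for account, (emp_id, enabled, groups) in sorted(directory.items()):
        role = _active_role(roster, emp_id)
        if not enabled or role is None:
            continue
        expected = baseline.get(role, set())
        excess = sorted(groups - expected)
        missing = sorted(expected - groups)
        if excess or missing:
            drift[account] = {"role": role, "excess": excess, "missing": missing}
    return drift


def access_review(directory=DIRECTORY, roster=HR_ROSTER, baseline=ROLE_BASELINE):
    """Produce the review report a reporting component would hand to the customer."""
    return {
        "orphaned": orphaned_accounts(directory, roster),
        "drift": entitlement_drift(directory, roster, baseline),
    }


if __name__ == "__main__":
    report = access_review()
    print("Orphaned (enabled, no active owner):", report["orphaned"])
    for account, finding in report["drift"].items():
        print(f"{account} ({finding['role']}): excess={finding['excess']} "
              f"missing={finding['missing']}")
```

Run on the sample data, the review flags `bob` and `svc-backup` as orphaned, `carol` and `dave` for excess groups, and `frank` for a missing group; the disabled `old-admin` account is ignored because disabling is the revocation the review is looking for. Running the same reconciliation on a schedule, rather than once, is what turns this from a cleanup exercise into the ongoing process the report calls for.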

IAM is about protecting the organization's riskiest assets – its people. Unfortunately (or fortunately for security service providers), most enterprises are struggling with identity management and access control – especially in multi-cloud or hybrid IT environments – providing MSSPs with opportunities to deliver a valued service that also has a high ROI for both the customer and the service provider.

Aaron Sherrill

Senior Analyst

Dan Thompson

Senior Analyst
