"The cost and complexity involved in deploying strong authentication solutions in-house, combined with the elongated time to value, make a managed or cloud service model very appealing," says Frank Villavicencio, executive vice president for Identropy.
While AaaS offers up all the traditional SaaS benefits of scalability and outsourced expertise, the drivers for AaaS go beyond the bottom line, says Jim Reno, security architect and distinguished engineer for CA Technologies.
"As the community of users for applications and data expands to include customers and partners, and as cloud service use grows, AaaS gives enterprises the ability to more easily manage the wider and more diverse communities of users that are now a standard part of doing business," Reno says. "For example, users from partner organizations are more effectively managed in a cloud service than brought into internal systems. The service allows capacity to increase as needed, and allows management of those users by designated administrators in the partner organization. "
That's exactly the scenario that has led the Department of Homeland Security (DHS) to implement AaaS within 70 different applications. DHS CIO Richard Spires this month updated Congress on the department's progress in cloud deployments. He told the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technology that AaaS has helped bridge the gap of authentication for both federal employees and contractors needing to tap into DHS applications. Currently DHS authenticates 250,000 federal employees and contractors using AaaS.
AaaS not only offers security and operational benefits, but it can also provide a differentiating edge for sensitive customer-facing systems, experts say.
"There also is an element of service differentiation and branding," says Ray Wizbowski, vice president of strategic marketing for the Security Business Unit at Gemalto. "Cloud-based applications want to be seen as a secure service, and leveraging an authentication service allows their users to experience the security with a branded token/app at every login."
This can be huge in verticals such as financial services and retail, where perceived trust is critical.
"Authentication processes directly influence consumers' perception of trust, especially in areas like online banking and retail," says Roman Yudkin, CTO at Confident Technologies. "The authentication process is often the aspect of security that is most visible to users.
As authentication methods change, AaaS also provides a smoother upgrade path to keep up with the latest attack trends. Many on-premise systems have suffered from obsolescence, but are too expensive and too ingrained in the IT fabric to upgrade quickly. That changes when moving to a services setup.
"Consumer sites like Google, which have introduced two-factor authentication using SMS, are great examples of using the new cloud platform to roll out huge capabilities nearly overnight. Google Apps supported two-factor using SMS, and suddenly 100 million people have an alternative to passwords," says Eric Olden, CEO of Symplified. "That's a great example of the power of the cloud versus legacy strong authentication like RSA."
But like any new deployment model, AaaS is not without its challenges. One of the difficulties Olden sees customers face is believing that services such as single sign-on (SSO) AaaS will offer an easy shortcut to securing identities in the cloud. Not so, he says, explaining that all the fundamentals stay the same.
"Too many people think SSO is the answer when, in reality, SSO is not security -- it's convenience. Companies that have made the cloud a central part of their IT infrastructure realize there are no shortcuts to security and trust in the cloud," he says. "They understand that they need a centralized identity and access management foundation for the cloud that provides classic fundamentals. [They need] AAAA: strong authentication, access control policy, auditing visibility, and administration of provisioning. We see far too many people ask for a SSO solution when instead they should be asking how to have a trusted cloud platform, starting with authentication and access control and auditing."
As organizations move down the AaaS maturity scale and continue to support cloud deployments, what they could find is that they need identity and access management (IAM) delivered as a service, not just straight authentication.
"As cloud computing evolves, a model of identity is required that does not depend on a single centralized user store or administrative domain. This is IAM-as-a-service, and it is a necessary step in the development of cloud computing," Reno says. "Not just enterprises, but cloud service providers will look to support users coming from other systems and being managed in different ways. So we see a big future for both public and private IAM service offerings."