If you work in IT, you’ll have heard of such terms as SaaS, PaaS and IaaS (Software-as-a-Service, Platform-as-a-Service and Infrastructure-as-a-Service). The common factor for these three is that they are all cloud services: unlike on-premises services, you do not have to install the software on your servers. Instead, a cloud vendor such as Amazon Web Services, Microsoft Azure or Google Cloud will provide the facility to run the service. In this blog, I explain the differences between cloud and on-premises services, and how to decide which is best for your organisation, with a focus on Ubisecure’s IAM (Identity and Access Management) solution (available in the cloud and on-premises, as well as a hybrid combination of the two).
Understanding “as-a-Service” models
To explain simply what the different cloud service types are, how they differ from traditional on-premises services and from each other, we can use the analogy of Pizza as a Service. This method was first introduced by Enterprise Architect, Aaron Barron. Then Paul Kerrison further developed the idea, modified the components and added CaaS and FaaS (Container-as-a-Service and Function-as-a-Service) to his concept of Pizza as a Service 2.0.
When preparing pizza, you always have the choice to prepare everything yourself. In this case, you buy all the ingredients from the grocery store to make and bake the pizza at home, using your kitchen utensils and oven. You can invite your friends to your place, serve beverages and the homemade pizza and have a conversation with your guests. In IT, this would be the equivalent of on-premises software deployment, where you own the hardware (electric or gas); on top of which you build the necessary virtualisation environment (oven); which runs the operating system/‘OS’ (fire or heat). On top of the OS, you can execute the software (runtime is when software is running and this is equivalent to the actual pizza in our example).
Scaling is one of the most useful features of cloud services. It allows IT administrators to dynamically adjust the environment according to growing or decreasing demands by, for example, increasing the CPU power or lowering the memory resources of the servers (sometimes one drink is enough but on other occasions, you fancy more). And finally, the software has a set of functions (friends) that can be configured (conversation with friends).
As you can see from the diagram above, each aaS (as-a-Service) level utilises a different amount of resources from the cloud infrastructure. You (as an online service provider) can decide at which level you need and want to own, operate and maintain the environment where your services are being hosted.
IDaaS – IAM in the Cloud
Ubisecure IDaaS (Identity-as-a-Service) is a SaaS Identity and Access Management (IAM) solution. In other words, it is Ubisecure’s Identity Platform deployed as a turnkey, managed solution in the cloud. You can connect your applications to IDaaS in a fast, easy implementation, with only minor configurations. It offers core identity capabilities such as customer registration, login with MFA (multi-factor authentication), SSO (single sign-on), self-service account management – and more specialised identity capabilities like delegated user management.
Ubisecure IDaaS is available as public cloud IDaaS or private cloud IDaaS. With private cloud IDaaS, the whole cloud environment is dedicated to one online service provider (your organisation) and can include practically all the same features as an on-premises deployment. Public cloud IDaaS is a shared multi-tenant instance environment, with a core set of features and workflows from which clients can choose the best options for their environment.
Public cloud IDaaS is the fastest to deploy and most cost-effective identity solution. However, from the flexibility and customisation point of view, private cloud IDaaS can offer more variety in comparison to the public cloud solution. Ultimately, whichever you choose to start with – public cloud IDaaS, private cloud IDaaS (or on-premises) – will be based on your organisation’s requirements and regulatory context. Ubisecure has years of experience advising on the various deployments, so can help you figure out which is best for your organisation.
IAM Deployment – Cloud vs On-Premises
Easy and fast deployment is one of the biggest reasons that cloud services are ever-growing in popularity. Conversely, in the case of on-premises deployment, you need to provide the computers and somebody has to install the software on them. This can take a long time, especially in a clustered environment with HA or HP (High Availability or High-Performance environment with redundant nodes for disaster recovery and performance reasons).
Our on-premises software can be deployed by a partner from Ubisecure’s network of trained SIs (System Integrators), who have training and experience on how to install, configure, maintain and support Ubisecure’s Identity Platform. You can choose a partner from small and agile organisations, to big international players with considerable resources and the capability to provide 24/7 technical support. Some will also have local and vertical specialisms. Each one of these Ubisecure SI partners is certified to help you to operate your IAM solution in the way that’s right for you.
For IDaaS, the preparation of the infrastructure and the installation of the actual Identity Platform software is provided by Ubisecure. This simplifies the deployment work, allowing faster and frictionless implementation of an IAM system for your online services. In the case of private cloud IDaaS, an SI usually handles the actual Identity Platform configuration and maintenance work. Public cloud IDaaS is completely hosted by Ubisecure, including the configuration and maintenance, which further simplifies the solution.
Ubisecure also offer hybrid IAM deployments, placing the majority of the IAM features in the cloud and connecting to an on-premises IdP (user directory). Find out more about when/why hybrid IAM deployments may be used.
Which one should we choose – on-premises or IDaaS?
Now we know that from the scalability and deployment point of view, IDaaS offers an attractive option to implement an IAM system, but there are other points to consider as well. Let’s take a look at some of the considerations you might want to take into account before choosing which deployment model would suit you best.
IDaaS provides great flexibility and scalability – common for cloud services. It is an agile solution that adjusts quickly to your current needs, saving time and money as you pay only for what you use.
On the other hand, an on-premises solution allows more customisation capabilities than IDaaS. It allows you to modify the environment to your preference, for example by utilising java scripting etc.
IDaaS has a very predictable cost structure. You pay a monthly operating expense (OpEx) that includes everything from the servers and software, to IT maintenance and support. Initial capital expenditure (CapEx) is not required.
An on-premises solution requires up-front costs for the hardware and software licences, electricity bills, rent of the server room, maintenance and IT support costs. However, for some businesses, this on-premises arrangement is worth the additional up-front costs, as the monthly costs that would accumulate from IDaaS over time would increase the TCO (Total Cost of Ownership).
Which is more cost-effective/manageable will depend on your specific environment.
On-premises solutions are often said to be safer than cloud solutions. While this can be true for some solutions (the highest level security measures require a certain level of resources to implement, which are not necessarily available to all organisations), it is important to realise that cloud service providers (like Ubisecure) ensure extremely robust high-security measures. In addition, IDaaS is fully managed with a high availability system, with stand-by nodes for failure situations.
IDaaS is a hosted service, which means that you don’t need to worry about the maintenance and compatibility of the environment, or upgrades and possible patches of the software. As your IDaaS provider, Ubisecure takes care of all of this for you. In this way, you always have the latest version with all the new features available to you.
Ubisecure SI partners take care of the upgrades for on-premises Identity Platform users. This should be scheduled and planned separately case by case, as it requires time and resources.
On-premises customers have full control over the data, hardware and software and can decide on all configurations, upgrades and system changes. They do not have to rely on any external factors, such as internet connectivity, to get access to the system.
Ubisecure IDaaS uses Amazon Web Services as the cloud provider. With IDaaS, you can choose the geo-location within Europe for where to store and process your data.
The main difference between an on-premises and an IDaaS Identity Platform solution is the location where it resides – in your data centre or in the cloud. Generally, cloud services have been gaining popularity over on-premises solutions for quite some time already. It has been predicted that IDaaS will be the chosen deployment option for more than 80 per cent of new IAM purchases globally by 2022 (source: Gartner Magic Quadrant for Access Management, August 2019).
However, there are still online service providers that prefer an on-premises solution, such as banks who have the necessary resources to implement their own highest-level security procedures to protect their customers’ personal information. Also, an on-premises solution might be your choice if you value certain customisation options, high control of your data and lower long-term TCO.
Ubisecure can help you look at your options and decide which is better for your specific organisation’s context. Get in touch.