Educause Security Discussion mailing list archives

Re: IAM solution - cloud-based?


From: "Ben Singh (OculusIT)" <ben_singh () OCULUSIT COM>
Date: Wed, 26 Jun 2019 22:13:22 +0000

Jared,
Do you have a DIA with redundant links that have different upstream providers?
If not, if your non-redundant link is down, your cloud-IAM will be down for campus users and services that local 
datacenter services depend on will also be down.


  1.  Get more than 99.9% uptime commitment from cloud-IAM providers. I would target 99.999% and back down to 99.99%. 
      (The problem is that AWS or similar usually only commits to 99.9%.)
  2.  Make sure you have as much network redundancy as possible to AWS VPCs or similar.

Just because it is an on-prem solution doesn’t mean it is better from an availability standpoint. Risks for on-prem are 
datacenter (network (load balancers, firewalls, routers, switches), server, virtualization, OS, storage, etc.) 
availability.

Many legacy IAM vendors are quickly trying to rearchitect/rebuild their products from on-premise to multi-tenant cloud 
solutions.

Generally, we would recommend a cloud-based IAM solution with some redundancy risk analysis. There are only a few 
exceptions where we have recommended an on-premise solution. Those exceptions include when a college is in a remote, 
poorly connected location with no network redundancy (such as a remote island). Please connect with me if you want a 
comparison or recommendation from our experiences with various vendors in this space.

Ben Singh
Higher Ed IT Architect
OculusIT

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jared Evans
Sent: Wednesday, June 26, 2019 2:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IAM solution - cloud-based?

Hello all,

I am wondering if anyone has their Identity and Access Management instance running exclusively in the cloud.  This is a 
critical piece of infrastructure maintaining the level of access users have to various resources.  What has your 
experience been when there are Internet connectivity issues, either a full or partial outage?  Is this a type of 
functional service that's better off being on-premises?

--
Jared Evans
Information Security Officer
Gallaudet Technology Services
Gallaudet University
jared.evans () gallaudet edu
