Once upon a time, ordering software would involve a physical delivery with a manual setup and availability on designated machines. The rise of cloud technology changed all that, with subscription-based SaaS growing 300% during 2012–2018.
This shift in business model, from owning software to renting it, also meant a change in provisioning. Instead of relying on internal resources and expertise, organizations could simply tap into their external partners and providers. The SaaS expansion has continued to accelerate through 2024, with a projected 20% growth in spending ”driven by applications being modernized by independent software vendors to run in a SaaS-based consumption model.”
Alongside the expansion in business environments is a similar expansion in attack surface. SaaS users, from employees to entities, require access from beyond the traditional security perimeter. What’s more, the increase in applications also means a rise in logins and passwords. This means a growing risk of password fatigue, contributing to the 78% of surveyed Americans reusing passwords across multiple applications. Meanwhile, the likes of Deloitte highlight how “managing cyber risk has never been more challenging,” with abuse of credentials accounting for 44.7% of data breaches in 2023.
With SaaS continuing to grow at pace, organizations must look for ways to maintain security while allowing access. IAM can be the solution, so what’s holding things back?
SaaS growth: Why IAM is lagging behind
While many business functions have embraced SaaS, cybersecurity with IAM has been lagging behind.
One key reason for this was the cost of migration: replacing existing solutions is always expensive, and integration with existing systems has always posed interoperability challenges. This is doubly true for technology that’s the heart of enterprise IT: the identity governance, the directory, the access management – keeping AD can often seem like the simplest option.
Another reason was the pace of innovation in IAM: with cybersecurity threats evolving at breakneck speeds, vendors stepped up to the plate and aggressively innovated in IGA, PAM and access management. In other markets, new SaaS startups brought incredible R&D firepower to unseat the on-premises incumbents. Meanwhile, in cybersecurity (and IAM in particular), the pace of innovation was much more even between SaaS and on-prem solutions, the impasse leading to a preference for the status quo – and a remarkably strong showing for on-prem technologies to this day.
But now the gap between what’s doable on-premises and in SaaS is wide enough that every vendor needs to reinvent the service to their customers. The cloud technologies underpinning SaaS solutions are more flexible, resilient and effective than what on-prem has to offer, while the subscription-based business model is more attractive than ever.
The challenges for traditional IAM in a SaaS-first world
The average employee reportedly uses 10 different apps every day. That’s a lot of time and effort spent on creating and remembering login details. Risks rise when that employee is a senior executive with elevated privileges. Without close monitoring, the business is vulnerable to cases of password compromise. To compound the vulnerabilities, many traditional IAM frameworks aren’t built or optimized for today’s cloud-first world. Businesses end up using different tools to manage separate lifecycles, policies and processes. Workers and entities regularly log in remotely, using identities across hybrid environments. The resulting silos and inconsistencies leave vulnerabilities for threat actors to exploit – especially because “most organizations adopt cloud computing in a haphazard way – a few SaaS applications, a few workloads in IaaS.”
Shadow IT is another risk. While subscription-based platforms offer many efficiencies, it’s also easy for users to sign up for a free trial of an unsanctioned service. Without downloading a program and triggering a request for admin privileges, it takes only a few clicks to upload potentially sensitive information to cloud-based systems.
This non-standardized and inconsistent approach clearly limits scalability and governance while simultaneously presenting risks to the business. However, with the right IAM as SaaS solution, organizations can thrive and harness the many technological and operational benefits available.
Technology-led benefits of SaaS
Speed and agility are two obvious changes from those distant days of physically ordering software. Let’s explore some of the areas where gains can be found.
Automated technology
As businesses scale, workflows are needed to maintain efficiencies within the core stack. Of course, when managing enterprise levels of complexity, there are multiple challenges around integration, visibility and security. But when implemented correctly, intelligent automation has been found to “achieve a typical cost saving of 32%.” IAM can show who has access to what, when and why – freeing up resources that would normally be spent on traditional service desk-based controls. What’s more, by automating IAM processes, there’s less risk of error from manual data input.
Faster and more secure access
Organizations can offer access to resources at the right time with IAM. Approvals can be granted based on verified identity with security hardened through multi-factor authentication. Rather than relying on usernames and passwords, users benefit from a more streamlined experience, simply needing to produce something that they ‘know,’ that they ‘have’ in their possession or that they physically ‘are.’
Continuous updates
SaaS means already-stretched IT service desk teams don’t have to manually complete upgrades. Any patches can be rolled out centrally at a time that minimizes downtime. Security postures are hardened, and businesses are able to quickly respond to Zero Day threats with remote patching. Overall security, maintenance and infrastructure is managed by the SaaS and IAM providers, helping to free up internal resources even further.
Operations-led benefits
By outsourcing to SaaS and IAM providers, businesses also realize multiple benefits to their operations. Some of the more tangible ones are:
Increased identity-based self-service
Access to SaaS applications can be managed with automated, identity-based policies and technologies, reducing the risks of standing privileges and supporting a PAM approach for elevated users. Licenses can be provisioned and deprovisioned so that users and entities gain just-in-time access that supports Zero Trust strategies. Information can be centralized and shared based on identity-based permissions, which can be updated dynamically to respond in real-time to potential and actual threats.
Greater cost control
By reducing capital expenditure, businesses can take advantage of more predictable pricing models that come with subscription-based SaaS and IAM. The flexibility of monthly payments can be a useful alternative to spending where budgets need to factor in TCO, especially where seasonal demand means resources are only maximized at certain periods of billing cycles.
Scalability
Autonomous workflows have been found to save businesses an average of 26,660 worker hours each year. Within IT environments, automation also ensures consistent and repeatable operations, freeing up workers to focus on value-added edge cases. However, traditional IGA tools require users to be registered and have access managed manually – reducing scalability. However, implementing IAM as SaaS means IGA can be managed dynamically and configured centrally, aggregating user identities to streamline and automate approvals.
Improved governance
Adopting IAM with SaaS can also support organizations with their governance. For example, granting access rights based on roles proves standardized and secure onboarding and offboarding. This will be crucial in the immediate future, as regulations continue to evolve and place new pressures on governance. For example, PCI DSS v4.0 will be fully enforced on March 31, 2025. Among the changes is an increased focus on granularity and Principle of Least Privilege, which relates to Requirement 7 and the need to “Review all access by application and system accounts and related access privileges.” (pdf)
Why now’s the time for IAM to adapt the SaaS approach
IAM may be behind in adopting a SaaS approach, but solutions are now available to help businesses get ahead. That’s because the surrounding elements that go toward a 360-degree IAM solution are in place. SSO can be delivered through a SaaS model, allowing users to access cloud-based apps and resources using one login. Context-aware access, powered by machine learning, can be granted to authorized users only. Zero Trust can be enforced, with admin rights delegated at a granular level.
MFA has already proven to be a business-critical tool for tackling cyberattacks. Add advanced authentication, and businesses gain increased adaptability. Risk factors are assessed in real-time, with measures and policies dynamically applied and enforced. This allows for a consistent and seamless experience across devices and applications. Users can log in with biometrics and identity-based factors, allowing organizations to go passwordless, and solving risks around password-related breaches.
Of course, when managing privileged accounts, the chosen solution must balance security with agility. That can mean configurations requiring an extra authentication factor before logging in, or connection permitted through secure networks only. These can help with the many privilege-based challenges facing enterprises, such as privilege creep or standing privileges, that attackers can use to gain access and move undetected through networks.
IAM SaaS: Now is the right time for organizations
The benefits of SaaS are clear, established and proven over time.
From a technology perspective, SaaS allows for increased automation, self-service and better user and customer experiences thanks to automatic updates. Operationally, it enables more predictable and controllable costs, resource gains from outsourcing, improved scalability, plus a solution to the ongoing cybersecurity talent shortage. Governance and compliance teams get access to certified and audit-ready systems and documentation.
For business to continue benefiting with IAM, users need access at the right time – but only for enough time. That’s a challenge in increasingly dynamic environments, with changing regulations placing added demands on CISOs and IAM program leaders.
SSO and MFA have proven to be essential components to addressing these threats while simultaneously enabling organizational flexibility and agility. It’s now a case of making them available from one platform with a single pane: an SSO MFA subscription to solve the challenges from disjointed systems and lack of integrations. In other words, delivering IAM solutions with a subscription-based As-A-Service model – whole IAM as SaaS.
