Friday, June 27, 2008

Why not SaaS

To wrap up my thoughts on SaaS, I wanted to take a moment and discuss why I do not believe that SaaS is good for IdM and a little bit of how it could be made to do so.

I have a lot of trouble getting my head around the idea that I should (or should ask someone else to) trust an outside source to hold and process my organization's identity data. Frankly, it scares the crap out of me. In this situation there would be terribly few controls over who accesses my servers and when. What happens when an upgrade goes in? How do I know what's going on? Basically, how do I guarantee the security of my implementation when it lives among people who "don't wear my company's shirt"?

Aside from this, I'm relying on a whole lot of infrastructure to make sure that my IdM applications stay up and running. What happens if there's a networking issue between my organization and the data center? How do I ensure scalability? What assurances are there on hardware availability?

These are the top two things on my mind when considering IdM and SaaS. Now, I personally dislike it when someone comes to me with issues and does not have any ideas on how to remediate them. (I also think it's a downer.) So here are some quick thoughts:

As far as security goes, one would have to assume that we can lock down the boxes and grant the host/implementers only temporary access for upgrade purposes. At a more basic level, at some point there must be some level of TRUST between application owners and system administrators. If that trust is not there, then there's a more basic problem that needs to be addressed. I seem to recall an article from a couple of years ago that discussed the need for trust between System Administrators and Application owners. I'll have to see if I can find the reference.

Hardware availability falls under the same umbrella. Great care needs to be taken when choosing a SaaS host to verify that they have good failover and DR solutions. As far as scalability goes, I would suggest that, if at all possible, you test SaaS in a controlled pilot setting, possibly between the data center and the DR data center, as a means to test availability, security and failover capabilities. Know that everything works in a way that fits the company's IdM mandate, GRC requirements and IT standards before looking for that SaaS provider.