Identity as a service (IDaaS)
What is identity as a service (IDaaS)?
Identity as a Service (IDaaS) refers to cloud-based identity and access management solutions provided by a third party. Instead of running their own identity infrastructure, organizations can rely on an IDaaS provider to handle authentication, authorization, directory services, and other identity functions as a subscription service.
In an IDaaS model, things like single sign-on (SSO), multi-factor authentication, user directories, and provisioning can all be managed in the cloud. This is often delivered via a web interface and APIs. In short, IDaaS is IAM in the cloud – examples include Okta, OneLogin, Azure AD (as a cloud directory and IdP), and Ping Identity. It frees organizations from maintaining on-prem identity servers and provides global, scalable identity management that easily integrates with SaaS applications.
How does it affect identity security?
IDaaS can bolster identity security by leveraging specialized providers who focus solely on protecting identities. These services typically incorporate strong security practices (like robust encryption, frequent updates, dedicated threat monitoring) that individual companies might struggle to maintain on their own.
IDaaS also simplifies the deployment of advanced security features: for instance, an IDaaS platform often makes it easy to roll out MFA, adaptive authentication policies, or passwordless logins across all integrated apps. This consistency reduces gaps where an attacker could otherwise find weaker entry points. However, this central role also makes an IDaaS platform a high-value target: if the provider itself is breached, all client organizations may be at risk.
Therefore, when using IDaaS, companies must still practice good security hygiene (like managing the IdP admin accounts carefully and monitoring logs). Overall, IDaaS is important because it can elevate the baseline of identity security and convenience, especially in a time when users access many cloud applications and need a unified, secure login experience.
Case study
A prominent case involving IDaaS is the Okta breach of January 2022. Okta – a leading IDaaS provider – announced that hackers had compromised a third-party customer support engineer’s account, potentially affecting hundreds of Okta’s client organizations. The attackers had remote access to a support engineer’s computer for five days, during which they could potentially view or use sensitive customer identity data and help reset user passwords.
This breach was alarming because Okta manages authentication for thousands of companies (“the identity provider for the internet,” as it brands itself). Although the direct impact was reportedly limited, the incident underscored the ripple effect a compromise at an IDaaS provider can have. Companies relying on Okta had to trust the investigation and ensure no unauthorized changes were made to their identity configurations. The Okta case highlights the shared responsibility in cloud identity: while the provider must secure its platform, customers should have monitoring in place (e.g., alerts for unusual activity on their IdP) and contingency plans for such scenarios.
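The customer-side monitoring described above can be sketched as a small detection pass over IdP audit events. This is an added example, not code from the original page or from any IdP vendor; the event schema, action names, approved-admin list, and burst threshold are all assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, vendor-neutral audit schema.
SAMPLE_LOG = """\
{"ts":"2024-01-01T09:00:00","actor":"alice@corp.example","actor_type":"tenant_admin","action":"password_reset","target":"bob@corp.example"}
{"ts":"2024-01-01T09:05:00","actor":"bob@corp.example","actor_type":"user","action":"password_reset","target":"bob@corp.example"}
{"ts":"2024-01-01T14:00:00","actor":"support-eng-7","actor_type":"provider_support","action":"password_reset","target":"carol@corp.example"}
{"ts":"2024-01-01T14:03:00","actor":"support-eng-7","actor_type":"provider_support","action":"mfa_reset","target":"carol@corp.example"}
{"ts":"2024-01-01T14:06:00","actor":"support-eng-7","actor_type":"provider_support","action":"password_reset","target":"dave@corp.example"}
{"ts":"2024-01-01T15:00:00","actor":"contractor@corp.example","actor_type":"tenant_admin","action":"admin_role_grant","target":"erin@corp.example"}
"""

SENSITIVE = {"password_reset", "mfa_reset", "admin_role_grant"}  # assumed action names
APPROVED_ADMINS = {"alice@corp.example"}  # assumed allowlist kept by the customer
BURST_COUNT, BURST_WINDOW = 3, timedelta(minutes=10)  # assumed threshold

def detect(log_text):
    """Return (rule, actor, target) alerts for sensitive identity changes."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    recent = defaultdict(list)  # actor -> timestamps of recent sensitive actions
    alerts = []
    for e in events:
        if e["action"] not in SENSITIVE:
            continue
        ts, actor, target = datetime.fromisoformat(e["ts"]), e["actor"], e["target"]
        if e["actor_type"] == "provider_support":
            # Any credential change made through provider-side support access.
            alerts.append(("provider_support_action", actor, target))
        elif actor != target and actor not in APPROVED_ADMINS:
            # Change to another user's account by an admin not on the allowlist.
            alerts.append(("unapproved_admin_action", actor, target))
        # Self-service resets (actor == target) are not alerted individually.
        recent[actor] = [t for t in recent[actor] if ts - t <= BURST_WINDOW] + [ts]
        if len(recent[actor]) == BURST_COUNT:  # fires once, when the threshold is reached
            alerts.append(("reset_burst", actor, target))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In practice the events would come from the IdP's audit log export or API, and the alerts would be forwarded to the organization's SIEM.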