Successful digital transformation requires a robust, adaptive, scalable and secure means of collecting, managing, authenticating, provisioning and leveraging digital identities in support of a wide range of applications and use cases. The right Identity and Access Management (IAM) foundation can make or break an enterprise digital transformation program, and these services are rapidly moving towards the cloud.
We’ll address the question of cloud-based IAM readiness by exploring the following considerations:
- Readiness in terms of progress towards the next generation of Enterprise IAM
- Level of preparedness to integrate, migrate and co-exist
- Key enterprise requirements
- Cloud IAM readiness–IDaaS vs. IAM suites
- Are your solution providers ready?
Moving to the Next Generation of Enterprise IAM
Identity and Access Management is advancing rapidly in its own right, but it is also a critical part of how most applications and services are accessed and secured. This next generation of IAM stretches beyond the enterprise to the Internet, becoming borderless rather than defined by the enterprise perimeter. It also involves a scaling up from thousands or tens of thousands of identities to hundreds of thousands or potentially millions of personal identities, as well as an untold number of objects or ‘things.’ The following figure is our characterization of some of the major architectural shifts from legacy systems to the next generation of IAM.
Be Prepared to Integrate, Migrate and Co-Exist
The transition from traditional to next generation IAM is clearly non-trivial and is not going to happen overnight. The cloud-based component is just one part of this movement, but it is a core element and will itself take place over time. If properly managed, the move to cloud-based IAM can also simplify the overall transition in the long term.
But moving IAM services to the cloud for a large enterprise in a substantive way is easier said than done. The challenge for most enterprises is that the bulk of their identity management services and data sources currently reside within their premises, are connected by their networks and are hosted in their data centers.
This means that most large enterprises will have to dedicate significant resources towards migrating, integrating, coordinating and, at least initially, co-existing with legacy systems, processes and data sources. Coupled with the current feature trade-off between on-premises and cloud-based IAM solutions, the move to identity in the cloud will not be as simple as a snap of the fingers, but a journey that must be well understood before it begins. We’ll next look at key enterprise IAM requirements and use them as a foundation for assessing how prepared an organization is to move its identities to the cloud.
Enterprise Cloud-IAM Requirements
TechVision has conducted in-depth interviews with several large end-user organizations, and we are also leveraging our experience in leading over 500 end-user IAM consulting engagements over the years to provide a starting point for assessing enterprise cloud-based identity requirements. The first observation is that virtually every enterprise is planning to move a significant part of its IAM program to the cloud. In fact, most have already started with at least one point cloud IAM service to address a specific use case. Second, they are at an inflection point in determining how rapidly, and to what extent, they should move their IAM infrastructure off-premises. Key next generation enterprise requirements that continue to resonate and are driving IAM decisions include:
- Greater Flexibility via an Extensible, Inclusive and Adaptable Access Management Solution: This should be a foundational element for all enterprise IAM programs and should support access to all major applications and resources with multiple authentication standards. Extensibility is key as the scope and characteristics of managed objects will be constantly changing.
- Migration, Integration and Co-Existence: Large organizations, in particular, have a complex set of identity management systems, data sources, security requirements, and existing processes that need to be included in and supported by the cloud-based identity service. Managing the current environment while moving towards the desired future state is a key area of focus for most enterprises.
- Integrated Identity Governance and Administration (IGA): As more of an enterprise’s IAM infrastructure moves to the cloud, there is a requirement for a more comprehensive and integrated set of IGA services. These services should provide basic administrative management functions, automated provisioning, self-service options and management of a heterogeneous environment.
- Regulatory Compliance: Enterprises must properly assess privacy regulations such as the EU’s General Data Protection Regulation (GDPR) and many others. It is imperative that the organization clearly understand where their (or their customers’) identity data is being stored geographically, as well as who can access this data. Regulatory compliance based on audit findings is also often the tipping point that initiates next generation IAM initiatives.
Cloud IAM Readiness: It Depends on the Approach
Let me start by saying there is a fork in the road when it comes to cloud-based IAM, and there is no perfect solution today. But the path you take determines the threshold of “readiness” you need to achieve. Path 1 is a point program from an IDaaS-native provider where you start with a clean slate. There is less focus on integration and governance, and it is therefore much easier to be “ready.” This is a viable path and allows an organization to move appropriate areas to the cloud while maintaining existing systems.
Path 2 is a more holistic next generation IAM program in which the enterprise requires the integration of existing systems, data flows and governance models. This has a higher barrier to entry: most of these services are on-premises today, and the challenge is to preserve the existing connections and governance while moving them to a cloud-based service. This path takes longer to deploy and is far more complex, but it provides better integration, administration and governance of the entire enterprise identity ecosystem. Moving such a complex ecosystem to the cloud is, however, difficult.
Are the Solution Providers Ready?
Much like the paths described in the previous section, the vendors fall into two basic categories: IDaaS-native vendors that started their journey in the cloud, and identity suite vendors that started by connecting and integrating on-premises identities and data stores and represent the more traditional IAM vendors. IDaaS-native providers are characterized by vendors such as Okta and Janrain, and traditional IAM suite vendors are represented by organizations such as IBM, Oracle, One Identity and MicroFocus.
Vendors in each category are looking to leverage their initial strengths while generally building towards the strengths of the other category. The cloud-native vendors are generally looking to add enterprise integration capabilities and stronger governance and administration tools, while the legacy enterprise IAM vendors are moving towards a more dynamic, cloud-centric model. In general, the IDaaS-native vendors provide simpler, more cost-effective solutions for working with SaaS applications, and the enterprise IAM suite vendors provide superior integration with on-premises data and applications as well as stronger governance. The long-term winner will be what we call the full-service cloud IAM vendor, but in our opinion that fully cloud-native, full-service offering doesn’t yet exist. Both camps are working to get there, and we’ll keep tabs on who is leading the race.
For more details on the path towards cloud-based IAM, TechVision Research has just released an in-depth report, written by Nick Nikols and myself, describing a strategy, architecture, requirements and recommendations for moving enterprise IAM to the cloud. A generous excerpt from this research report can be found here: TechVision Research Cloud-Based IAM Report