Next-Gen Identity and Access Management: Ready for a New Set of Wheels?
By Martin Kuhlmann, Lead Solution Consultant, Global Blackbelt Team
In many organizations, working with the current IAM solution is like driving a 20-year-old car. It gets you from A to B, it is still rolling, and it may look fine from the outside. But when you consider its safety standards, its high fuel consumption, the costly breakdowns you have had recently, and how hard it gets every year to find a mechanic who still knows how to fix it, you realize: it is time for a new set of wheels. The same goes for your legacy identity management system. To get up to speed, consider a replacement that improves security, efficiency, and compliance. Here is why and how.
Many organizations started their identity and access management (IAM) journey more than 15 years ago with the first mature IAM systems. At that time, the key goals were a more efficient central user administration and automation, implemented as data flows between HR systems and targets such as Active Directory, Exchange, SAP, and strategic legacy applications. In many cases, companies developed their own IAM solutions because the off-the-shelf systems did not meet their requirements well enough or were too costly to implement.
Legacy implementations were commonly expanded over time. Data flows and logic were added year after year, with many compromises and growing complexity. Today those IAM systems are difficult and costly to maintain, and their operation depends on a few experts who know all the details. As a result, legacy systems do not meet current security standards or the increasing compliance requirements, and they are neither user-friendly nor future-proof.
Does your current IAM solution meet the business requirements?
The key issue, on top of the technical and operational deficiencies, is that in most cases the legacy solutions are not keeping up with the business requirements of today's hybrid IT infrastructure and IT governance. This has led to situations where business managers, auditors, and security officers implement point solutions for identity and access governance because their core IAM product lacks the required features, among them:
- Automated recertification of access
- End-user self-service
- Supplier access management
- Advanced access analytics
- Monitoring of key performance and risk indicators
The outcome is a poorly integrated patchwork of identity governance and administration functions with no comprehensive oversight, manual processes, and high maintenance effort.
Finally, legacy solutions lack integration capabilities. On the one hand, this applies to the many new standard applications and cloud services for which next-generation IAM products offer standard connectors. On the other hand, to build a defense against cyber-attacks and fraud it is important to integrate the security solutions in the organization and tie IAM together with Security Information and Event Management (SIEM) systems, privileged access management, data access governance, activity monitoring solutions, and others. Today organizations require plug-and-play interfaces and support for open standards such as REST and SCIM for provisioning and standard authentication protocols (SAML, OpenID Connect) to keep up with the modern-day speed of change in IT.
What to consider when moving to a next-gen IAM system
When you know it is time to upgrade your current IAM solution, the essential question to address is: "How should you approach the migration to a next-generation solution for identity management and access governance?"
The first and very important step is to bring together the people who will benefit from a new solution: business, HR, security, user administration, and/or auditors. Remember that this is not just an IT project; it is a project that affects the entire organization. Prioritize the stakeholders' requirements, evaluate the cost savings, and determine the benefits from automating the compliance documentation process and from the security gains. Document clearly, as measurable outcomes, what you will achieve by offering new identity governance functionality and by streamlining the existing procedures and solution architecture. The key elements of the business case are risk reduction, efficiency gains, and infrastructure improvements.
In order not to "re-invent the wheel", and to minimize the risk of over-engineering, spend time looking into best-practice processes. That will also keep you from implementing processes that are unproven and flawed.
The Migration Strategy is Paramount – Some Recommendations
The migration strategy is as important as the decision itself to move to a more comprehensive identity and access management solution that addresses the deficiencies of your existing one.
Here are a few observations and recommendations from some of Omada’s successful IAM solution replacements:
- Consider starting with a small but labour-intensive use case (e.g. recertification of access). Run it in parallel with your existing IAM solution on the new product, chosen because it can grow into a full IAM and governance feature set. Afterwards, replace the existing solution step by step.
- Alternatively, start by replacing the core data flows, then extend the solution step by step to further target systems and add IAM and governance features one at a time.
- If you decide on a new IAM solution, it pays off to review and simplify the IAM architecture, including IAM components, data flows, and processes.
- During the migration phase, make sure compliance requirements are met at all times (e.g. availability of reports, enforcement of policies).
- The connections to HR, organizational databases, and target systems are switched over to the new solution and its standard connectors. The new IAM system should be flexible enough to adapt, by configuration rather than custom code, to the import and export data structures of the former IAM system, so that the transition is smooth.
- Automated data flows and rule-based provisioning actions across the identity lifecycle (joiner, mover, leaver) have often been hardcoded in the legacy system, or at best configured there. These flow rules and assignment policies should be made configurable and maintained in the administration portal of the new IAM system.
- It is very likely that the former IAM system is the leading system for some data, such as records of external employees, business roles, and other reference data. This data can be extracted and imported into the new system, which manages it from that point onwards. Again, flexibility of the new system's data model is key.
- Next, existing workflows are transferred to the new IAM system, or existing manual procedures are replaced. We recommend validating existing processes against Omada's IdentityPROCESS+ process framework and moving to best-practice processes wherever possible.
- Any custom logic should be reviewed and tested to see whether it can be made redundant or simplified. Before switch-over, verify that the new configuration reproduces the access decisions of the old logic for the existing population, so the migration does not silently change who has access to what.
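The two recommendations on hardcoded lifecycle rules and on reviewing custom logic are easiest to see side by side. The following is an added illustration, not Omada code and not part of the original article: a legacy-style function with the assignment rules baked into code, the same rules expressed as declarative assignment policies that an administration portal could maintain, a reconciliation step that turns the difference between desired and current target-system state into grant and revoke actions (including the leaver case, where everything is revoked), and the migration check that the new policies reproduce the old logic. Department names, entitlement identifiers, HR records and the target-system snapshot are all made up for the example.

```python
"""Declarative assignment policies vs. hardcoded provisioning logic.

Added example, not Omada code. Departments, entitlements, HR records and
the target-system snapshot below are constructed for illustration.
"""
from dataclasses import dataclass


# --- Legacy style: lifecycle rules hardcoded, every change is a code release. ---
def legacy_entitlements(identity):
    roles = set()
    if identity["status"] == "active":
        roles.add("AD:Domain Users")
        if identity["department"] == "Finance":
            roles.add("SAP:FI_DISPLAY")
            if identity["country"] == "DE":
                roles.add("SAP:FI_DE_POST")
    return roles


# --- Target style: policies as data, maintainable without code changes. ---
@dataclass(frozen=True)
class AssignmentPolicy:
    name: str
    conditions: dict        # attribute -> required value; all must match
    grants: frozenset       # "system:entitlement" identifiers

    def matches(self, identity):
        return all(identity.get(k) == v for k, v in self.conditions.items())


POLICIES = [
    AssignmentPolicy("baseline", {"status": "active"},
                     frozenset({"AD:Domain Users"})),
    AssignmentPolicy("finance", {"status": "active", "department": "Finance"},
                     frozenset({"SAP:FI_DISPLAY"})),
    AssignmentPolicy("finance-de", {"status": "active", "department": "Finance", "country": "DE"},
                     frozenset({"SAP:FI_DE_POST"})),
]


def desired_entitlements(identity, policies=POLICIES):
    """Union of grants from every matching policy. A leaver (status != active)
    matches no policy, so the desired state is empty and all access is revoked."""
    wanted = set()
    for policy in policies:
        if policy.matches(identity):
            wanted |= policy.grants
    return wanted


def provisioning_actions(current, desired):
    """Diff the current target-system state against the desired state.
    Returns (grants, revokes) that the connectors must push."""
    return sorted(desired - current), sorted(current - desired)


# Constructed sample HR feed (what the HR connector would deliver).
HR_FEED = [
    {"id": "e1001", "status": "active", "department": "Finance", "country": "DE"},
    {"id": "e1002", "status": "active", "department": "Finance", "country": "DK"},
    {"id": "e1003", "status": "terminated", "department": "Finance", "country": "DE"},
]

# Constructed snapshot of what the target systems currently hold.
CURRENT_STATE = {
    "e1001": {"AD:Domain Users", "SAP:FI_DISPLAY"},                    # under-entitled
    "e1002": {"AD:Domain Users", "SAP:FI_DISPLAY", "SAP:FI_DE_POST"},  # over-entitled
    "e1003": {"AD:Domain Users", "SAP:FI_DISPLAY", "SAP:FI_DE_POST"},  # leaver still provisioned
}


def reconcile(feed=HR_FEED, state=CURRENT_STATE, policies=POLICIES):
    """Evaluate the policies for every identity in the feed and return the
    (grants, revokes) plan per identity id."""
    plan = {}
    for identity in feed:
        desired = desired_entitlements(identity, policies)
        current = state.get(identity["id"], set())
        plan[identity["id"]] = provisioning_actions(current, desired)
    return plan


def policies_match_legacy(feed=HR_FEED, policies=POLICIES):
    """Migration check: the declarative policies must reproduce the hardcoded
    logic for every record, otherwise the switch-over changes access silently."""
    return all(desired_entitlements(i, policies) == legacy_entitlements(i) for i in feed)


if __name__ == "__main__":
    for ident, (grants, revokes) in reconcile().items():
        print(ident, "grant:", grants, "revoke:", revokes)
    print("policies equivalent to legacy logic:", policies_match_legacy())
```

Running the script shows one missing grant for e1001, one excess entitlement to revoke for e1002, and a full revocation for the leaver e1003; the equivalence check passes because the three policies cover exactly the branches of the legacy function. In a real migration the same check would be run over the complete identity population, and any identity where the two disagree is either a rule that was never documented or a bug in the old logic, both of which need a decision before cut-over.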
When you know it is time for a change, make your business case and take the opportunity to simplify, automate, integrate, and become more secure! Get that new set of wheels.
Based on almost two decades of implementing IAM projects, Omada has built a framework of best-practice processes. Get access to this 100-page reference guide here: IdentityPROCESS+.
Omada | August 2019
Dr. Martin Kuhlmann, Global Black Belt Senior Solution Architect at Omada, advises strategic customers and designs identity and access management solutions. Martin has been active in the IT security space for almost two decades and has been a frequent speaker and panelist at international conferences. As a consultant and strategist, he has had a leading role in various security integration projects in large organizations, specializing in identity management and access governance, and risk and compliance. Martin has published numerous journal articles and several scientific papers on role-based access control (RBAC) and application security. In 1992, he completed his doctorate in mathematics at Bochum University, Germany.
Identity Governance and Administration (IGA) Best Practice Process Framework
The Omada IdentityPROCESS+ e-book is a comprehensive best-practice process framework that describes the most important processes needed to ensure a successful IGA deployment. The framework was developed to support successful IGA projects and to help organizations implement well-proven best-practice processes.