How to navigate your journey to cloud IAM

01

The cloud imperative

With the drive to digital transformation, mandates for cloud-first strategies and pressure to reduce costs, organizations are looking to cloud-delivered identity and access management (IAM) or identity-as-a-service (IDaaS) to help satisfy all three imperatives.

Why? Cloud IAM technologies can significantly reduce the cost and complexity of managing and operating legacy on-premises identity programs while helping to accelerate innovation and business growth.

By 2022, 40 percent of global midsize and larger organizations will use IAM capabilities delivered as software as a service (SaaS) to fulfill most of their needs

— Gartner [1].

Legacy on-premises IAM programs typically come with challenges, the result of balancing conflicting goals, objectives and constraints over time. While IAM spans all IT domains, in practice it likely consists of multiple projects and owners with differing dependencies, technologies and objectives. New business requirements and processes get addressed with add-ons and hard-coded customizations that are difficult to move away from. And somehow, audit requirements must still be met.

Compared with the cost and difficulty of upgrading the legacy environment, cloud-delivered IAM offers attractive benefits, including cost-efficiency, minimal infrastructure footprint, faster deployment and simplified operations.

Cloud IAM technologies offer compelling benefits

Fortunately, on-premises versus cloud is not an all-or-nothing decision. Most large enterprises will end up with a hybrid environment in which cloud IAM complements or augments legacy functionality that has outlived its utility or become too costly to keep up. The hybrid approach is also a way to address regulatory requirements and other restrictions that dictate keeping some data and functionality in house.

Bumps in the road

Nonetheless, there are some significant challenges that must be considered before moving to a cloud IAM solution, particularly for larger organizations with complex operations, IT landscapes or organizational structures. With IDaaS, most business processes and workflows — like onboarding users or authorizing applications — are standardized and “baked in.” The same may hold true for security policies. This means the organization may have to adapt to the platform, rather than operating in the usual way of shaping the platform to the business.

This big technology change will impact the user experience and, if not done right, will cause adoption challenges. Technology change can also make it difficult to retain and redeploy valuable skilled resources that have the organizational knowledge to help with integration and drive continuous improvement of the IAM program.

What’s more, you will have to develop and deploy your cloud-based solution while maintaining and operating your existing architecture, using different processes and security policies in parallel. Success in meeting these new challenges depends on the needs and flexibility of your core IAM team, business stakeholders and end users.

02

How to get cloud IAM right

Designing your journey to cloud IAM with your end users and stakeholders in mind can go a long way toward assuring smooth adoption.

This may seem obvious, but it’s all too easy to end up with a solution designed by engineers for engineers. The result can be a poor adoption rate due to poor design, complicated technology or an unintended negative impact on end users.

For instance, consider the case of an airline rolling out a cloud-based multifactor authentication (MFA) solution for pilots and flight attendants. Many MFA solutions require the end user to be connected to a network — for example, having access to a cell phone or email — to retrieve an authentication code. Putting flight crews in the position of relying on the airplane’s WiFi to access resources — if in-air WiFi service is even available — can lead to frustration and adoption problems. At worst it can result in crews not being able to access resources necessary for doing their jobs.


Involve your end users and stakeholders

Any major technology change in IAM is going to impact the way your end users access their resources, how administrators perform their workflows, and how security teams integrate on-premises infrastructure, such as firewalls, with cloud-based services. That’s why you need to make sure any solution you design addresses the needs of all stakeholders.

One way to accomplish this is to apply Enterprise Design Thinking to your project at the outset. This approach, developed by IBM, solves design problems from an end-user perspective. It brings all the relevant stakeholders together in a collaborative and outcome-driven environment at the outset of the project. Taking this step to gather requirements and identify problems firsthand can create a sense of ownership on the part of stakeholders and mitigate the risk of poorly designed solutions.

You can also use this approach to revisit the user points of view at key milestones. The needs of the business will change, so keeping your stakeholders involved while you stay flexible and responsive will go a long way toward delivering a solution that is technically sound and secure as well as suited for your user population.


Don’t reinvent — adopt, iterate and continuously improve

Most IAM projects face the challenge of delivering cost savings quickly. As you are designing your solution, leverage industry best practices for common use cases to help speed up deployment efforts and deliver a secure and usable cloud IAM solution. Combine this with an Agile approach to accelerate time to value and delivery of functionality.

Next, prioritize a rollout schedule that delivers success early. For example, begin with one feature, such as a single sign-on (SSO), to build trust in your project and keep stakeholders engaged and invested in its success. Then move on to the next project, such as MFA, as you expand your cloud IAM footprint.

Ongoing day-to-day management should focus on driving continuous improvement in the new environment. Getting started with cloud IAM is not a simple matter of pulling out a credit card and making a purchase. Likewise, cloud IAM is not a set-it-and-forget-it environment. Retraining and redeploying your IAM talent on cloud-based IAM architecture and processes can go a long way toward retaining key employees as well as prioritizing integrations and onboarding new assets.

03

Consider how you want to deliver IAM functionality

IAM functionality can be delivered in many ways, ranging from on-premises or private cloud to hosted on public cloud or cloud delivered.

Many organizations have requirements for IAM workflows, including approval, provisioning and onboarding, that drive heavy customization of the legacy on-premises architecture. Often, these customizations are not available in cloud-delivered services, and teams must decide whether to keep these capabilities on-premises or adapt their business processes to the realities of the cloud-delivered tools.

Many cloud-delivered IAM solutions also have limited support for custom legacy deployments, which may make it difficult to integrate things like on-premises custom apps. However, by moving some on-premises applications to private or public cloud, you can realize some of the cost savings and scalability of cloud while retaining control in house. The key is to assess the current landscape and build a technical solution to meet the varying requirements of the business.

Factors affecting your assessment

The factors impacting your ability to deliver IAM functionality from the cloud fall into three categories: strategic, operational and the IT ecosystem.

Strategic considerations and where they originate include:

  • CISO and the board of directors: Look here for direction about governance, security policies, compliance requirements and your organization’s overall cloud strategy.
  • Line of business and IAM team goals: Which users are moving to the cloud? Which business functions are moving to SaaS applications? How will you provide IAM for these users?
  • Third-party partners: They may have their own security and compliance requirements that will dictate that you use on-premises solutions.

Operational factors are broader and require careful consideration:

  • Line of business: What do users expect from the IAM experience throughout the joiner-mover-leaver lifecycle? What degree of self-service do they want, for example, in resetting passwords? And how does the competitive environment affect time-to-market pressures for new capabilities?
  • Application and IT owners: This group will be concerned about access requirements for their applications and compliance issues, and will be interested in a quicker, simpler onboarding process.
  • Security and IAM: Access security policies will drive considerations around policies for approvals and the granularity of access recertification. IAM-specific considerations include how to meet requirements for workflows (approval, provisioning, onboarding of people and apps) and using automation where possible to increase efficiency.
  • Auditing and compliance: These requirements won’t change, whether delivery is on-premises or from the cloud. You will need to ensure that you can consistently provide the types of evidence and reports required for audits, both ad hoc and on a scheduled basis. Look for opportunities to employ automation.

Beware of hidden dependencies and “gotchas” in the IT ecosystem. Be sure to consider:

  • Network structure restrictions
  • User repository configurations and HR feed requirements
  • Integration with an on-premises ERP system and other legacy applications
  • The location of data feeds and provisioning targets
  • The types, location and authentication mechanisms of existing applications

04

Build a target architecture customized to your organization

With the information you derive from your assessments, you can identify which IAM capabilities will stay on-premises, what you can move to cloud infrastructure, and what can be delivered from the cloud.

Expect to do some gap analysis at this stage of the journey as you look at existing customizations and determine which business and process flows will need to change to migrate to cloud IAM. Remember that change is often not welcome. You may have to go through a customization rationalization process, developing use cases for requested customizations to determine if they are really necessary for the business.

What you end up with is a future-state, program-wide architecture. For example, access management functions such as federated SSO and MFA may be delivered from the cloud, and functions like role management and privileged access management might remain on-premises. Workflows and provisioning can be hosted on private cloud, while directory services can be hosted on public cloud. It all depends on your requirements and the feasibility of what can be migrated to the cloud.


Pick the right operational model

Another lens that can help you make decisions about your architecture is the operating model. Let’s use a transportation analogy to illustrate the options.

Owning your IAM software and running it on-premises is like owning a car. You are responsible for buying, managing and maintaining the car, and if it breaks or you get a flat tire, that’s your problem. But you also have complete control. You can go where you want, when you want. Likewise, if your on-premises identity infrastructure breaks, the software needs to be upgraded or you make process changes that require customization, it’s all on you. But you also have in-house control and can make all the customizations the business requires.

Alternatively, when you consume IAM from a SaaS platform, it’s like taking the bus or the train. You get the ride, but it’s on the operator’s schedule using equipment of their choice. On the plus side, you pay as you ride, with no overhead and no break/fix responsibility. With a SaaS provider, you manage your data and business processes. But the rest of the stack is provided for you on a pay-as-you-go basis. Operations are simplified, you have minimal infrastructure footprint, and configuration is point and click. The tradeoff is that you are limited to standardized business process and workflow capabilities.


There is a third operational model to consider: managed identity services. Think of it like a rideshare service. Your transportation is tailored to your needs — you can go where and when you want — but you are still consuming a service, not owning an automobile. The outcome you are paying for is on-time pickup and safe arrival at your destination. With managed identity services, your IAM functionality — on-premises, SaaS or hybrid — is provided as an outcome-based, fully managed service that is adapted to your scope. The outcome is an always-on service that meets the needs of your users, with high adoption rates and on-time delivery of new capabilities.

05

Why IBM Cloud IAM Services?

A successful move to cloud IAM requires a security strategy that combines people, process and technology. IBM Cloud IAM Services offers pragmatic, product-agnostic guidance to help you maximize the benefits of cloud IAM functionality along with proven processes and expertise.

We manage more than 250 million identities across more than 1,200 clients and can help you implement cloud IAM at scale.

First, our professionals collaborate with you to design a user-focused solution using Enterprise Design Thinking that can include customized workflows, processes and use cases. Enterprise Design Thinking for IAM helps organizations rethink how an IAM project operates. We fully execute your migration to help minimize service disruption, and we provide effective training to introduce the new platform to end users.

After deployment, we can also manage and optimize your newly deployed cloud IAM platform to improve operational efficiency and business processes based on performance data and user feedback. Our managed identity services help deliver continuous improvements and optimization to your IAM program. Finally, we expand the scope of your new cloud IAM solution with prioritized new target application onboarding and system integrations with our Onboarding Factory. This creates a solution that continually evolves to meet your changing needs.

[1] Gartner press release, “Gartner Predicts Increased Adoption of Mobile-Centric Biometric Authentication and SaaS-delivered IAM,” February 6, 2019. https://www.gartner.com/en/newsroom/press-releases/2019-02-05-gartner-predicts-increased-adoption-of-mobile-centric