The Identropy Blog


The IAM in the Mirror – Part 2 of 2


Part 1 of this 2-part article depicted the “typical” Enterprise IAM environment and contrasted it against a cloud-based IT environment, making the case that they look like mirror images of each other.  In part 2, we will discuss some of the specific challenges that the cloud-based IT environment presents, as they relate to IAM.

Some of the IAM Challenges in the Cloud-based IT Environment

Common Challenges

The reality is that organizations face similar IAM challenges in both traditional and cloud-based IT scenarios:

  • Automate and streamline identity lifecycle processes and access governance (i.e. re-certification, reconciliation, access request) to be able to report who has access to what
  • If the organization is subject to regulatory compliance, they need to implement and demonstrate that their risk management and compliance-required controls are in place and are effective
  • There is a constantly changing landscape of systems, applications and interfaces to integrate with the IAM infrastructure in order to effectively manage access
  • Managing the permutation of access rights and entitlements that a given user can be granted is exponentially complex, hence role-based or template-based access requests and approvals may be more needed and more effective
  • The organization may not have the appropriate expertise in house, or the resource availability to effectively deploy and operate its IAM solution
  • Reduce the volume of calls to the help desk for password resets and delays in access requests being processed

Unique Challenges

Specific to the cloud-based environment, there are some unique challenges for IAM that are in large part due to the more recent, and thus less mature, nature of the cloud and SaaS, such as:

  • There are no open standards available to simplify the integration between various SaaS systems as it relates to IAM. This creates the need for one-off integrations, often homegrown, to synchronize and propagate data in and out of cloud and SaaS applications. Some examples, such as keeping user groups in sync between Google Apps and an LDAP directory, were discussed in a prior blog series. Note: We at Identropy see SCIM with optimism.
  • There are few commercially available products and somewhat limited and unproven options for providing modern IAM solutions that can effectively integrate and govern identities across SaaS vendors, beyond SSO and basic provisioning – the latter still being a stretch
  • IAM is an afterthought for many SaaS applications, which means that the controls (provisioning, termination, authentication and SSO) need to be “bolted on”, often requiring one to deal with proprietary or non-existent interfaces
  • It is very difficult, or nearly impossible, to automate account reconciliation and provide a reliable termination process, since most cloud or SaaS applications implement an optimistic approach to account creation: they may streamline the creation (with on-the-fly provisioning based on SAML assertions, for instance), but they do not provide a similar capability to terminate accounts or to list which accounts exist
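As an added example (not part of the original post, and not Identropy's tooling), here is the reconciliation check the last point calls for, in Python: it compares an HR-fed directory with a SaaS account export and flags accounts that were created on the fly by SSO and outlived their owner. It assumes the SaaS side can at least export its user list (for instance via a SCIM query); all data is constructed.

```python
# Added example, not from the original post. Reconciles a SaaS account export
# against the authoritative directory. Assumes the SaaS side can at least list
# its users (e.g. a SCIM /Users query); the post notes many apps cannot, which
# is what makes this control hard to automate. All data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryUser:
    email: str
    active: bool  # False once HR/LDAP marks the person terminated


@dataclass(frozen=True)
class SaasAccount:
    email: str
    active: bool  # False if already disabled inside the SaaS application


def reconcile(directory, saas_accounts):
    """Return which active SaaS accounts are orphaned, belong to a
    terminated user, or are backed by an active directory user."""
    dir_by_email = {u.email.lower(): u for u in directory}
    findings = {"orphaned": [], "terminated": [], "ok": []}
    for acct in saas_accounts:
        if not acct.active:
            continue  # already disabled in the SaaS app; nothing to do
        owner = dir_by_email.get(acct.email.lower())  # case-insensitive match
        if owner is None:
            findings["orphaned"].append(acct.email)
        elif not owner.active:
            findings["terminated"].append(acct.email)
        else:
            findings["ok"].append(acct.email)
    return findings


# Constructed sample data: an HR-fed directory and a SaaS user export.
DIRECTORY = [
    DirectoryUser("alice@example.com", True),
    DirectoryUser("bob@example.com", False),  # left the company
]
SAAS_EXPORT = [
    SaasAccount("alice@example.com", True),
    SaasAccount("Bob@example.com", True),  # created by SAML SSO, never terminated
    SaasAccount("contractor@example.com", True),  # no directory entry at all
    SaasAccount("carol@example.com", False),
]

if __name__ == "__main__":
    for kind, emails in reconcile(DIRECTORY, SAAS_EXPORT).items():
        print(f"{kind}: {emails}")
```

The "terminated" and "orphaned" lists are the candidates for a deprovisioning ticket or an automated disable call, if the SaaS application offers one.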

So, What Should One Do?

Well, some of the recommendations we made in prior blogs still apply.  You need to start with defining risk, sensitivity and the appropriate prioritization, then inventory the options available to implement a scalable and reliable solution, and figure out the cost and benefit. Clearly, regulatory compliance will be a strong driver to implement an automated control, even if at a high cost.

One of the things that I view as relevant for organizations embracing the cloud is that they approach IAM in a way consistent with their overall business model. In other words, if your model is to rely heavily on the cloud for business critical applications and data, then it makes sense to explore cloud-focused IAM solutions first. Note that cloud-focused IAM solutions do not exactly mean cloud-based IAM; some on-premise approaches may still work or be feasible.

This [cloud-focused IAM] is clearly an evolving area for IAM, and one that will continue to drive innovation as well as standardization in the coming years. For us at Identropy, this is not only a critical area of our business, but it is our conviction that in a few years, there will not be traditional IT environments any longer, or better said, today’s cloud-based IT environments will be traditional.

There you have it. I hope that this discussion has at least been thought provoking, and that it ignites some comments.
