Are you bothered by the ubiquitous dichotomy between delivering to urgent demand and delivering to a strategy for your organization’s IAM (Identity & Access Management)? The good news is that you are not alone. But there is more good news: You can get both, without unreasonable extra effort and without endlessly delaying any delivery. It is work and it will require some investment in time and maybe in money. But it works, and it is an already proven approach.
Not every practice qualifies for “best” practice
The magic word here is “best practices”. Best practices in the true sense of the word. Unfortunately, a lot of what is sold as best practice is indeed an established practice, but far from a best practice (anymore). It might have been a best practice once in the past, or at least a proven practice. “Proven” and related terms are the alarm signals here. What has been great for the last 10 years does not always qualify as a best practice when evolving your IAM (or other areas of your business) into the future.
A real best practice must have a proven element, as in practice. But it must also deliver to the future demands. A best practice thus must contain a significant degree of flexibility, to adapt to changes, such as new themes and technologies emerging in IAM.
Identity Fabrics: Proven & adaptive
Over the past years, KuppingerCole Analysts has developed and publicized the concept of Identity Fabrics. Identity Fabrics are not a fixed architecture, but a framework and guideline that describes a modern, future-proof, and adaptive IAM, but also the path towards it.
The KuppingerCole Analysts Identity Fabrics provides a framework for both architecting a modern, future-proof IAM and for the gradual modernization of the legacy IAM.
This approach delivers what a best practice must include:
• It is a proven approach that has been incorporated by several companies already
• It is a proven approach that influences the work of several providers of IAM solutions already
• It is adaptive because the set of capabilities, the definition of the services, and the tools in use are adaptive and can evolve with changing requirements
• It thus also is future-proof, because it isn’t static
• It also is future-proof because it focuses on modernization towards an IAM that covers all types of identities, all types of services, and delivers to the needs of businesses building digital services
• It focuses on modern architectures and strong support for APIs (Application Programming Interfaces)
In the research and advisory work we have done over the past years, since the introduction of the Identity Fabrics model, the model has proven to deliver both on concrete challenges around current demand or IAM modernization, and on building a vision, strategy, blueprint, and roadmap for the future IAM.
Identity Fabrics: Some insights
Without explaining all the details of Identity Fabrics, on which we have already published a Leadership Compass, a Leadership Brief on utilizing the concept on the journey towards IDaaS, a Leadership Brief introducing the concept, multiple whitepapers, and many blogs and videos, there are some aspects that deserve to be highlighted in the context of this blog post.
One is that Identity Fabrics go beyond traditional IAM in supporting both an inside-out and an outside-in approach to IAM. The inside-out IAM is what most solutions support: They manage accounts and entitlements in target systems, or they, e.g., sit in front of applications and do the authentication. The outside-in approach is different: IAM serves requests of applications and digital services at runtime, as a backend service, via APIs. This paradigm shift is not entirely new, but it is gaining attention and momentum in the digital age.
Another important element in the concept of Identity Fabrics is the support for migration from legacy IAM to a modern solution at the pace of the customer. Identity Fabrics can integrate with legacy IAM solutions. Moreover, existing IAM solutions can even form a part of the Identity Fabric as tools delivering services and capabilities needed, if the IAM technology in use is sufficiently modern.
This “sufficiently modern” involves support for deployment in as-a-service models and strong support for IAM as well as modern, modular architecture.
Vision, Strategy, Blueprint, Roadmap
We are aware from many discussions that the IAM teams in organizations are concerned that they will not be able to master the effort and time needed for developing their own IAM vision, strategy, blueprint, and roadmap. Our practice has proven the opposite: It can work, and it can be done with a very reasonable effort, and within a reasonable time.
The advantage of the Identity Fabrics model is that it provides a mature framework and thus orientation for deriving a specific version that suits the state as well as the current and future requirements of organizations, while also providing the link to the existing IAM infrastructure.
The main effort is in two related areas:
• Requirements analysis
• Scoping & prioritization
The advisory team at KuppingerCole Analysts has developed efficient methodologies for identifying the high-level requirements, defining the scope, and prioritizing the various capabilities and thus the services and tools required to deliver these. Within a few weeks and a couple of workshops, the vision for the future IAM, the customer-specific incarnation of the Identity Fabric including a high-level architectural blueprint, and a rough roadmap are set.
Like every strategy, blueprint, and roadmap, this is not carved in stone, but a living model that evolves with future trends and requirements. It can be easily adapted because the framework itself remains consistent. Adding services, replacing tools, serving additional capabilities: All can be done within the Identity Fabrics framework.
The time (and money) spent on vision, strategy, blueprint, and roadmap following the Identity Fabrics framework are well spent. To bring up an old analogy here: No one would ever start building a house without a plan. So, why build your future IAM without a plan, by just adding some tools here or there?
Deliver & evolve: Balancing short-term demand with strategy
The other aspect that concerns organizations is the need to deliver to current, pressing demand, while executing a strategy. This dichotomy is not always easy to solve. However, having a strategy building on the Identity Fabrics paradigm also includes aspects such as strong API support, a modern architecture, and support for as-a-service delivery models. The Identity Fabric also provides a straightforward approach to mapping requirements to capabilities, services, and tools, and thus to identifying overlaps with existing or planned technologies.
Thus, short-term requirements can be checked regarding their compatibility with the strategy and might become an element of the Identity Fabric. On the other hand, massive overlaps with existing components can also be easily identified, to avoid redundancy.
There also might be scenarios where some short-term solution stands in contrast to the requirements within the future Identity Fabric. If there is no alternative solution (in most cases, there is) that fits the strategy, such solutions should be defined and treated as tactical, with a limited life span and a defined migration strategy.
The legacy aspect: Embrace, extend & replace
Finally, there is the legacy. Most large organizations have some level of legacy IAM in place. In many organizations, these also serve complex legacy IT such as mainframe or SAP environments. The effort for a rip & replace approach in many cases is unreasonable. While the Identity Fabric is open to moving to modern solutions that support the legacy IT, it also is legitimate to use legacy IAM components as intermediaries to the legacy IT.
In the end, this is just a matter of economics and, to a certain extent, of pragmatism and prioritization. The economic aspect is about comparing the cost for licenses and operations of the legacy IAM with the cost of migrating it to more modern solutions. It can be more efficient to just keep the legacy IAM in the as-is state and gradually move legacy IT to the Identity Fabric, or just retire legacy IT.
The aspect of pragmatism and prioritization applies to everything in the journey towards a modern Identity Fabric. You never will be able to do everything in parallel. Prioritization is key. This also holds true when it comes to the discussion about further utilizing some elements of legacy IAM: Sometimes, it is better to focus on adding new capabilities, while postponing migration. This just needs to be discussed, evaluated, and decided.
Modernize your IAM. Now.
The Identity Fabrics model helps in the journey from the legacy IAM to a modern, future-proof IAM. It offers a lot of flexibility in planning and making that journey. However, with the need to support more identities and services, and with the shift from an inside-out-only approach to IAM to supporting both inside-out and outside-in approaches, there is a mandate to modernize your IAM. That journey must start now.
Don’t miss attending EIC 2022. You will benefit from plenty of sessions around the big theme of Identity Fabrics.