Modernizing IAM solutions leveraging new operating models with the KuppingerCole Identity Fabric

Welcome to the Ko Nicole Analyst view. This is the identity edition, and this is the March, 2020 edition of the identity edition. My name is Matthias ARD, I'm director practice. I am here at Ko Cole, and I want to talk about modernizing IM solutions, leveraging new operating models with the equipping, a coal identity fabric. And that sounds much more complicated than it is. So if we modernize IM solution, we have to start with legacy. I am legacy IM is something that is in existence in almost any organization.

Many organizations have started early in using identity and access management for efficiently and securely managing their identities and the access rights associated to them. So many organizations do have legacy IM it started out as a typical enterprise IM system. So typically run on premises and run by an own team that is specialized on running such a system. And of course over time requirements have changed and the environments have changed and deployment models have changed, but these self run on premises run infrastructures come with high operations effort and costs.

You need to have the team that does it. You need to have well designed and executed processes. You need to provide these platforms and services with a high availability because this is your authentication authorization platform. So this should be available 24 7 and with high performance. So high operations effort in high cost. These systems typically come with lots of customizing because they don't provide out of the box, all the functionality that you require. So there are toolkits APIs, workflow engines available, which you can use to add additional functionality.

And this customizing of course, come with, comes with a generic issue. And that issue is maintaining these customizations, maintaining them, especially in the process of software, upgrades, and patches, to make sure that these changes still are available and functionally functioning perfectly as they did before the upgrade and the patch, many organizations need to have maintenance windows and make sure that these patches are well tested and well executed. There are maintenance windows on weekends that make sure that no normal business is interrupted by that.

And even organizations don't dare to do software upgrades and patches, just not to break the system. The customizations. On the other hand, there are much more newer requirements coming up. Digitalization is one buzzword that has to be mentioned here. And this digitalization requires new digital services and the, they need to be provided in a way that they have access to access data, to identity data identities by employees, by partners and by consumers, new business requirements need to be fulfilled very in a very agile manner.

And so these new digital services and business requirements are real new challenges to existing IM system. On the other hand, there's the requirement for compliance and governance. So second password of course, is GDPR here. So many organizations just have to make sure that they handle identity data because this is PII personally identifiable information in many cases has been, or is handled in a compliant manner to all the regulations, to all the laws that are out there, and that need to be fulfilled.

And there much more to think of when it comes to compliance and governance and an IAM system and thinking all of, of all of this, another issue is the skills gap. So if you want to have a team that provides this within your organization, it might be very difficult to find the right people to actually do it for you to hire them in, in a way that they are as experienced and as trained as required. So that might be really an issue here. A different angle to look at this topic is the cooking, a coal IAM reference architecture.

We use this as a tool, as a competitive to look at existing IAM architectures and to define, to be architecture. So for move from a status quo to a plan, new status along a roadmap. So if you look at this graphics very quickly, I don't want to dive too deep into that, but a short glimpse on it. If you look at the big box in the middle, we have four columns, administration audit and analytics authentication authorization. And with these four pillars, we organize the building blocks that we typically expect to be within an IAM system.

They are, if you look at the lines also distinguished between core IAM, extended IAM and IM related it. So the blocks that we expect should be in an IM system, those who can be but are not necessary. And those systems that are within an organization and that provide data to an IM system, consume data, interact, cooperate with an IM system to the left. We have the data sources to the right. We have the target systems on the top. We have business use cases.

So the actual questions that your business will ask the it, the IAM team to fulfill or onboard a partner off board, a partner, usually more challenging provide content management technique techniques. And on the bottom, we have all these regulations that are there without being asked. They need to be fulfilled no matter what you do. So privacy regulation, industry specific regulations, all these need to be fulfilled in general. So looking at these building blocks and thinking of the existing IAM system, and then moving that to a more modern approach, that is what we want to look at here today.

What we are doing is we are shifting IAM currently, and that is nothing specific when it comes to IAM in general, but it isn't something that happens to it in general. So we are looking at more and new deployment models apart from the standard on premises, running of systems. So one trend of course, is microservices slash containerization. Although these are different things they are closely related when it comes to formulating well defined microservices and putting them for the implementation into a container and running them on infrastructure as a service.

On the other hand, there are more and more organizations who provide I am as a managed service. So the actual operations of the IM is executed by a trusted partner and where it is executed is not necessarily defined because it's just a managed service. It could be on premises. It could be on in data centers owned by the MSP, or it could be in the cloud or in a data center by your third party. So what you're doing here is you're really losing the responsibility for operating the system for yourself.

It comes with a price tag and somebody does it for you and not that new, but still, rather than you, it's the concept of identity as a service where you have identity and access management features, access management, IGA, access governance capabilities being provided to an organization from the cloud as a service, without the need of operating that without the need of taking care of maintenance, windows, upgrades, patches, and that is usually provided yeah, from the cloud. And it could be in a private cloud, or it could be in a multi-tenant shared environment.

So shifting an IM from a on-premises system partially or completely towards such an architecture, that is also an aspect when it comes to modernizing IM the third angle, I want to have a short look at is what we at co call the identity fabrics. And that is actually the complete picture. Apart from the more technical more architectural building block point of view, this is really, yeah. The vision behind that. We have to the left, all these identities that are managed in an IM system, but also need access to systems to the right. We have all the systems from cloud to federated to legacy.

So if a consumer wants to have access to a system that is run still on premises, that needs to be accomplished. If an internal employee wants to have access to a cloud service, the same is true as well. So if we have the users to the left, the identities, to the left, the target systems to look at to the right, then the middle block, make sure that this all plays well together, achieving and enabling access from everyone to everywhere in a secure manner, based on a need to have need to know basis.

And that all by combining existing and newly created building blocks from the reference architecture run in different operating models between on-premise and the cloud and microservices and containers. That is the full picture of the identity fabrics. And having this in place enables you to have the enablement of digital services to the top and the integration of legacy systems, including in the legacy I am if necessary at the bottom of this graphics. So this is the vision that is behind that. There's much more around that on the clip call website.

So if you're interested in that and it should be, you can find that on our webpage. So now how do we start? How do we get to a starting point? How do we find do we, do we define a first roadmap for modernizing an existing architecture? And we had cooking a call. We typically apply a very simple approach here. We do portfolio analysis, and that sounds more complicated than it is than it is. As an example, I've pulled out a list, not all, just a few of the building blocks of the reference architecture slide that we had before.

And then we assess that from the viewpoint of an organization, with regards to the importance of such a building block and the functionality that is hidden in there and the aspect of missing functionality, future completeness. So if we talk to the business, if we talk to it, if we talk to legal and within an organization about these topics, it's usually quite straightforward to assign values between zero and 10, to such a building block, and to look at what the results are here.

So if we take as an example, the directory services, of course they are highly important, but usually as these are grown up systems and directory services were the first to be in place within an IM system. There usually is not too much functionality missing.

So, which is important, cuz otherwise things don't work, but there is no functionality missing. If you look at access governance as an example, up until a few years ago, that was not that important. Sometimes it was in banks and insurance companies.

It was, but it was not that important. And everybody knew, Hey, there's lots of functionality missing. So this is the, the picture that we had just up until a few years ago. So if we look at all these values here and we look at the result of this, we get to a chart to a graph like this. And then you can really identify how these individual building blocks are related to each other. We will have a short look at that afterwards, but just to fix this of course, access governance in year 2020 is something that is highly important and no longer just a two.

So we should fix that and change it here to an eight. So it moved over here to the right upper quadrant. So to understand that access governance is really important. So what do we do with this?

Of course, we need to assess this. We need to get to a prioritization here. And that is how it looks like the four colors. I apply to the four segments of this graph and they of course have different meanings if we start to the lower left corner, which is entitled three, and which I said is the don't touch quadrant. These are functionalities building blocks that are of little importance and don't have any missing functionality. So they are rather function complete or feature complete. So what do you do with these? They are working, nothing is missing. Don't touch. Just keep them.

If we go to the upper left, we have identity proving and verification and user self service, which are not that important for that organization, for that ideal organization for this demo organization. But there is lots of functional functionality missing. So what do you do with that? I've called it with the one, the long tail. You should do something here, but you don't have to do it immediately when it comes to immediately. And we look at the upper right quadrant, this is the thing that, where you really want to start with.

So these are the ones which are highly important for reasons because your business wants to have it. Your legal department wants to have it, have it, your governance department wants to have it. Maybe your business partners want to have it. So it's really business essential. So these are the aspects of an IM system to look at because of high importance and missing functionality. So you need to do something and it is important. So these are the, what we call strong candidates for starting for embarking on your journey for modernizing your IM infrastructure.

And if you look at access governance, we've heard before, as an example, these are functionalities, which are provided also from the cloud can be deployed within microservices. Container scenario, privilege management is something that can be easily also provided as a service.

Of course, identity Federation is something that is run in the cloud from the cloud. Usually with IDPs being provided, for example, through services like Azure ad and to finalize that picture, of course there is the lower right segment where there is functionality that does not require much changes, but is highly important. So this is something where we would say there is no immediate action required unless there are other aspects when it comes to cost, which is not depicted in this picture. So these are something that do not require immediate action.

When we look at these two dimensions, missing functionality and importance, but of course you can execute such a portfolio scenario for different combinations of dimensions. So that really helps us and helps keeping a goal when working with our clients in really quickly defining and identifying first steps for a roadmap, for strategy, for architecture development plan. So to finalize this short session six takeaways as a summary. So it's just a short wrap up of what we've heard today. First of all, there is legacy IM we are not starting on a Greenfield basis. So a legacy IM is challenged.

The box just repeats what we've mentioned before, increasing requirements, limited functionality, growing complexity and cost patches updates, and the skill gap. I should shown you the architectural blueprint of cooking a code as a means of describing and understanding the status quo.

And to be, I am landscape I've quickly shown you the identity fabric for both of these things, architectural blueprint, identity fabric. There's much more to learn on our website, changing deployment models. So where do you run these systems and changing, operating models? Who does it, does it somebody do for you or is it something that you do somewhere else? And finally the roadmap definition when it comes to modernizing an existing IM infrastructure and I am architecture, thank you very much for listening to this video block post.

I would be happy to have you as an audience in future video block post. Thank you very much for your time.