Cloud identity and access management (IAM) is quickly becoming a cost-effective and flexible model for modern IAM programs. According to the “2018 Gartner Magic Quadrant for Access Management,” by 2022, identity-as-a-service (IDaaS), also known as cloud IAM, will be the chosen delivery model for more than 80 percent of new access management purchases globally, up from 50 percent today.
Reducing the complexity and cost of managing and operating legacy, on-premises IAM programs often drives the need to move to a modern, cloud-based IAM architecture. Many organizations carry a good deal of technical debt: their investment in IAM infrastructure is too low to keep their solutions up to date over time, and the cost of upgrading these on-premises deployments becomes prohibitive. As a result, cloud-delivered functionality becomes an attractive way to complement, augment and even replace legacy IAM functionality that is weighed down by this technical debt. This is in addition to the many benefits of migrating IAM functionality to the cloud, including cost-efficiency, flexibility, faster deployments and simplified operations.
However, there are some significant challenges associated with moving to a cloud IAM solution, especially for larger organizations with complex operations, IT landscapes or organizational structures. Adapting to a technology platform with less room for customization requires trade-offs to make it the right solution for your organization, and both the organization and its IAM staff will have to work differently than they are used to.
Your organization will need to plan, design, deploy and operate a cloud-based solution, often alongside existing architecture in a hybrid manner, so IAM processes and security policies will have to change substantially. The specific challenges depend on the requirements of your core IAM team, stakeholders and end users.
With all that in mind, let’s explore some steps you can take to make your transition to cloud IAM easier.
Find the Right Cloud IAM Strategy
To identify the right cloud IAM strategy for your organization, you will need to balance the requirements of many different stakeholders. First, many security and IT executives across industries are defining cloud initiatives for their organizations — these are the directives that govern how IT should navigate the evolution of its ecosystem, and they can look different for every organization. These initiatives are often shaped by compliance requirements, the privacy requests of strategic partners and other third parties, and the organization’s overall business strategy.
Next, understand the needs and expectations of your various user populations. Any major technology change in your organization will likely impact the way your end users access their resources, how IAM administrators perform identity management workflows and how auditors receive reports, just to name a few. That’s why you need to make sure any solution you design addresses these users’ most important requirements if you want to see successful adoption. This focus on user outcomes and how they relate to business goals is what drives Enterprise Design Thinking.
Lastly, these requirements must be balanced against the realities of your current business processes and IT architecture. Many organizations have requirements for IAM workflows, including approval, provisioning and onboarding, that drive heavy customization of the legacy on-premises architecture. Often, these customizations are not available in cloud-delivered services, and teams must decide whether to keep these capabilities on-premises or adapt their business processes to the realities of the cloud-delivered tools. Many cloud-delivered solutions also have limited support for custom legacy deployments, which may make it difficult to integrate things like on-premises custom apps. In these situations, it’s important to assess the current IT landscape and build a technical solution that meets the requirements within the constraints of the cloud service.
Once you have weighed these three sets of requirements, you can identify which IAM capabilities will stay on-premises and which will be delivered from the cloud, and create a future-state, programwide architecture. For example, access management functions such as federated single sign-on (SSO) and multifactor authentication (MFA) may be delivered from the cloud, while functions like role management and provisioning might remain on-premises. It all depends on the requirements and on the feasibility of migrating each capability to the cloud.
Design and Deploy a New Cloud IAM Solution
There may be pressure from business leaders to migrate to the cloud as soon as possible to lower infrastructure costs and overall technical debt. But to do so without disrupting business operations and risking the success of the project requires a thoughtful approach to designing and deploying the right cloud IAM infrastructure.
First, stay closely aligned with users to make sure their requirements are captured at each phase of the project to help the technical teams design a phased project approach that is minimally disruptive to these users. Like in the previous step, Enterprise Design Thinking can help uncover these user needs and ensure they stay top of mind.
Second, leverage prebuilt use cases following industry best practices to help speed up deployment efforts and deliver a secure and usable solution. Combined with an agile approach, this can speed up the delivery of functionality.
Lastly, prioritize a rollout schedule to deliver success early. A good practice is to start with the easy integrations, such as SSO for Security Assertion Markup Language (SAML)-enabled software-as-a-service (SaaS) apps, to build trust in the project and keep stakeholders engaged and invested in its success.
Continuously Improve and Optimize Your Cloud IAM Solution
A successful transition to cloud IAM requires ongoing, day-to-day management of your new solution. These efforts should focus on driving continuous improvement in the new environment. An organization cannot simply adopt a set-it-and-forget-it mindset. As the organization expands its cloud footprint, the IAM team should focus on prioritizing integrations and onboarding new assets into the new cloud-based IAM environment.
It’s important to consider how the organization will retrain and redeploy its IAM talent. Staff with traditional on-premises experience will need training and development on the new cloud-based IAM architecture and processes. Especially during periods of dramatic technology transition, there is always a risk that employees will leave.
Therefore, it’s important to set up clear roles and responsibilities tailored to the skill sets of your current IAM talent. In doing so, you may help mitigate the loss of these important and limited resources for your organization.
Services such as IBM Cloud Identity and Access Management Services can facilitate a smooth IAM program transformation by helping security teams find, deploy and operate the right cloud IAM strategy and tools regardless of their deployment model. This support enables IAM and security managers to focus on user outcomes, accelerate cloud IAM deployments and their integration with existing IAM processes, and optimize and continuously improve overall IAM operations.