Making the Business Case for Managed IAM Solutions

Whatever organization you’re a part of, there’s sure to be some sort of identity and access management (IAM) solution at work. This can range from an active directory solution to a full-fledged identity governance and administration (IGA) solution. But the real question is whether you’re getting tangible value out of the IAM solution you currently use — and whether managed IAM might help.

Running an IAM solution is not always easy, however. The following challenges can make it difficult for security and business leaders to focus on the value of such a solution:

  • Pressure to reduce cost. If an IAM solution runs well, it’s often seen as too costly. A well-functioning IAM solution becomes invisible, or frictionless, as it orchestrates access behind the scenes without bothering the end user. This also means management doesn’t see the solution at work, and might therefore assume it’s easy to maintain.
  • The IT skills gap. It’s getting increasingly difficult to find and retain the right people to maintain your solution, especially if you want to run a service with real-time support.
  • Increasing solution maturity and service level. Stakeholders expect the same level of service they get from providers elsewhere, including 24/7 support and an evolving, state-of-the-art solution.

Many IAM challenges revolve around operational activities, which is where most organizations are putting the majority of their efforts. Most of the work is some form of firefighting: resolving incoming incidents, deploying the next patch, etc. This prevents organizations from addressing the underlying issues or talking to their business units to identify and act upon the next task.

What Does a Full IAM Solution Involve?

So how does a managed IAM service help address these challenges?

To explain clearly what operating an IAM solution entails — and which parts you might be able to have someone else manage for you — start by splitting the activities into layers. There are multiple ways to visualize it, but a stack-based model (see figure below) accurately builds from the infrastructure components on the bottom up to the governance activities at the top.

Making a Business Case for Managed IAM

Each layer is connected, with the top layers building on the layers underneath. In the same way, the top layer provides direction on how the lower layers evolve.

The bottom layer involves hosting and hardware/operating system (OS). Often, organizations have an outsourced provider that takes care of these. Next is the middleware and databases, which are usually application-specific and supported or directed by the IAM teams. Then comes the IAM application layer, which involves the heavy lifting required to keep the solution running: deployment of application patches, changes in functionality, backup, monitoring, etc.

Toward the top, the functional management layer includes the oversight of functionality provided by the landscape today as well as in the future. It works with business stakeholders on improvements and projects, such as extending user self-service functions. At the top is the overall ownership of the IAM landscape, governing between the different application owners involved.

How Does Managed IAM Work?

A managed IAM solution typically focuses on the middle components of the stack, effectively keeping the solution running so your teams can focus on what comes next: which capabilities you should develop, where your business needs to evolve and so on.

An effective methodology to deliver managed IAM services follows a phased approach, described in further detail below.

1. Take Over the Current Solution

Starting on day one, your managed IAM service team starts to transfer knowledge from the current team. The service team also looks for quick improvements, as well as which patches need to be deployed.

A client might be running a specific technology, with most of its resources focused on keeping that technology running. Even if the company would like to build a new solution on a different technology platform — or just evolve what it has — it wouldn’t have the people to do it. This model relieves the current team of its workload, allowing it to focus on extending and evolving, or even building an entirely new solution.

2. Stabilize the Platform

If the client wishes to keep an existing solution, the service team implements changes to reduce incidents and reach service level objectives (SLOs), typically based on an analysis of the tickets raised in the past and feedback from current staff members. Oftentimes, the staff has been working on keeping the solution afloat rather than making it better. A thorough analysis of where this effort goes and any recurring issues allows the service team to reduce the number of tickets and increase the solution’s availability.

3. Transform

If the client wishes to transition to a new solution, the service team builds it. With help from existing staffers freed up by the management service, the service team gathers the requirements, designs the future solution (or existing solution improvements), and starts the actual build and deployment. This takes place while the run team operates the current solution.

4. Improve

Finally, the service team launches continuous cycles to improve the IAM landscape and operations. An IAM solution isn’t finalized after its delivery; the service team continues to look at the number and types of incidents involving the solution to figure out where it can improve. The service team also works with the current team to determine what additional functionality is needed and which applications should be integrated. This is where an IAM road map becomes beneficial.

These managed IAM models can be operated through a global delivery center or within the European Union (EU) — depending on a customer’s regulatory needs, including the General Data Protection Regulation (GDPR) — making them a flexible and valuable option for improving an organization’s IAM capabilities and solutions.

Discover How Managed IAM Can Transform Your Security Ops

Bert Vanspauwen

European Competence Leader Identity & Access Management - Security Services

Bert is an associate partner within IBM Security Services. Bert holds a strong background in security including...