Whatever organization you’re a part of, there’s sure to be some sort of identity and access management (IAM) solution at work. This can range from an Active Directory deployment to a full-fledged identity governance and administration (IGA) solution. But the real question is whether you’re getting tangible value out of the IAM solution you currently use — and whether managed IAM might help.

Running an IAM solution is not always easy, however. The following challenges can make it difficult for security and business leaders to focus on the value of such a solution:

  • Pressure to reduce cost. If an IAM solution runs well, it’s often seen as too costly. A well-functioning IAM solution becomes invisible, or frictionless, as it orchestrates access behind the scenes without bothering the end user. This also means management doesn’t see the solution at work, and might therefore assume it’s easy to maintain.
  • The IT skills gap. It’s getting increasingly difficult to find and retain the right people to maintain your solution, especially if you want to run a service with real-time support.
  • Increasing solution maturity and service level. Stakeholders expect the same level of service they get from providers elsewhere, including 24/7 support and an evolving, state-of-the-art solution.

Many IAM challenges revolve around operational activities, which is where most organizations are putting the majority of their efforts. Most of the work is some form of firefighting: resolving incoming incidents, deploying the next patch, etc. This prevents organizations from addressing the underlying issues or talking to their business units to identify and act upon the next task.

What Does a Full IAM Solution Involve?

So how does a managed IAM service help address these challenges?

To explain clearly what operating an IAM solution entails — and which parts you might be able to have someone else manage for you — start by splitting the activities into layers. There are multiple ways to visualize it, but a stack-based model (see figure below) accurately builds from the infrastructure components on the bottom up to the governance activities at the top.

Each layer is connected, with the top layers building on the layers underneath. In the same way, the top layer provides direction on how the lower layers evolve.

The bottom layer involves hosting and hardware/operating system (OS). Often, organizations have an outsourced provider that takes care of these. Next is the middleware and databases, which are usually application-specific and supported or directed by the IAM teams. Then comes the IAM application layer, which involves the heavy lifting required to keep the solution running: deployment of application patches, changes in functionality, backup, monitoring, etc.

Toward the top, the functional management layer includes the oversight of functionality provided by the landscape today as well as in the future. It works with business stakeholders on improvements and projects, such as extending user self-service functions. At the top is the overall ownership of the IAM landscape, governing between the different application owners involved.

How Does Managed IAM Work?

A managed IAM solution typically focuses on the middle components of the stack, effectively keeping the solution running so your teams can focus on what comes next: which capabilities you should develop, where your business needs to evolve and so on.

An effective methodology to deliver managed IAM services follows a phased approach, described in further detail below.

1. Take Over the Current Solution

From day one, your managed IAM service team begins transferring knowledge from the current team. The service team also looks for quick improvements and identifies which patches need to be deployed.

A client might be running a specific technology, with most of its resources focused on keeping that technology running. Even if the company would like to build a new solution on a different technology platform — or just evolve what it has — it wouldn’t have the people to do it. This model relieves the current team of its workload, allowing it to focus on extending and evolving, or even building an entirely new solution.

2. Stabilize the Platform

If the client wishes to keep an existing solution, the service team implements changes to reduce incidents and reach service level objectives (SLOs), typically based on an analysis of the tickets raised in the past and feedback from current staff members. Oftentimes, the staff has been working on keeping the solution afloat rather than making it better. A thorough analysis of where this effort goes and any recurring issues allows the service team to reduce the number of tickets and increase the solution’s availability.

3. Transform

If the client wishes to transition to a new solution, the service team builds it. With help from existing staffers freed up by the management service, the service team gathers the requirements, designs the future solution (or existing solution improvements), and starts the actual build and deployment. This takes place while the run team operates the current solution.

4. Improve

Finally, the service team launches continuous cycles to improve the IAM landscape and operations. An IAM solution isn’t finalized after its delivery; the service team continues to look at the number and types of incidents involving the solution to figure out where it can improve. The service team also works with the current team to determine what additional functionality is needed and which applications should be integrated. This is where an IAM road map becomes beneficial.

These managed IAM models can be operated through a global delivery center or within the European Union (EU) — depending on a customer’s regulatory needs, including the General Data Protection Regulation (GDPR) — making them a flexible and valuable option for improving an organization’s IAM capabilities and solutions.
