Whatever organization you’re a part of, there’s sure to be some sort of identity and access management (IAM) solution at work. This can range from an Active Directory solution to a full-fledged identity governance and administration (IGA) solution. But the real question is whether you’re getting tangible value out of the IAM solution you currently use — and whether managed IAM might help.

Running an IAM solution is not always easy, however. The following challenges can make it difficult for security and business leaders to focus on the value of such a solution:

  • Pressure to reduce cost. If an IAM solution runs well, it’s often seen as too costly. A well-functioning IAM solution becomes invisible, or frictionless, as it orchestrates access behind the scenes without bothering the end user. This also means management doesn’t see the solution at work, and might therefore assume it’s easy to maintain.
  • The IT skills gap. It’s getting increasingly difficult to find and retain the right people to maintain your solution, especially if you want to run a service with real-time support.
  • Increasing solution maturity and service level. Stakeholders expect the same level of service they get from providers elsewhere, including 24/7 support and an evolving, state-of-the-art solution.

Many IAM challenges revolve around operational activities, which is where most organizations are putting the majority of their efforts. Most of the work is some form of firefighting: resolving incoming incidents, deploying the next patch, etc. This prevents organizations from addressing the underlying issues or talking to their business units to identify and act upon the next task.

What Does a Full IAM Solution Involve?

So how does a managed IAM service help address these challenges?

To explain clearly what operating an IAM solution entails — and which parts you might be able to have someone else manage for you — start by splitting the activities into layers. There are multiple ways to visualize it, but a stack-based model (see figure below) accurately builds from the infrastructure components on the bottom up to the governance activities at the top.

Each layer is connected, with the top layers building on the layers underneath. In the same way, the top layer provides direction on how the lower layers evolve.

The bottom layer involves hosting and hardware/operating system (OS). Often, organizations have an outsourced provider that takes care of these. Next is the middleware and databases, which are usually application-specific and supported or directed by the IAM teams. Then comes the IAM application layer, which involves the heavy lifting required to keep the solution running: deployment of application patches, changes in functionality, backup, monitoring, etc.

Toward the top, the functional management layer includes the oversight of functionality provided by the landscape today as well as in the future. It works with business stakeholders on improvements and projects, such as extending user self-service functions. At the top is the overall ownership of the IAM landscape, governing between the different application owners involved.

How Does Managed IAM Work?

A managed IAM solution typically focuses on the middle components of the stack, effectively keeping the solution running so your teams can focus on what comes next: which capabilities you should develop, where your business needs to evolve and so on.

An effective methodology to deliver managed IAM services follows a phased approach, described in further detail below.

1. Take Over the Current Solution

From day one, your managed IAM service team begins transferring knowledge from the current team. The service team also looks for quick improvements and determines which patches need to be deployed.

A client might be running a specific technology, with most of its resources focused on keeping that technology running. Even if the company would like to build a new solution on a different technology platform — or just evolve what it has — it wouldn’t have the people to do it. This model relieves the current team of its workload, allowing it to focus on extending and evolving, or even building an entirely new solution.

2. Stabilize the Platform

If the client wishes to keep an existing solution, the service team implements changes to reduce incidents and reach service level objectives (SLOs), typically based on an analysis of the tickets raised in the past and feedback from current staff members. Oftentimes, the staff has been working on keeping the solution afloat rather than making it better. A thorough analysis of where this effort goes and any recurring issues allows the service team to reduce the number of tickets and increase the solution’s availability.

3. Transform

If the client wishes to transition to a new solution, the service team builds it. With help from existing staffers freed up by the management service, the service team gathers the requirements, designs the future solution (or existing solution improvements), and starts the actual build and deployment. This takes place while the run team operates the current solution.

4. Improve

Finally, the service team launches continuous cycles to improve the IAM landscape and operations. An IAM solution isn’t finalized after its delivery; the service team continues to look at the number and types of incidents involving the solution to figure out where it can improve. The service team also works with the current team to determine what additional functionality is needed and which applications should be integrated. This is where an IAM road map becomes beneficial.

These managed IAM models can be operated through a global delivery center or within the European Union (EU) — depending on a customer’s regulatory needs, including the General Data Protection Regulation (GDPR) — making them a flexible and valuable option for improving an organization’s IAM capabilities and solutions.
