Developing a Reference Architecture for a Modernized IAM Approach

If you work in enterprise IT, every day you are reminded that the corporate ecosystem is becoming more complex, more distributed and therefore, more vulnerable. The marketing organization has just licensed another unsanctioned cloud application for storing corporate digital assets. Your newest business partner has had a breach that could very likely impact you. Sound familiar?

In addition to the dynamic threat environment, technology and business trends are driving the need for a more focused and modernized approach to identity and access management (IAM). Unfortunately, with time and resources in high demand, most companies are in reactive mode, implementing a point solution to meet the newest threat or most important business requirement.

Defining an IAM architecture and implementation roadmap may seem like a daunting task, but it is important for any organization that is facing the demands of diverse device types and access points, expanding application hosting platforms and distributed user communities. As organizations embrace cloud and mobile and extend their on-line presence to customers and partners, IAM plays a major role in securing IT resources. Traditional processes such as authentication via a login form, onboarding new customers or verifying access permissions are more complex, contributing to an increased attack surface.

An IAM Reference Architecture is the first step in your journey to a modernized infrastructure. A complete reference architecture consists of the following core elements:

Access via Single Sign-On (SSO) and Federation. Processes and procedures for administering access to IT resources. Challenges organizations face may include: (i) authentication may differ between cloud providers, (ii) different levels of assurance for authentication may be required, (iii) authorization to IT resources must be agreed upon between cloud provider and the organization, (iv) workforce SSO may have fundamentally different requirements than business partner and consumer federation to services, and (v) organizations may need to host multiple services for multiple business partners that requires multi-tenancy.

User Provisioning and De-provisioning. Identity Lifecycle Management of users (e.g. workforce, business partners, and customers). Provisioning (and de-provisioning) defines the processes and procedures to create users, update users, and terminate users across the portfolio of on-premise applications and cloud providers. Challenges organizations face may include: (i) technologies and standards for provisioning are often different across cloud providers making it complex to deliver an automated solution, (ii) business requirements for on-boarding processes may not be formalized and difficult to automate, and (iii) processes for termination and de-provisioning are often overlooked from the perspective of how to deal with data and user rights of information managed by the terminated user.

Self-Service Management. Capabilities that allow users to securely register for access, manage passwords, and reset forgotten credentials through a series of secure answers that validate the identity of the user. Challenges organizations may face include: (i) information for identity proofing an individual that is unique and difficult to compromise based on information published on the internet, and (ii) types of technology to support users such as SMS Text, Email notification, or voice.

User Credential Store. Management of the user community. Organizations need to understand the geographic distribution of users, scale/number of users to manage, and policies unique to users in order to choose the right type of technology that will support the overall IAM reference architecture. See my blog Choosing a Customer Credential Store, which focuses on the decision between Active Directory, LDAP, or a Database for managing users.

Governance with Auditing and Reporting. Policies and procedures related to the identity lifecycle that governs access to systems. Includes ongoing actions such as recertification of access or attestation of access. Understanding the processes for compliance and governance of access is a challenge many organizations face today, as these processes are often manually intensive and error prone. The automation of these processes greatly increases overall security of the organization and IAM architecture that protects IT resources.

Monitoring and Analytics. Continuous monitoring for misused or compromised credentials, risk ratings of users, as well as access to applications and cloud providers. Challenges that organizations face include: (i) knowing that users are accessing sanctioned applications and not proliferating unsanctioned cloud applications, (ii) detection of compromised credentials to stop data thieves in their tracks, (iii) detection of elevated privileges of administrators and users, and (iv) detection of orphaned accounts over the organization.

IAM Reference Archtecture

Now that you have your future state architecture, how do you get from your current out of date architecture to IAM nirvana? As you work through the implementation roadmap, you will see that boundaries are blurring, and the definition of who owns and is accountable for the resources is not completely clear-cut. A key outcome of the roadmap exercise will be a realignment and clarity of roles and responsibilities for managing IT resources that will position you for meeting the future requirements.

You’ve created and implemented the blueprint, so now it’s time to head off and cruise Alaska, right? Not really. Well maybe, but given the constantly changing technology landscape and threat vectors, it’s important to evaluate and refresh the roadmap every 2-3 years.

As an enterprise architect, I have realized the benefits of reference architectures that include design patterns, methodologies, standards and documentation. We have extended that concept to include the key processes and technologies that implement a modern IAM system designed to meet the needs of your entire organization and evolving business requirements. Our goal is to help you deliver a reliable, agile, resilient, best of breed architecture that can meet the business and security needs of the entire enterprise now and in the future.

Rate this blog entry:
1