What is Identity and Access Management (IAM) modularization? Is it a consideration in the enterprise-level solution selection process? Should it be?
We spoke to Dr. Martin Kuhlmann, Lead Solution Consultant at identity and access management solution provider Omada, about the modularization of IAM and what it might mean for the future of identity.
Here’s our conversation, edited slightly for readability:
Solutions Review: What is the modularization of IAM tasks? Is it part of the current discourse in IAM or is it upcoming?
Martin Kuhlmann: Identity and access management has become a very broad field comprising multiple activities. This means that instead of implementing IAM just as a single block, companies are prioritizing their needs, security architects are structuring the different building blocks, and software vendors specialize in specific IAM aspects or provide modularized suites of products. In this sense, we observe a growing modularization in the IAM space.
In response to the first question, [here are] some examples of those building blocks:
- End-users want to use different applications seamlessly, pushing the innovations of authentication and single sign-on technologies.
- Compliance regulations and security concerns require comprehensive reporting, auditing, and governance capabilities.
- Access management workflows have become more versatile to provide coverage for employees, business partners, and customers.
- Customer identity and access management (CIAM) features rapidly evolving capabilities, leaning in the direction of “consumer relationship management.”
Even basic infrastructure tasks like data consolidation, synchronization, and reconciliation have become more complex since solutions providers have to manage a hybrid world with on-premises and cloud platforms [in many enterprises’ IT architectures].
In the future, each of these areas will be enhanced even more—for example with blockchain technology—by integrating user behavioral analytics or by incorporating automated decision-making. Special, feature-rich products have emerged for some of these areas, while some vendors offer “all-in-one” suites.
The questions enterprises face now are which approach to take, which priorities to set, and which product set to go for.
This is not just a “best-of-breed” vs. “suite” decision. The question really is: How much should the IAM architecture be modularized, and what should ideally be covered by integrated solutions?
SR: How would you define the single comprehensive approach?
MK: I think in the scenario I described above, with its many different activities, there isn’t a singular comprehensive approach.
The question is rather: Which kinds of integrated building blocks should be created? Which architecture provides the best balance between modularization and integration and can easily be operated?
SR: How do modularization and the comprehensive approach compare? What do they offer that the other cannot?
MK: I’ll give four examples regarding the level of modularization:
The business requirements of access management and access auditing are tightly connected. For example, auditors require that access request processes should be the same as re-certification processes. The access audits are based on the “real” access rights from the IT systems. [Your IT security team can] compare these rights with the “desired state” represented by access approvals and access provisioning policies. Therefore, the access management, auditing, and synchronization activities form a natural architectural building block.
While single sign-on is based on the notion of an overarching identity, and in many cases requires the provisioning of accounts and access to the involved IT systems, single sign-on usually only has a few integration points with access management.
The management of millions of consumer identities is still, and over the next few years will be, very different from enterprise IAM – it should be implemented in a separate initiative. This may look different for corporate customer scenarios.
Sometimes, a single product needs add-ons to provide a logically comprehensive feature set. There are platforms and IT solutions on the market which have some IAM features built-in but are lacking some essential things. In those cases, specialized add-on products can be used as an “add-on module.”
SR: Is one better suited to cloud adoption or digital transformation?
MK: Cloud adoption and digital transformation lead to additional capabilities and feature sets in IAM. These trends make it more urgent to think about the right level of modularization.
SR: Does the modularization of IAM tasks constitute more decentralization in the IT environment? And if so, how could that benefit enterprises?
MK: Yes, it creates a cleaner, de-coupled architecture. This architecture can be operated more easily and increases security. And yes, companies can choose a best-of-breed product for each module.
Thanks to Dr. Martin Kuhlmann of Omada for his time and expertise!