Dismantling Your Legacy Identity Management

Posted on by Steve Tout in Architecture Guidance,Current Events

The stars are not wanted now: put out every one;
Pack up the moon and dismantle the sun;
Pour away the ocean and sweep up the wood.
For nothing now can ever come to any good.
W. H. Auden

If you have ever (or currently do) feel that way about your Oracle or legacy IdM solution, you are not alone. The billion dollar Identity Management industry is being turned upside down by the tidal waves of distributed, claims based identity. Identity management vendors (one of which owned by VMware itself) sprung up to service the SaaS apps and the customers who require a scalable and secure way to access their applications and data in the cloud. Cost savings realized by moving corporate applications and compute to SaaS and PaaS outside of the firewall has been a strong driver for cloud based access management and SSO, but given a few years and dozens of success stories later, many companies still struggle with the “albatross round your neck” syndrome with the multi-million dollar legacy/enterprise IdM systems still in place, and finding it difficult if not impossible to get rid of.

If you look closely, the likely reasons that organizations will consider dismantling legacy Identity Management systems are understandable, and likely among them are:

  • Only using a fraction of the capabilities
  • Using it less as more of your applications and compute goes outside the firewall in favor of more cost effective SaaS/PaaS models for application and services
  • The more you consume now, the harder (and more expensive) glazed_doughnutsit will be to migrate later
  • There are some things it is not good at (like provisioning, or federated SSO) and the only way to get those capabilities is to buy and integrate more of the legacy vendor’s offering
  • Lack of support for the latest identity standards, like SAML 2.0, OAuth2, SCIM, etc…

While I can understand the dollar signs flashing in the executives eye, we all need to take a healthy dose of reality and remind ourselves that these systems were built over many years and have many dependencies that will ultimately impact and may cause serious disruptions to the enterprise applications if not managed well. And while money may be one driver for a rip-and-replace, I am sure there are other valid reasons as well (like competitive or strategic ones) so to each their own.

The Road Ahead

While I missed the chance a few weeks ago to make my new year predictions about the future of identity management along with my colleagues, I am sure a lot of new opportunities for small and medium sized businesses and enterprises who will have a much easier time adopting cloud-based offerings such as (Identity-as-a-service) IdaaS. It is also evident that much will also remain the same. For enterprises, this is good news because the migration away from legacy IdM vendors can be done one step at a time, and the benefits measurable from the standpoint of economics of SaaS (pay-as-you-go) apps vs custom developed or monolithic enterprise ERP or HR applications.

With the onset of projects aimed at replacing and/or updating legacy IdM systems, I would like to offer the following suggestions that I hope will keep organizations and IT architects on a path to success:

  • There will continue to be a need for some kind of enterprise IdM systems. Even if that means (as an Identity Provider both inside and outside of the firewall) having basic LDAP repositories on your network to maintain a single source of truth for the password + entitlements of your employees, customers and partners. This will ensure that an organization can keep control over hard authentications and avoid the hassle of making 3rd parties liable, or finding and implementing some kind of audit/compliance solution elsewhere. GRC solutions in the cloud, though not impossible, is more difficult to pull off because the value is proportional to the number of applications (or identities) connected to it, and they might not all be SaaS apps.
  • Enterprise-washing cloud IdM systems is not the answer. Just as the early SaaS/IdaaS vendors would lay claims against enterprise vendors for cloudwashing their products, each will have to co-exist going forward, though in a greater or lesser extent. If a SaaS or PaaS vendor even has the right mind-set about how their product can and will be used, then the model will be more like bring-your-own-identity and they should not see much value at all in owning the identity of your users especially if they support multiple identity protocols such as SAML or OAuth.
  • There is a new category of appliance that will find its way permanently into Identity architectures that connects enterprises with the cloud and cloud to the enterprise. Embrace them! Companies like Layer7’s SOA Gateway, Radiant Logic’s Cloud Federation Service, or Vordel Security Token Service (and of course, many others as well!) which all exist to bridge the cloud and the enterprise and ensures interoperability of security protocols to provisioning and de-provisioning processes and higher levels of security and assurance.

drive-fast-in-california

While there are a lot of innovations that organizations can embrace to provide a more secure and scalable Identity Management service, for example the core identity service of cloudfoundry.com has supported SCIM, OAuth2 and partial OpenID Connect since March 2012, the speed of migration should be manageable due to human resources, scale of a company’s existing integrations and other variables that are likely unique to each business. Taking a step-wise approach to migrating applications to a SaaS based model while riding out an existing ELA should offer sufficient time to consider more cost-effective solutions that might replace legacy investments with, while keeping an eye on how to modernize your infrastructure economically as well.

The days of the tightly coupled identity management suites are over. Long live layered, loosely coupled, standards based security and identity management! Please leave feedback!

Subscribe to Forteadvisory group news