In addition to the dynamic threat environment, technology and business trends are driving the need for a more focused approach to Identity and Access Management (IAM). Unfortunately, with time and resources in high demand, most companies are in reactive mode, implementing a point solution to meet the newest threat or the most pressing business requirement.
Defining an IAM architecture and implementation roadmap may seem like a daunting task, but it is important for any organization that is facing the demands of diverse device types and access points, expanding application hosting platforms and distributed user communities. As organizations embrace cloud and mobile and extend their online presence to customers and partners, IAM plays a major role in securing IT resources. Traditional processes such as authentication via a login form, onboarding new customers or verifying access permissions are now more complex, and that complexity contributes to an increased attack surface.
An IAM Reference Architecture is the first step in your journey to a secure IAM infrastructure. A complete reference architecture consists of the following core elements:
Access via single sign-on (SSO) & federation
Processes and procedures for administering access to IT resources. Challenges organizations face may include: (i) authentication mechanisms may differ between cloud providers, (ii) different levels of assurance for authentication may be required, (iii) access rights to IT resources must be agreed upon between the cloud provider and the organization, (iv) workforce SSO may have fundamentally different requirements than business partner and consumer federation to services, and (v) organizations may need to host multiple services for multiple business partners, which requires multi-tenancy.
User provisioning and de-provisioning
Identity Lifecycle Management of users (e.g. workforce, business partners, and customers). Provisioning (and de-provisioning) defines the processes and procedures to create, update, and terminate users across the portfolio of on-premise applications and cloud providers. Challenges organizations face may include: (i) technologies and standards for provisioning are often different across cloud providers, making it complex to deliver an automated solution, (ii) business requirements for onboarding processes may not be well defined and may be difficult to automate, and (iii) processes for termination and de-provisioning are often overlooked, particularly how to deal with the data and the access rights to information that the terminated user managed.
Capabilities that allow users to securely register for access, manage passwords, and reset forgotten credentials through a series of secure answers that validate the identity of the user. Challenges organizations may face include: (i) finding identity-proofing information that is unique to the individual and cannot be derived from information published on the internet, and (ii) choosing the types of technology to support users, such as SMS text, email notification, or voice.
User credential store
Management of the user community. Organizations need to understand the geographic distribution of users, scale/number of users to manage, and policies unique to users in order to choose the right type of technology that will support the overall IAM reference architecture.
Governance with auditing and reporting
Policies and procedures related to the identity lifecycle that govern access to systems. This includes ongoing actions such as re-certification or attestation of access. Understanding the processes for compliance and governance of access is a challenge many organizations face today, as these processes are often manually intensive and error prone. Automating these processes greatly increases the overall security of the organization and of the IAM architecture that protects IT resources.
Monitoring and analytics
Continuous monitoring for misused or compromised credentials, risk ratings of users, and access to applications and cloud providers. Challenges organizations face include: (i) knowing that users are accessing sanctioned applications and not proliferating unsanctioned cloud applications, (ii) detection of compromised credentials to stop data thieves in their tracks, (iii) detection of elevated privileges of administrators and users, and (iv) detection of orphaned accounts across the organization.
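The de-provisioning gaps, access re-certification and orphaned-account detection described above all reduce to the same reconciliation: compare what the authoritative identity source says against what each application actually has, then check recent authentication events against that result. The script below is an added example, not code from the original post or from any product; the HR roster, application account lists, authentication events and the 180-day certification window are constructed sample data and assumed policy, not values from the page.

```python
from datetime import date, timedelta

# Constructed sample data (not from the original post).
# HR roster: the authoritative source of who is an active member of the workforce.
HR_ROSTER = {
    "alice": {"status": "active", "dept": "finance"},
    "bob":   {"status": "terminated", "dept": "engineering"},
    "carol": {"status": "active", "dept": "it"},
}

# What each application (on-premise or cloud) reports as its local accounts,
# including whether the account is privileged and when it was last attested.
APP_ACCOUNTS = {
    "payroll-saas": [
        {"user": "alice",      "privileged": False, "last_certified": date(2024, 1, 10)},
        {"user": "bob",        "privileged": True,  "last_certified": date(2023, 6, 1)},
        {"user": "svc-report", "privileged": True,  "last_certified": date(2023, 2, 1)},
    ],
    "crm-cloud": [
        {"user": "carol", "privileged": True,  "last_certified": date(2024, 3, 15)},
        {"user": "dave",  "privileged": False, "last_certified": date(2024, 2, 1)},
    ],
}

# A few successful SSO authentication events (constructed).
AUTH_EVENTS = [
    {"user": "alice", "app": "payroll-saas", "result": "success"},
    {"user": "bob",   "app": "payroll-saas", "result": "success"},
    {"user": "carol", "app": "crm-cloud",    "result": "success"},
]


def orphaned_accounts(roster, accounts):
    """Accounts with no active owner in the authoritative source.

    Returns (app, user, reason) tuples: either the account has no HR record
    at all (service accounts, leftovers from manual onboarding) or its owner
    is terminated and de-provisioning never reached this application.
    """
    findings = []
    for app, entries in accounts.items():
        for acct in entries:
            owner = roster.get(acct["user"])
            if owner is None:
                findings.append((app, acct["user"], "no owner in HR source"))
            elif owner["status"] != "active":
                findings.append((app, acct["user"], "owner terminated; deprovision"))
    return findings


def terminated_user_logins(roster, events):
    """Successful logins by identities HR marks as terminated.

    Either the credential is being misused or de-provisioning was missed;
    both warrant an immediate response rather than a periodic review.
    """
    return [
        (e["user"], e["app"])
        for e in events
        if e["result"] == "success"
        and roster.get(e["user"], {}).get("status") == "terminated"
    ]


def stale_privileged_certifications(accounts, today, max_age_days=180):
    """Privileged entitlements not re-certified within the policy window.

    Returns (app, user, days_since_certification) for each stale entitlement.
    """
    cutoff = today - timedelta(days=max_age_days)
    return [
        (app, a["user"], (today - a["last_certified"]).days)
        for app, entries in accounts.items()
        for a in entries
        if a["privileged"] and a["last_certified"] < cutoff
    ]


def governance_report(roster, accounts, events, today):
    """Bundle the three checks so they can be scheduled and alerted on together."""
    return {
        "orphaned": orphaned_accounts(roster, accounts),
        "terminated_logins": terminated_user_logins(roster, events),
        "stale_privileged": stale_privileged_certifications(accounts, today),
    }


if __name__ == "__main__":
    for section, rows in governance_report(HR_ROSTER, APP_ACCOUNTS, AUTH_EVENTS, date(2024, 4, 1)).items():
        print(section)
        for row in rows:
            print("  ", row)
```

The value of the reconciliation comes from treating HR (or whichever system the organization designates) as the single source of truth and pulling account inventories from every application, including cloud providers that cannot be provisioned through a common standard; the orphaned-account check then catches exactly the de-provisioning failures that manual termination processes tend to miss.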
Now that you have your future state architecture, how do you get from your current, out-of-date architecture to IAM nirvana? As you work through the implementation roadmap, you will see that boundaries are blurring, and the definition of who owns and is accountable for the resources is not completely clear-cut. A key outcome of the roadmap exercise will be a realignment and clarification of roles and responsibilities for managing IT resources, which will position you to meet future requirements.
You’ve created and implemented the blueprint, so now it’s time to head off and cruise Alaska, right? Not really. Well maybe, but given the constantly changing technology landscape and threat vectors, it’s important to evaluate and refresh the roadmap every 2-3 years.
As an enterprise architect, I have realized the benefits of reference architectures that include design patterns, methodologies, standards and documentation. We have extended that concept to include the key processes and technologies that implement a modern IAM system designed to meet the needs of your entire organization and evolving business requirements. Our goal is to help you deliver a reliable, agile, resilient, best of breed architecture that can meet the business and security needs of the entire enterprise now and in the future.