As organizations continue their digital transformation journeys, many teams are attempting to bring their legacy solutions along for the ride. Yet, one major challenge continues to puzzle Identity-and-Access Management (IAM) teams – legacy solutions lacking cloud compatibility.
Moving to the cloud has been a top priority for teams, yet enterprises find it difficult to walk away from their legacy solutions, especially when considering the amount of financial and technical investments already spent on their legacy tech stack. However, transitioning IAM to the cloud reaps rewards such as utilizing unlimited data storage potential, saving time, enabling a software-defined approach, and more. So, as your organization begins to set up for this process, here’s what you need to keep in mind to undergo a successful transition.
SecurityInfoWatch.com (SIW) and editorial director Steve Lasky recently collected comments from Jeff Broberg to help our audience better understand this evolving migration. Jeff is a director of product management with more than 30 years of experience. Prior to joining Styra, Jeff was at SecureAuth, OneLogin and CA Technologies, where he was involved with their authentication and identity management solutions.
SIW -- Moving to the cloud has become a top focus for organizations yet moving legacy solutions can be quite the challenge. How can Identity-and-Access Management (IAM) teams and IT leaders create a smooth transition?
Broberg -- As we all know, moving an application to the cloud can be full of compromises – do you work off a clean slate, or do you alter your current composition to accommodate the cloud? In many cases, the previous investment in legacy solutions hampers a clean slate approach. This makes it important for IAM teams and IT leaders to first uncover and understand what exactly is holding them back from properly integrating into a cloud-native environment. Specifically, they need to understand the software architecture as well as all of the areas that tie the application to their infrastructure or data sources on-premise.
In the case of IAM, we see entitlements as a common coupling that prevents easy, streamlined movement to the cloud. However, a different modern approach can replace this: policy-as-code. Policy-as-code is the use of code to define and manage rules and conditions, allowing teams to write out policies by utilizing a type of programming language (i.e., Rego). By incorporating this approach, IAM teams can decouple the application from the on-premise data sources to deliver the performance required for application users.
SIW -- Why do outdated, homegrown, legacy solutions fail and how do they hinder an IAM team’s performance?
Broberg -- Although they served their purpose previously, these outdated and homegrown legacy solutions not only increase the amount of time developers spend integrating and updating solutions, but also hinder modernization by limiting bandwidth for innovation.
Legacy solutions are often built and maintained in silos, allowing an abundance of creative liberty. So, what happens when the original author decides to retire or leave the organization entirely? Of course, organizations can hire new and talented IAM team members, but they lack the critical knowledge of the author’s original intent. Meaning, that the team will spend more time trying to solve these puzzles rather than executing simple tasks.
In addition to this, legacy solutions obtain a monolithic architecture that is difficult to decompose into microservices. This poses a significant challenge as cloud-native environment applications are built on microservices systems. With this lack of agility, not only do IAM teams face integration challenges, but also lack architecture perimeter security, which is a high risk in today’s landscape.
SIW -- How does an organization assess its IAM goals and then create that implementation roadmap?
Broberg -- To begin creating an implementation roadmap, organizations need to understand the current state of their IAM infrastructure and realign on original goals.
IAM teams should begin asking themselves – Are they concerned with authentication and multifactor protection? Do they need to manage access to on-premise and cloud properties? By looking into those questions, IAM teams will gain an understanding of what regulations the organization has to adhere to or what certain controls mean for their IAM structure. Once these questions are answered, it will be easier to see what’s working best and what needs more work.
It’s also important to understand what IAM means for the organization overall. IAM information (including users, groups, roles, and resources) can be used in other areas in an organization’s cloud-native stack like microservices, gateways, and service meshes – so begin to look into what the organization needs.
SIW -- The cloud and remote work are almost interchangeable in today’s business environment, so how do you ensure your organization’s IAM approach is secure?
Broberg -- The cloud has enabled organizations to offer hybrid or fully remote work options that best fit their employees’ personal needs; however, this can open the door to more potential security threats. With the traditional, in-office IT boundary gone, the cloud has democratized access to its corporate-provided resources as well as employee-owned devices.
Because of this, organizations need to ensure their IAM approach is secure enough to prevent unauthorized access by both internal and external parties. Using an authorization policy management platform, teams can easily tap into existing systems of record while leaving behind their homegrown entitlement band-aids. Through this platform, IAM teams can use pre-built policy packs that are recorded to decision logs for auditing needs, and they can monitor for vulnerabilities in new code before it’s pushed out. While security is never a 100% guarantee, taking a modern, cloud-native approach to IAM can help.
SIW -- What are some clear and implementable best practices an organization should adhere to when developing their IAM strategies?
Broberg --When developing IAM strategies, here are the top three best practices organizations can consider and begin to implement:
1. Evaluate what new best practices have evolved as IAM and authorization continues to be re-envisioned within cloud-native environments.
- It is important to decouple policy from application and business logic. This is because policy defines the rules of the environment, and having these rules encoded into the logic of the applications becomes painful in distributed systems. With applications composed of hundreds of services, having to rebuild and redeploy each of them whenever a rule is changed isn’t a great experience. Treating policy as a separate entity, with its lifecycle decoupled from that of the application, allows teams to author, test and deploy changes to policy isolated from the applications, and allows the application developers to focus on adding value to their users.
2. Consider implementing plans to support Zero Trust Architecture and Contentious Access Enforcement Protocol.
- This consideration should be made because verifying the identity and permissions of a user or a machine is no longer a concern that can be dealt with only at the perimeters of the systems. Secure access following the Zero Trust Architecture requires identity to be verified and access control to be performed in every component of the stack. Don’t make assumptions, always verify!
3. Remove the silos once and for all.
- Instead of working separately, encourage both IAM and application teams to collaborate when creating authorization policies for corporate resources. Welcoming a collaborative atmosphere during these processes will streamline tasks, eliminate time and confusion, and promote interoperability within an organization's IT team – meaning more room to evolve alongside the ever-changing technology landscape.
