What strategies do you use to ensure IAM solutions are sufficiently composable to adapt to changing business needs?
Sort by:
Btw, for me integration is not only using standard workflow for Authentication/Authorization, I rather prefer integration of business and IAM domain events in business and IAM workflows.
For that I prefer to embed IAM into DDD and EDA transformation programs. And this is why I consider EDA a core composability component in my IAM reference Architecture.
We work closely with our enterprise architecture team to establish standards that integrate security into the planning stages of application development. By involving IAM-related tasks early in the project management process, we avoid last-minute surprises and enhance our security posture. While this approach remains challenging, it is gradually helping us achieve better security outcomes.
We are addressing legacy systems by implementing open standards like SAML to ensure interoperability across multiple systems. Our focus is on API-first design principles for authentication, provisioning, and policy enforcement within IAM platforms. We are also leveraging policy as code to implement authorization and access logic, allowing us to adopt new rules without extensive application rewrites. This strategy is helping us gradually improve our IAM infrastructure.
In my experience, particularly during mergers and acquisitions, it's crucial to have an orchestration layer or hybrid ecosystem that can implement RESTful APIs. This allows business applications to integrate seamlessly with IAM tools, such as CyberArk, SailPoint, or Transmit Security, enabling SMFA (silent multi-factor authentication). This orchestration layer can adapt to evolving technology stacks. We are also incorporating AI-based technologies to identify role consolidations and toxic combinations, allowing for fine-grained authentication policies. This strategy enhances efficiency and agility, enabling us to transition smoothly between technologies like CA SiteMinder, Ping Identity, Okta, and newer tools like Transmit Security.
IAM is a complex topic and usually needed and available capabilities vary from case to case and from solution to solution.
If you look at the major components or high level capabilities like IGA, PAM, AM. One could think of multiple points of composability , e.g.
- Ability to connect to multiple identity sources and consumer systems,
- Ability to adapt the data models and configurations from different scenarios.
- Ability to use unified identity flows for SSO through standardized interfaces and integrations.
- Ability to customize policies
- Ability to customize workflows for multiple user-group across the user groups.
- Ability to adapt to different risk scenarios.
- Ability to utilize and benefit from near future proof capabilities , e.g. IPA, LLMs, etc.
I focus on this set of measures to secure composability in my reference architecture and roadmaps, however some other scenarios may require different approach according to stakeholder needs and compliance requirements . And this led me to heterogeneous solution of Sail point for IGA + CyberArch for PAM + Ping identity for am.
I hope this helps you see through the confusion Let me know if there is any specific question you wish to address.