What strategies do you use to ensure IAM solutions are sufficiently composable to adapt to changing business needs?

Principal Enterprise ARCHITECT in Finance (non-banking) 2 months ago

IAM is a complex topic, and usually the needed and available capabilities vary from case to case and from solution to solution.
If you look at the major components or high-level capabilities like IGA, PAM, and AM, one could think of multiple points of composability, e.g.:
- Ability to connect to multiple identity sources and consumer systems.
- Ability to adapt the data models and configurations from different scenarios.
- Ability to use unified identity flows for SSO through standardized interfaces and integrations.
- Ability to customize policies.
- Ability to customize workflows for multiple user groups across the user groups.
- Ability to adapt to different risk scenarios.
- Ability to utilize and benefit from near future proof capabilities, e.g. IPA, LLMs, etc.

I focus on this set of measures to secure composability in my reference architecture and roadmaps; however, some other scenarios may require a different approach according to stakeholder needs and compliance requirements. And this led me to a heterogeneous solution of SailPoint for IGA + CyberArk for PAM + Ping Identity for AM.
I hope this helps you see through the confusion. Let me know if there is any specific question you wish to address.

2 Replies
no title 2 months ago

Btw, for me integration is not only using standard workflows for authentication/authorization; I rather prefer integration of business and IAM domain events in business and IAM workflows.

no title 2 months ago

For that I prefer to embed IAM into DDD and EDA transformation programs. And this is why I consider EDA a core composability component in my IAM reference Architecture.

Information Security Analyst 2 months ago

We work closely with our enterprise architecture team to establish standards that integrate security into the planning stages of application development. By involving IAM-related tasks early in the project management process, we avoid last-minute surprises and enhance our security posture. While this approach remains challenging, it is gradually helping us achieve better security outcomes.

Director of Information Security 2 months ago

We are addressing legacy systems by implementing open standards like SAML to ensure interoperability across multiple systems. Our focus is on API-first design principles for authentication, provisioning, and policy enforcement within IAM platforms. We are also leveraging policy as code to implement authorization and access logic, allowing us to adopt new rules without extensive application rewrites. This strategy is helping us gradually improve our IAM infrastructure.

VP of Information Security 2 months ago

In my experience, particularly during mergers and acquisitions, it's crucial to have an orchestration layer or hybrid ecosystem that can implement RESTful APIs. This allows business applications to integrate seamlessly with IAM tools, such as CyberArk, SailPoint, or Transmit Security, enabling SMFA (silent multi-factor authentication). This orchestration layer can adapt to evolving technology stacks. We are also incorporating AI-based technologies to identify role consolidations and toxic combinations, allowing for fine-grained authentication policies. This strategy enhances efficiency and agility, enabling us to transition smoothly between technologies like CA SiteMinder, Ping Identity, Okta, and newer tools like Transmit Security.
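Editor's added example, not written by any participant in this thread: a minimal sketch of the policy-as-code idea from the Director of Information Security's reply, extended with a separation-of-duties rule of the "toxic combination" kind the VP of Information Security mentions. The rule ids, role names and action names are hypothetical, and the policy document is constructed for illustration.

```python
import json

# Constructed policy document. In practice it would be versioned and loaded
# at runtime; all ids, roles and actions here are hypothetical.
POLICY_V1 = json.loads("""
[
  {"id": "finance-read", "effect": "allow",
   "actions": ["invoice:read"], "require_roles": ["finance-analyst"]},
  {"id": "payment-approve", "effect": "allow",
   "actions": ["payment:approve"], "require_roles": ["payment-approver"]}
]
""")

# Rule added later: holding both roles is a toxic combination, so the
# approval is denied even though an allow rule also matches.
SOD_RULE = {"id": "sod-vendor-payment", "effect": "deny",
            "actions": ["payment:approve"],
            "require_roles": ["vendor-admin", "payment-approver"]}


def evaluate(policy, roles, action):
    """Return (decision, rule_id). Default deny; a matching deny rule wins."""
    roles = set(roles)
    decision = ("deny", "default")
    for rule in policy:
        if action not in rule["actions"]:
            continue
        if not set(rule["require_roles"]) <= roles:
            continue  # the subject lacks at least one required role
        if rule["effect"] == "deny":
            return ("deny", rule["id"])
        decision = ("allow", rule["id"])
    return decision


def approve_payment(policy, user_roles):
    """Application code: it asks the engine and embeds no access rules."""
    decision, _rule_id = evaluate(policy, user_roles, "payment:approve")
    return decision == "allow"


if __name__ == "__main__":
    both = ["vendor-admin", "payment-approver"]
    print(evaluate(POLICY_V1, both, "payment:approve"))
    print(evaluate(POLICY_V1 + [SOD_RULE], both, "payment:approve"))
```

Appending `SOD_RULE` changes the decision for the conflicting role pair while `approve_payment` stays untouched, and the returned rule id gives an audit trail for why access was denied.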
