As organizations continue their digital transformation journey, many teams are trying to take their legacy solutions with them. Yet a major challenge continues to intrigue identity and access management (IAM) teams: legacy solutions are not cloud-ready.
Moving to the cloud has been a top priority for teams, but companies are struggling to move away from their legacy solutions, especially given the amount of financial and technical investment already in their legacy technology stack. However, the transition from IAM to the cloud offers advantages such as the use of unlimited data storage potential, saving time, enabling a software-defined approach, etc. So, as your organization begins to prepare for this process, here’s what you need to keep in mind to make the transition successful.
SecurityInfoWatch.com (SIW) and Editorial Director Steve Lasky recently collected feedback from Jeff Broberg to help our audience better understand this evolving migration. Jeff is a Director of Product Management with over 30 years of experience. before joining styreJeff has worked at SecureAuth, OneLogin and CA Technologies, where he worked on their authentication and identity management solutions.
SIW – Moving to the cloud has become a priority for organizations, but moving legacy solutions can be quite a challenge. How can Identity and Access Management (IAM) teams and IT leaders create a smooth transition?
Broberg– As we all know, moving an application to the cloud can be full of trade-offs: are you working from a clean slate or changing your current composition to fit the cloud? In many cases, prior investment in legacy solutions hinders a clean slate approach. It is therefore important that IAM teams and IT managers first discover and understand exactly what is preventing them from integrating properly in a cloud-native environment. Specifically, they should understand the software architecture as well as any areas that tie the application to their on-premises infrastructure or data sources.
In the case of IAM, we view entitlements as a common coupling that prevents a simple, streamlined move to the cloud. However, a different modern approach can replace this: strategy as code. Policy as code is the use of code to define and manage rules and conditions, allowing teams to write policies using some type of programming language (eg Rego). By integrating this approach, IAM teams can decouple the application from on-premises data sources to deliver the performance required for application users.
SIW — Why do outdated, in-house, and legacy solutions fail and how do they hinder the performance of an IAM team?
Broberg — Although they served their purpose before, these outdated, internally developed legacy solutions not only increase the time developers spend integrating and updating solutions, but also hinder modernization by limiting the bandwidth for innovation.
Legacy solutions are often built and maintained in silos, allowing an abundance of creative freedom. So what happens when the original author decides to retire or leave the organization altogether? Sure, organizations can hire talented new IAM team members, but they lack the essential knowledge of the original author’s intent. This means that the team will spend more time trying to solve these puzzles rather than performing simple tasks.
In addition, legacy solutions obtain a monolithic architecture that is difficult to break down into microservices. This poses a significant challenge as cloud-native environment applications are built on microservices systems. With this lack of agility, not only do IAM teams face integration challenges, but they also lack architectural perimeter security, which is a high risk in today’s landscape.
SIW — How does an organization assess its IAM goals and then create that implementation roadmap?
Broberg– To begin creating an implementation roadmap, organizations need to understand the current state of their IAM infrastructure and realign with the original goals.
IAM teams need to start asking themselves: Are they affected by authentication and multi-factor protection? Should it manage access to on-premises and cloud properties? By reviewing these questions, IAM teams will understand what regulations the organization must comply with or what certain controls mean for their IAM structure. Once these questions are answered, it will be easier to see what works best and what needs more work.
It is also important to understand what IAM means for the whole organization. IAM information (including users, groups, roles, and resources) can be used in other areas of an organization’s cloud-native stack, such as microservices, gateways, and service meshes. So start looking at the needs of the organization.
SIW — The cloud and remote work are nearly interchangeable in today’s business environment, so how do you ensure your organization’s approach to IAM is secure?
Broberg — The cloud has enabled organizations to offer hybrid or fully remote working options that best meet the personal needs of their employees; however, this can open the door to more potential security threats. With the disappearance of the traditional computing frontier in the office, the cloud has democratized access to corporate-provided resources as well as employee-owned devices.
For this reason, organizations must ensure that their IAM approach is secure enough to prevent unauthorized access by internal and external parties. Using a permission policy management platform, teams can easily tap into existing systems of record while leaving their access rights band-aids behind. Using this platform, IAM teams can use predefined policy packs that are saved in decision logs for auditing purposes, and they can monitor vulnerabilities in new code before it is released. While security is never 100% guaranteed, taking a modern, cloud-native approach to IAM can help.
SIW — What are the clear and enforceable best practices that an organization should adhere to when developing its IAM policies?
Broberg –When developing IAM strategies, here are three best practices that organizations can consider and start implementing:
1. Evaluate new best practices that have evolved as IAM and authorization continue to be redesigned in cloud-native environments.
- It is important to decouple policy from application and business logic. Indeed, the policy defines the rules of the environment and the encoding of these rules in the logic of the applications becomes painful in the distributed systems. With applications consisting of hundreds of services, having to rebuild and redeploy each one every time a rule changes is not a great experience. Treating policy as a separate entity, with its lifecycle decoupled from that of the application, allows teams to build, test, and deploy policy changes isolated from applications, and allows application developers to focus on added value for their users.
2. Consider implementing plans to support Zero Trust Architecture and Contentious Access Enforcement Protocol.
- This consideration needs to be taken because verifying the identity and permissions of a user or machine is no longer a concern that can only be addressed at the perimeters of systems. Secure access following the Zero Trust architecture requires identity to be verified and access control to be performed in every component of the stack. Don’t make assumptions, always check!
3. Remove the silos once and for all.
- Instead of working separately, encourage IAM and application teams to collaborate when creating permission policies for corporate resources. Embracing a collaborative atmosphere during these processes will streamline tasks, eliminate time and confusion, and promote interoperability within an organization’s IT team, which means more room to grow alongside. to the ever-changing technological landscape.