
Page 1: Architecting Your Future-State ... - TechVision Research

Architecting Your Future-State Identity and Access Management Program

Gary Rowe, Doug Simmons, Principal Consulting Analysts

September 10, 2020

Sept. 20-23 2021

Page 2: Architecting Your Future-State ... - TechVision Research

Your Presenters

Gary Rowe, CEO/Principal Consulting Analyst at TechVision Research. 13-year President of Burton Group (sold to Gartner) and TechVision founder. Technology thought leader for 30+ years with over 100 consulting engagements and published research in innovation, identity management, distributed computing, security, enterprise IT, blockchain, privacy and IoT.

Doug Simmons, Principal Consulting Analyst at TechVision Research. One of the leading IT security and Identity Management experts, has led hundreds of consulting engagements and developed leading edge research. He ran the consulting organization at Burton Group and led the security/risk consulting organization at Gartner for 5 years prior to joining TechVision.

© TechVision Research Corp. 2020 - All Rights Reserved

Page 3: Architecting Your Future-State ... - TechVision Research

Agenda

• Background and Workshop Objectives

• The Digital Enterprise: Digital Transformation and Identity Management

• The Future of Identity Management: The Top 12 IAM Trends

• The Art of the Possible: Architecting your Future-State IAM Foundation

• Zero Trust and Frictionless Security

• IT Governance and Administration

• Sponsored Session: Radiant Logic’s Role in the Future of IAM

• Discussion, Q&A


Page 4: Architecting Your Future-State ... - TechVision Research

TechVision Research at-a-glance

Founded in 2015 by veterans of the research industry to bridge the gap between board-level strategy and technical solutions through cutting-edge research and pragmatic consulting.

• Direct Experience: Our model is built around industry experts with strong track records of execution.

• Actionable Advice: We go beyond the trends. Our deliverables-based engagements give you the action plans you need to achieve your goals.

• Proven Technique: We make our perspectives and expertise available to everyone in the enterprise.

Page 5: Architecting Your Future-State ... - TechVision Research

TechVision Research: What we do

Take a client theme, Research it, and Connect the Dots through Consulting, providing deep knowledge to inform executive decisions.

Practice areas: Privacy & Consent; Identity & Access Management; Cybersecurity; Architecture, Innovation & Collaboration; Information Asset Management.

• Broad and deep experience

• Industry specialists

• Technology pioneers

• Global perspective

• Senior, C-level clients

• Bridge between board-level strategies and technical solutions

Research and consulting topics: Identity and Access Management; Security and Risk Management; Data Management, Architecture, Analytics, AI/ML; Digital Enterprise/Transformation; Innovating with Purpose; Privacy and Information Protection; Blockchain Adoption; Communication, Collaboration, Content, Activities (3CA); Product to Platform Evolution, DevSecOps, Microservices; Adaptable Technical Architecture.

Page 6: Architecting Your Future-State ... - TechVision Research

Survey Says: Workshop Priorities

(Most/Moderately Critical)

• Managing Identity during cloud migration while maintaining legacy/hybrid: 79%

• Securely managing larger remote workforce: 68%

• Acquiring better quality data to support automation/AI: 68%

• Managing scale of identity and protected data: 63%

• Increase in fraud/data theft: 53%

• Complying with rapidly changing privacy/regulatory environment: 53%

• Providing a deeper customer engagement: 47%

• Expansion of business beyond brick/mortar: 32%


Page 7: Architecting Your Future-State ... - TechVision Research

Survey Says: Workshop Priorities

Added by Attendees

• Integration of IAM tools with Risk/SOD engines

• Self sovereign identity and verified credentials

• IAM for OT/ICS -- Industrial Control System

• IAM as the foundation of a zero trust architecture

• Passwordless authentication/authorization, Zero Trust

• IAM as micro services and REST APIs

• How to evangelize that identity (people, things) is fundamental to IT architectures. Most enterprise architects have little understanding of this most critical capability and how to integrate into solutions.


Page 8: Architecting Your Future-State ... - TechVision Research

What are your top 2 goals/priorities in this

workshop? (poll)

❑Input towards developing IAM strategy/reference architecture

❑Understanding of how to modernize my current IAM capabilities

❑Understanding what success looks like

❑Input towards making IAM investment decisions

❑Gaining insights into the future of IAM and IT


Page 9: Architecting Your Future-State ... - TechVision Research

Agenda (repeat of Page 3)

Page 10: Architecting Your Future-State ... - TechVision Research

Why do we need Identity?

Because on the Internet everybody doesn’t know your name.


Page 11: Architecting Your Future-State ... - TechVision Research

Identity and Access Management (IAM) Services at

Internet Scale

• The policies, processes and technology to support the right access, to the right resources, at the right time, for the right individuals and things.

• Starts with Identity Proofing

• IAM is key infrastructure supporting security, privacy and governance in Digital Engagement, and is critical to enabling it

• Market is speaking: Okta (pure play IAM) IPO in 2017 with current Market Cap of over $26 Billion

• We’ll now look at how the Digital Enterprise is requiring a new IAM foundation


Page 12: Architecting Your Future-State ... - TechVision Research

2020: Engaging The “New” Digital Reality

“Radical rethinking of how the organization uses technology” - Clint Boulton, CIO.com

Page 13: Architecting Your Future-State ... - TechVision Research

Digital Technology Brings Together People, Processes, Data & Things

• Things: devices, objects, endpoints, interfaces

• Processes: learning, reporting, integrated, automated

• Data/Information: findable, shared, intelligent

• People: anywhere, in context, connected

Page 14: Architecting Your Future-State ... - TechVision Research

Digital Enterprise Drives New IT

Traditional IT (“Responders”): People, Process, Technology; with IAM, InfoSec and Governance.

Digital Enterprise (“Curators”): People, Process, Data & Information, Technology; with IAM, InfoSec, Governance and Data & Info.

Page 15: Architecting Your Future-State ... - TechVision Research

Requires a Change in Thinking: IT Responders vs. IT Curators

Dimensions compared: Principles, Governance, Focus, Experience, Implementation, Innovation, Industry.

IT Responders:

• Ownership & central delivery

• Whole feature sets

• Distributed oversight, protection & accessibility

• Command & control

• Least common denominator

• Siloes of tech, info & data

• Limited capabilities

• Operations oriented

• Favorite vendors

IT Curators:

• Agile & flexible to meet business’ goals

• Central oversight, protection & risk mgt

• Integration & interfacing

• Use tech to fit needs

• Tech as facilitator

• Innovation mind set

• Outsourcing

• Responsive

Not either/or.

Responder keywords: Centralized; Fragmented; Managed; Destination; Large & Complex; Revolutionary Systems; Certainty; Big Bang; Self-contained Products; License-based; Upgrade cycles.

Curator keywords: Business Aligned; Pervasive & Coordinated; Utilization & Accessibility; Seamless Interfacing; Speed to Value; Evolutionary Platforms; Experimentation; Incremental; Components & Interop; Subscriptions; Feature releases.

Page 16: Architecting Your Future-State ... - TechVision Research

Digital Enterprise Principles & Practices (Continuous Transformation)

• Governance: Centralized Oversight, Pervasive, Accountability

• Management: OpEx, Business Driven, Opportunistic, Responsive

• Data Model: Storage Agnostic, Metadata & Tagging, Internal/External, Compliant

• Accessibility: Anytime, Anyplace, Anywhere, Anything

• Experience: Frictionless, Consumerized, Contextual, Usability, Personalized

• Functionality: Integrated, Automated, Outcome Aligned, Proactive, Persistent, Learning

• Implementation: Agile, Flexible, Innovation, Speed to Value, Bespoke

• Architecture: Platforms, Federated, Cloud, Microservices, Modular, Integratable

Page 17: Architecting Your Future-State ... - TechVision Research

Agenda (repeat of Page 3)

Page 18: Architecting Your Future-State ... - TechVision Research

IAM 2020+: Building/Enabling the New Digital Foundation

• The foundation to seamlessly embrace new technologies, business models & approaches while “keeping the IAM plane in the air”

• The Digital Enterprise transitions from “point programs” to new enterprise business models

• Flexibility, openness, scale, adaptability and inclusiveness are critical; NO LOCK IN

• Moving to cloud-first wherever possible, but hybrid support is still critical

• IAM is critical in support of the “Safe Digital Enterprise”

• Areas of Focus for the next several years follow:


Page 19: Architecting Your Future-State ... - TechVision Research

Future of Identity Management: Enterprise Top 12 List (2020-2025)

1. Zero Trust Security Model: Identity is the primary tool for locking down ecosystems, protecting enterprises and supporting Zero Trust

2. Unprecedented Scale/Speed: Supporting larger numbers of customers, prospects, things, employees, partners with near real-time response times

3. User Experience: 2020+ is all about the user experience and user-friendly interfaces for developers, administrators and end-users

4. Cloud and Hybrid Identity: Identity services move to the cloud, but on-premise IAM needs to seamlessly integrate with cloud-based IAM

5. New Authentication models including MFA, Adaptive Authentication and Password-Less: Passwordless for users, and PAM emerges to tightly secure those with admin rights

6. Use of AI/ML for Contextual Awareness and “Frictionless Security”: Using context, big data and pattern recognition to understand normal and anomalous activity, to support better, lower-friction security

7. IAM Inclusion of Diverse Object Types (Internet of Everything): Support for IoT, contextual data, customer data, RPA, processes, consent, tokens, DID

8. Customer-centric IAM and Identity of Things (IDoT): CIAM/IoT services still treated with unique management controls, but increasingly integrated/accessible via apps & services

9. Identity Services and Security Controls as Microservices: Identity and security API microservices are critical in support of DevSecOps and new JIT security

10. Privacy Protecting Identity and Security Services: Increasingly leveraging analytics, contextual data & AI/ML to support usability and privacy regulations by limiting and controlling the collection of PII

11. Decentralized IAM built on Blockchain: Identity services leveraging blockchain, verifiable claims and trust frameworks emerge and support user-centric, privacy-compliant IAM services

12. Centralized Identity Governance: Achieving centralized control while distributing computing, applications and data. Harmonization of IAM across multiple functional areas.

Page 20: Architecting Your Future-State ... - TechVision Research

Survey Says: Highest Rated Categories within the

Top 12 List

1. Cloud/Hybrid Identity

2. Zero Trust Security

3. Centralized Identity Governance

4. User Experience

5. IAM Scale/Performance

6. Decentralized Identity


Page 21: Architecting Your Future-State ... - TechVision Research

Survey Says: Comments/Additions to the Top 12 List

1. 75% liked it as is

2. 20% wanted to explicitly add PAM as a Category

3. Don’t put CIAM and IDoT together (1)


Page 22: Architecting Your Future-State ... - TechVision Research

Evolution of Identity

Classic IDM → IDaaS → Identity as an API → Decentralized, Self-Sovereign Identity

• Employee: Perimeter

• Partner: Federated

• Customer: Cloud/IDP

• Things: Wallets, Chips

• Relationships: Claims, Context

Repositories: On-Premise Directories → Networked → Identity Graphs

Page 23: Architecting Your Future-State ... - TechVision Research

Enterprise IAM Progression Towards the Cloud

1. Become Cloud aware

2. Factor in Cloud migration

3. Develop global IAM data integration approaches

Many of today’s IAM environments are largely on-premise and only in the early stages of migration or seamless integration with cloud Infrastructure as a Service (IaaS) and Software as a Service (SaaS) IAM solutions. Not only B2E, but B2B and B2C are increasingly important and must be considered in the next generation IAM architecture. For most enterprises this may include:

• Azure AD as a cloud identity store, as it is already being leveraged by many organizations.

• Internal as well as external users will need to securely access services and data.

• Support for hybrid environments

• Cloud-enabling

• Global scalability and flexibility in support of Customer IAM, IoT

• Privacy regulation support

• Expansive federation

• High performance

Page 24: Architecting Your Future-State ... - TechVision Research

IDoT and CIAM Drive IAM Scale/Relationship Management

Identity of Things (IDoT)

• Identity of Things (IDoT) as a major IAM category

• Scale to billions of objects

• Management of complex relationships

• Securing everything from dumb sensors to highly sophisticated devices

• Unique security, privacy and consent issues

Customer IAM (CIAM)

• CIAM as a major IAM category

• Performance and context are critical

• Scale to the hundreds of millions of objects

• Integration with CRM and Marketing systems

• Unique security, privacy and consent issues

Page 25: Architecting Your Future-State ... - TechVision Research

ZT: Gone Is The Secure Network Perimeter

The Digital Economy blends customers, suppliers, organizations.

Cloud, Mobile, BYOD, IoT create a fluid network perimeter


Page 26: Architecting Your Future-State ... - TechVision Research

The Identity Problem & User Experience

The average American currently has about 200 accounts that require some sort of password identification, and that number will rise to 400 within five years or so (per Dashlane).

The average business employee must keep track of 191 passwords, and 81% of confirmed data breaches involve weak or stolen passwords (per LastPass).

This is the single biggest usability problem on the Internet today; the foundation is collapsing.

Page 27: Architecting Your Future-State ... - TechVision Research

Passwordless & MFA in the Future

We have anticipated the demise of password-centric authentication for decades; the time has arrived to deploy MFA and passwordless security solutions within your enterprise.

• Device and network ubiquity and reliability, and Bring Your Own Device (BYOD) initiatives, coupled with the accelerating levels of fraud associated with password-based authentication

• Many large, influential vendors such as Microsoft, Okta, Ping, ForgeRock and others have thrown down the gauntlet: the password is truly dead

• The shift to the cloud provides the opportunity to reinvent authentication

Furthermore, as the concepts associated with Zero Trust continue to evolve and take hold, passwordless & MFA will be an imperative.

Page 28: Architecting Your Future-State ... - TechVision Research

Decentralized Self-Sovereign Identity Built on Blockchain(?)

• Addressing the hundreds of IDs/passwords often maintained today

• Move from BYOD to BYOI, to SSI

• Identity control by the identity owner, as in the physical world

• Peer-to-peer (no third party)

• Integrity of the identity record can be verified via blockchain

• Stronger authentication via digitally signed, verifiable credentials

• Better privacy by limiting non-essential verification data

• Requires the development of an underlying ecosystem

• Significant investment by Microsoft, IBM, Ping, SAP and several early stage companies

Page 29: Architecting Your Future-State ... - TechVision Research

In our mobile, volatile world Identity is the only viable perimeter

Forces acting on Identity and Access Management: big data, mobile, AI/ML, blockchain, context, faster product cycles, cloudification of IT, innovation, disruption and personalization, automation, security focus/investment, BYOD/BYOI, privacy/GDPR, IoT.

Momentum: Disintermediation in Banking & Other Markets; Strategic Investments in Innovation/Disruption; Democratization & Consumerization; Privacy & Regulatory Volatility; Internet of “Me”; Sharing Economy; Better Customer Connections & Relationships; New IT Models; New Business Models; IoT at scale.

Page 30: Architecting Your Future-State ... - TechVision Research

Agenda (repeat of Page 3)

Page 31: Architecting Your Future-State ... - TechVision Research

Developing a 5 Year IAM Plan

• Modern IAM supporting the Digital Enterprise starts by “going back to basics”

• TechVision recommends starting a current-state capabilities assessment, a requirements review (business and tech) and the development of a capabilities-based reference architecture

– Ensures all major areas are covered

– Helps to understand the big picture while developing specific strategies for each category of capabilities

– Structured approach to provide the flexible, open, modular, dynamic and inclusive IAM model for digital transformation

– Factor in the key future state areas we’ve described

• High-level view follows:


Page 32: Architecting Your Future-State ... - TechVision Research

Survey Says: Top Requirements for 2020-2025

• Consistent Customer IAM across a variety of LOBs

• IAM support for IoT, automated devices running critical infrastructure

• Privacy controls/compliance

• Centralized Cloud/hybrid governance

• Dealing with executive expectation that there is a simple Zero Trust 'solution' building/combining offerings

• Need a Zero Trust roadmap

• More consistently address hybrid


Page 33: Architecting Your Future-State ... - TechVision Research

Typical Enterprise Requirements, Pain Points and Current State Review

Requirements and current-state data collected via interviews and questionnaires to discuss, refine and add to during Reference Architecture development.

Page 34: Architecting Your Future-State ... - TechVision Research

Capturing Enterprise Requirements (poll)

• Where is your organization in gathering cross-functional IAM

requirements?

❑Known, published, prioritized

❑Known but need more refinement/update

❑Known but not written

❑Not known


Page 35: Architecting Your Future-State ... - TechVision Research

IAM Market Category Requirements

Enterprise Identity

• Need to protect the organization from cybersecurity threats

• Need to efficiently provision/de-provision access

• Need to ensure appropriate access

• Need to facilitate easy authentication

• Need to demonstrate compliance

Consumer Identity

• Need a frictionless user experience

• Need to provide personalized, engaging experience

• Need to scale

• Need to protect consumer data and enforce consent restrictions

• Need to track and manage customer relationships

Identity of Things

• Need to ensure appropriate access

• Need to efficiently provision/deprovision access

• Need to facilitate stronger security controls without getting in the way of the deployment or device use

• Need to secure communications

• Need to provide easy integration with existing applications and services

• Need to protect consumer data and enforce consent restrictions

• Need to scale

Page 36: Architecting Your Future-State ... - TechVision Research

Example: Business Outcomes

• Employees have access to enterprise systems immediately upon hire.

– Currently provided by what source systems (e.g., HR)?

– Does it require much manual intervention?

• Automate de-provisioning in cases of leaving the organization.

– De-provisioning is often currently a manual process.

• Perform attestation on all employees.

– Typically performed on high risk areas only.

• Improve customer experience.

– Are customer accounts linked across multiple LOBs?

– Do you offer MFA for higher risk customer transactions?

– Can you eliminate passwords?

• Other Expected Business Outcomes?

Page 37: Architecting Your Future-State ... - TechVision Research

Example: Current Unmet Needs

• Lack of self-service provisioning functionality:

– Excessive manual intervention required for provisioning; no workflows

– No mandatory approval capabilities

• No self-service password capability:

– Password resets must be done with the assistance of the Help Desk, without the ability to perform off-network resets; thousands of calls per month

– Causes risky behavior for remote access users without reset capability

• De-provisioning and modifications are a manual process

• No functionality to review or update roles within the business

• Attestation can’t be performed (with the current tool), leaving many in the organization with excessive privileges; can’t restrict requestors to specific departments or applications

• Review of key administrative functions is currently a manual monthly process.

• Other unmet needs?

Page 38: Architecting Your Future-State ... - TechVision Research

Reference Architecture: Top-Level


Page 39: Architecting Your Future-State ... - TechVision Research

Reference Architecture 2nd Level


Page 40: Architecting Your Future-State ... - TechVision Research

Elements of the Combined Portfolio Architecture


Page 41: Architecting Your Future-State ... - TechVision Research

Identifying Capabilities for Each Service (e.g., Login)


Page 42: Architecting Your Future-State ... - TechVision Research

Example: Login Template


Page 43: Architecting Your Future-State ... - TechVision Research

Identifying Capabilities for Each Service (e.g., PAM)


Page 44: Architecting Your Future-State ... - TechVision Research

Example: PAM Template


Page 45: Architecting Your Future-State ... - TechVision Research

Identity Orchestration Template

Resources (connected systems): Directory, Database, Application, OS, SaaS Application, Devices, Email; reached through Remote Connectors and Local Connectors.

Core: Join Engine → Normalized Shared View → Persistent, Replicated Identity Repository, with Bidirectional Change Events flowing back to the connected systems and Activity Auditing of every change.

Application Interface: the Persistent View is exposed to Consuming Applications.

The Join Engine manages the data sharing relationships between connected systems. The Normalized Shared View maintains the common state of the shared data between connected systems.
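The join engine and normalized shared view described on this slide, as an added example that is not part of the original deck or any vendor's product. It assumes three constructed connector feeds (an HR database, Active Directory and a SaaS application) with deliberately different attribute names, a hypothetical normalized schema in SCHEMA_MAPS, and HR as the authoritative source; employee id is the preferred join key with mail as the fallback, a record with neither is reported as an orphan rather than guessed, and a terminated HR status produces disable events for every linked account:

```python
"""Toy identity orchestration join engine: connectors feed records from
several systems, a join engine correlates them into one normalized shared
view, and change events are derived to push back to connected systems.
Added example for this page, not any product's code; all data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed connector reads. Attribute names differ per source on purpose,
# as they do between an HR database, Active Directory and a SaaS app.
HR_DB = [
    {"emp_id": "1001", "mail": "ana.silva@example.com", "dept": "Finance", "status": "active"},
    {"emp_id": "1002", "mail": "bo.chen@example.com", "dept": "Eng", "status": "terminated"},
]
AD_DIRECTORY = [
    {"sAMAccountName": "asilva", "employeeID": "1001", "mail": "ana.silva@example.com", "department": "Finance"},
    {"sAMAccountName": "bchen", "employeeID": "1002", "mail": "bo.chen@example.com", "department": "Engineering"},
    {"sAMAccountName": "svc-backup", "employeeID": "", "mail": "", "department": "IT"},  # no join key
]
SAAS_APP = [
    {"login": "ana.silva@example.com", "role": "viewer"},
    {"login": "bo.chen@example.com", "role": "admin"},
]

# Per-connector map: source attribute -> normalized attribute (hypothetical schema).
SCHEMA_MAPS = {
    "hr":   {"emp_id": "emp_id", "mail": "mail", "dept": "department", "status": "status"},
    "ad":   {"employeeID": "emp_id", "mail": "mail", "sAMAccountName": "ad_account", "department": "department"},
    "saas": {"login": "mail", "role": "saas_role"},
}
AUTHORITATIVE = "hr"  # HR wins conflicts on the attributes it supplies

@dataclass
class JoinEngine:
    view: Dict[str, dict] = field(default_factory=dict)  # normalized shared view, keyed by canonical id
    audit: List[tuple] = field(default_factory=list)     # activity audit trail
    events: List[tuple] = field(default_factory=list)    # change events to push back to connectors

    def _canonical_id(self, rec: dict) -> Optional[str]:
        """Join key: employee id if present, else resolve mail against the view, else unjoinable."""
        if rec.get("emp_id"):
            return "emp:" + rec["emp_id"]
        if rec.get("mail"):
            for cid, entry in self.view.items():
                if entry.get("mail") == rec["mail"]:
                    return cid
            return "mail:" + rec["mail"]
        return None

    def ingest(self, source: str, records: List[dict]) -> List[dict]:
        """Normalize records from one connector and merge them into the view; returns unjoined records."""
        orphans = []
        for raw in records:
            norm = {SCHEMA_MAPS[source][k]: v for k, v in raw.items() if k in SCHEMA_MAPS[source]}
            cid = self._canonical_id(norm)
            if cid is None:
                orphans.append(raw)
                self.audit.append(("orphan", source, raw.get("sAMAccountName") or raw.get("login")))
                continue
            entry = self.view.setdefault(cid, {"sources": set()})
            for attr, value in norm.items():
                if attr in entry and entry[attr] != value:
                    self.audit.append(("conflict", cid, attr, source, entry[attr], value))
                    if source != AUTHORITATIVE:
                        continue  # non-authoritative sources only fill gaps, never overwrite
                entry[attr] = value
            entry["sources"].add(source)
            self.audit.append(("joined", source, cid))
        return orphans

    def reconcile(self) -> List[tuple]:
        """Derive bidirectional change events: a terminated HR status must disable every linked account."""
        for cid, entry in self.view.items():
            if entry.get("status") == "terminated":
                for src in sorted(entry["sources"] - {AUTHORITATIVE}):
                    event = ("disable", src, cid)
                    if event not in self.events:
                        self.events.append(event)
        return self.events

def build_view() -> JoinEngine:
    """Run all connectors through the engine, authoritative source first."""
    engine = JoinEngine()
    engine.ingest("hr", HR_DB)
    engine.ingest("ad", AD_DIRECTORY)
    engine.ingest("saas", SAAS_APP)
    engine.reconcile()
    return engine

if __name__ == "__main__":
    eng = build_view()
    for cid, entry in eng.view.items():
        print(cid, {k: v for k, v in entry.items() if k != "sources"}, sorted(entry["sources"]))
    print("events:", eng.events)
```

The conflict entries in the audit trail (here AD's "Engineering" against HR's "Eng") are the data-quality signal a deployment needs before anything downstream is automated; the orphaned service account is the other one, because accounts with no join key are exactly what a later access review cannot attribute to a person.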

Page 46: Architecting Your Future-State ... - TechVision Research

Agenda (repeat of Page 3)

Page 47: Architecting Your Future-State ... - TechVision Research

ZT: Gone Is The Secure Network Perimeter (repeat of Page 25)

Page 48: Architecting Your Future-State ... - TechVision Research

Putting Cybersecurity in Context

Identity-based cybersecurity controls are key to addressing the rapidly expanding threat surface.

Drivers:

• Customer Engagement: interact with more customers, partners and devices

• Cloud Adoption: increase speed and lower costs

• Internet of Things: device to device communication, massive volume

• Application Growth: massive growth in applications, mostly on mobile platforms

Implications: increased threats; expanded “Threat Surface” with increased vulnerability exposure.

Controls:

• Identity & Access Security: authentication of people & devices is central to anywhere access and personalization of services

• Application Security: applications need to be secure, beginning with the writing of code; real time protection

• Data Security: data will need to be secured at the workload level so it can run in any private or public cloud

DevSecOps (Dev, Sec, Ops): enable and secure while not slowing down the development process.

Page 49: Architecting Your Future-State ... - TechVision Research

Identity-based Cybersecurity Controls

Facilitating understanding of the relationships and determining the appropriateness of the activities.

• Governance & Provisioning: enabling the lines of business to make decisions about appropriate access and enforcing those decisions

• Privileged Access: control administrator access and system accounts, plus deep forensic monitoring

• Authentication: providing greater identity assurance and proofing through strong authentication

• Authorization: enforcing authorization policies ensuring appropriate access to critical resources

• Behavioral Analytics: provides insight into normal operations and brings attention to anomalous activity
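One way the authentication, authorization and behavioral analytics controls above combine into a single identity-based Zero Trust decision, including the step-up MFA the passwordless/MFA slide calls for, as an added example that is not code from the original deck or any vendor. The sign-in log lines, the resource tiers, the MFA freshness limits in MFA_MAX_AGE and the anomaly thresholds are all constructed assumptions; the baseline is learned only from successful sign-ins so that an attacker's failed attempts cannot widen it:

```python
"""Identity-based Zero Trust access decision with a per-user behavioral
baseline built from sign-in history. Added example for this page, not a
vendor's engine; the log lines, policy thresholds and signals are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict

# Constructed sign-in history: timestamp, user, country, device id, result
SIGNIN_LOG = """\
2020-09-01T08:12:00Z asilva US dev-ana-1 success
2020-09-02T08:40:00Z asilva US dev-ana-1 success
2020-09-03T09:05:00Z asilva US dev-ana-1 success
2020-09-04T07:55:00Z asilva DE dev-ana-1 failure
2020-09-01T22:10:00Z bchen SG dev-bo-7 success
2020-09-02T23:01:00Z bchen SG dev-bo-7 success
"""

# Maximum age of the session's last MFA event per resource tier (hypothetical policy).
MFA_MAX_AGE = {"low": timedelta(hours=12), "medium": timedelta(hours=1), "high": timedelta(minutes=5)}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

@dataclass
class Request:
    user: str
    country: str
    device: str
    device_managed: bool    # device attested/managed by the enterprise
    mfa_age: timedelta      # time since the session's last MFA challenge
    resource_tier: str      # "low", "medium" or "high" sensitivity
    at: datetime

def build_baseline(log: str) -> Dict[str, dict]:
    """Per user: countries, devices and hours of day seen in successful sign-ins."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for line in log.splitlines():
        ts, user, country, device, result = line.split()
        if result != "success":
            continue  # failures never widen the baseline
        b = base[user]
        b["countries"].add(country)
        b["devices"].add(device)
        b["hours"].add(datetime.strptime(ts, TIME_FMT).hour)
    return dict(base)

def anomaly_score(req: Request, baseline: Dict[str, dict]) -> int:
    """Number of signals deviating from the user's own history; unknown users score the maximum."""
    b = baseline.get(req.user)
    if b is None:
        return 3
    score = 0
    score += req.country not in b["countries"]
    score += req.device not in b["devices"]
    score += not any(abs(req.at.hour - h) <= 2 for h in b["hours"])  # outside usual hours (+/- 2h)
    return score

def decide(req: Request, baseline: Dict[str, dict]) -> str:
    """Return 'allow', 'step_up' (fresh MFA required) or 'deny'. Network location is never a signal."""
    score = anomaly_score(req, baseline)
    if req.resource_tier == "high" and not req.device_managed:
        return "deny"                      # high-tier resources only from managed devices
    if score >= 2 and req.resource_tier != "low":
        return "deny"                      # several deviations at once: treat as probable credential misuse
    if score >= 1 or req.mfa_age > MFA_MAX_AGE[req.resource_tier]:
        return "step_up"                   # continuous verification: one deviation or stale MFA
    return "allow"

def evaluate(user, country, device, managed, mfa_minutes, tier, iso_time, baseline=None) -> str:
    """Build a Request from plain values and decide it against the log-derived baseline."""
    if baseline is None:
        baseline = build_baseline(SIGNIN_LOG)
    req = Request(user, country, device, managed, timedelta(minutes=mfa_minutes), tier,
                  datetime.strptime(iso_time, TIME_FMT))
    return decide(req, baseline)

if __name__ == "__main__":
    print(evaluate("asilva", "US", "dev-ana-1", True, 10, "medium", "2020-09-10T08:30:00Z"))
    print(evaluate("asilva", "US", "dev-ana-1", True, 30, "high", "2020-09-10T08:30:00Z"))
    print(evaluate("bchen", "RU", "dev-unknown", True, 1, "medium", "2020-09-10T22:30:00Z"))
```

The request carries no network location on purpose: the decision depends on who is asking, from which device in what state, and for what resource, which is what treating identity as the perimeter means in practice. Thresholds like these belong in policy rather than code and need tuning against observed false-positive rates before they gate anything real.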

Page 50: Architecting Your Future-State ... - TechVision Research

Example: Identity-based Zero Trust Template

Page 51: Architecting Your Future-State ... - TechVision Research

Agenda (repeat of Page 3)

Page 52: Architecting Your Future-State ... - TechVision Research

Preparing for the Digital Enterprise: Start with Identity Governance

• Single biggest problem and most costly area in most large IAM programs

• Governance is the most significant IAM challenge, and the trends we’ve defined will make it harder

– New object types, relationships

– New identity consumers

– Lack of hard perimeters

– Management of hybrid environments, disconnected/federated identities, big data, context, complex relationships

• Why is governance so hard?

– It involves people; people to people is the hardest to govern

– Getting harder given the points above

• New Governance Models

– Centralized policies/controls/visibility

– Leveraging AI/ML/Analytics

– Assumes base-level understanding of all connected data/identities

– Goal is to automate 80% and focus on the 20% that isn’t easily automatable or represents anomalous activity/requests

– Support for self-service

Page 53: Architecting Your Future-State ... - TechVision Research

Access Governance

Time of Change Operations: what does appropriate access look like? Govern.

• Provides a mechanism for collecting current entitlement state

• Provides an entitlement catalog for organizing entitlement definitions and mappings

– Listing what is assignable

– Describing what these entitlements actually do

• Facilitates entitlement ownership and accountability

• Provides a process for reviewing and certifying entitlement entries

• Provides a self-service mechanism for requesting access

Page 54: Architecting Your Future-State ... - TechVision Research

The "Atomic Elements" of Identity and Access Governance

Entity, Identity, Credential(s), Attributes, Roles, Rules, Policies, Entitlements.

Page 55: Architecting Your Future-State ... - TechVision Research

Access Review & Certification Process

Collection Mechanisms: Directory, Database, Application, via Connector, or Manual.

Access Governance inputs from Resources: Entitlement Catalog, Role Definitions, Data Classifications.

Process: Gather Data → Refine Data → Distribute Data → Review Access → Certify Access → Return Data → Remediate. Output: Attestation Report.

Page 56: Architecting Your Future-State ... - TechVision Research

Access Review & Certification Process

Access Governance 2020+

(Diagram: the same cycle as the previous slide, with 3rd Wave AI and Machine Learning added. Collection mechanisms (Directory, Database, Application; via Connector or Manual) gather current entitlement state from Resources; the cycle runs Gather Data, Refine Data, Distribute Data, Review Access, Certify Access, Return Data, Remediate; inputs are the Entitlement Catalog, Role Definitions and Data Classifications; output is the Attestation Report)

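As an added illustration, not part of the TechVision deck, a small Python model of the review and certification cycle above combined with the 80/20 automation goal from the Identity Governance slide: entitlements gathered from the collection mechanisms are checked against the entitlement catalog and role definitions, role-matching or peer-typical entries are auto-certified, and uncatalogued entries and peer-group outliers go to a human reviewer. All users, entitlements and the peer threshold are constructed for the example.

```python
from collections import defaultdict
# Constructed "Gather Data" output: current entitlement state pulled from the
# directory, a database and an application connector (user, dept, entitlement, source).
GATHERED = [
    ("alice", "finance", "erp:ap-clerk", "application"),
    ("alice", "finance", "jira:finance-project", "application"),
    ("bob", "finance", "erp:ap-clerk", "application"),
    ("bob", "finance", "jira:finance-project", "application"),
    ("carol", "finance", "erp:ap-clerk", "application"),
    ("carol", "finance", "jira:finance-project", "application"),
    ("carol", "finance", "erp:gl-admin", "application"),  # held by one peer only
    ("dave", "it", "db:prod-dba", "database"),
    ("dave", "it", "legacy:app-x", "database"),  # unknown to the catalog
]
# Entitlement catalog (what is assignable and what it does) and role definitions
# (the expected baseline per department); both constructed for the example.
CATALOG = {
    "erp:ap-clerk": "enter and approve accounts-payable invoices",
    "erp:gl-admin": "change general-ledger configuration",
    "jira:finance-project": "comment on finance project tickets",
    "db:prod-dba": "administer production databases",
}
ROLES = {"finance": {"erp:ap-clerk"}, "it": {"db:prod-dba"}}

def certify(gathered, catalog, roles, peer_threshold=0.5):
    """Decide (user, entitlement, decision, reason) for every gathered entry.
    Auto-certify what matches the role definition or is held by at least peer_threshold
    of the department (a policy choice); send uncatalogued entries and outliers to review."""
    members, holders = defaultdict(set), defaultdict(set)
    for user, dept, ent, _ in gathered:
        members[dept].add(user)
        holders[(dept, ent)].add(user)
    decisions = []
    for user, dept, ent, _ in gathered:
        share = len(holders[(dept, ent)]) / len(members[dept])  # peer prevalence
        if ent not in catalog:
            decisions.append((user, ent, "review", "not in entitlement catalog"))
        elif ent in roles.get(dept, set()):
            decisions.append((user, ent, "auto-certified", "matches role definition"))
        elif share >= peer_threshold:
            decisions.append((user, ent, "auto-certified", f"held by {share:.0%} of {dept}"))
        else:
            decisions.append((user, ent, "review", f"outlier: {share:.0%} of {dept} hold it"))
    return decisions

def attestation_summary(decisions):
    """Counts for the attestation report, plus the share of entries the process automated."""
    auto = sum(1 for d in decisions if d[2] == "auto-certified")
    return {"auto": auto, "review": len(decisions) - auto, "automation_rate": auto / len(decisions)}
```

The "review" rows are the remediation queue: a reviewer approves or revokes them, and only those outcomes need to be returned to the source systems.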

Page 57: Architecting Your Future-State ... - TechVision Research

Identifying Capabilities for Each Service (e.g., Access Governance)

Page 58: Architecting Your Future-State ... - TechVision Research

How the Capabilities can be Deployed

(Chart: deployment options Deployed via SaaS Only / Can be Deployed via SaaS or On Premises / Deployed On-Premises Only, plotted against Near Term, Mid Term and Long Term. Roadmap items from the chart:)

• Focus on new User and Administrative Interfaces being served from the cloud

• Leverage existing on-premise deployments, using SaaS based services to augment and modernize customer experience

• Agents and Connectors deployed on-premises to serve applications that remain in customers’ local data-centers, remotely managed by SaaS services

• Full suite of identity services delivered as a service, managing SaaS applications and remotely managing applications that remain on-premise

• With virtual appliance packaging, single instance per tenant SaaS deployments are possible

• Virtual appliances can be deployed on-premise or in IaaS

• Fleshing out fully elastic multi-tenant versions of our identity services

• Package “SaaS first” offerings into single instance, self contained virtual appliances

• Begin to wean customers off traditional on-premise deployments in favor of SaaS offerings and/or virtual appliances

• Promote SaaS offerings as preferred deployment option, but keep appliances as a fall back for redundancy/disaster recovery or slow SaaS adopters

Page 59: Architecting Your Future-State ... - TechVision Research

Types of Vendor Relationships

• SaaS: Direct Sales

• Packaged Software: Direct Sales

• Perpetual License

• Subscription

• Resellers: Leverage a Broader Sales Force

• Systems Integrators: Leverage a Broader Deployment Force

• Managed Service Providers: Leverage Someone Else’s Infrastructure

Page 60: Architecting Your Future-State ... - TechVision Research

Agenda

• Background and Workshop Objectives

• The Digital Enterprise: Digital Transformation and Identity Management

• The Future of Identity Management: The Top 12 IAM Trends

• The Art of the Possible: Architecting your Future-State IAM Foundation

• Zero Trust and Frictionless Security

• IT Governance and Administration

• Sponsored Session: Radiant Logic’s Role in the Future of IAM

• Discussion, Q&A


Page 61: Architecting Your Future-State ... - TechVision Research

Radiant Logic’s Role in the Future of IAM

Wade Ellery, Radiant Logic

Gary Rowe and Doug Simmons, TechVision Research

9/10/20

Page 62: Architecting Your Future-State ... - TechVision Research

The World of Access is Expanding

Identity is the New Perimeter

Driver 1: Federation/Access Management

Driver 2: Hosting and syncing identity to the cloud

Page 63: Architecting Your Future-State ... - TechVision Research

The Challenges of a Fragmented and Distributed Identity System

The integration and architecture of on premise IAM and cloud-based IAM systems will be critical decision points for most organizations

Page 64: Architecting Your Future-State ... - TechVision Research

While Federation Organizes Access, Identity Integration is Often Required

Attributes are key

Page 65: Architecting Your Future-State ... - TechVision Research

The Move to the Cloud: The Hybrid World is Full of Opportunity but will Compound the Challenges

Page 66: Architecting Your Future-State ... - TechVision Research

As Federation and the Cloud Grows, There Will be More Than One Integration Point and Hub

(Diagram label: Data centers on prem)

Page 67: Architecting Your Future-State ... - TechVision Research

The Solution:

An Identity Integration Hub Service on Virtualization & Synchronization

• With the extension of federation and the integration to the cloud, the requirements for different levels of identity integration, views and storage have increased.

• In turn this will require a multiplication of “identity hubs” (ex. AWS, Azure, Google Cloud) at different levels (on prem, regional, national), and the “pipes” (ex. AD-Connect) and logic to keep them in sync.

• The solution: A federated identity and directory service based on integration & synchronization

Page 68: Architecting Your Future-State ... - TechVision Research

Identity Integration and Services Working in Concert

(Diagram labels: SaaS Application, Other Directory or Identity Repository, Consuming Applications, Directory Environment, Database, Multiforest/Multidomain Environment, Normalized Shared View, Identity Orchestration Service, Identity Aggregation Service, Virtualized Aggregated View with Hierarchical view and Geographical view, Identity Services API, Authentication Service, Authorization Service, API Gateway)

Page 69: Architecting Your Future-State ... - TechVision Research

First Step

Identity Aggregation – Dynamic View Generation

(Diagram labels: On Premises Application, SaaS Application, Other Directory or Identity Repository, Consuming Applications, Hierarchical view, Geographical view, with a PEP/PDP pair in front of each consumer)

• The service creates the view of the identity data that best suits the needs of the consuming application

Page 70: Architecting Your Future-State ... - TechVision Research

Second Step

Identity Orchestration – Sharing Changes

(Diagram labels: Resources (Directory, Database, Application, OS, SaaS Application, Devices, Email) reached through Remote Connectors and Local Connectors; Connectors, Application Interface, Persistent View, Join; Persistent, Replicated Identity Repository; Bidirectional Change Events; Activity Auditing; Consuming Applications; Normalized Shared View; Join Engine)

The Join Engine manages the data sharing relationships between connected systems.

The Normalized Shared View maintains the common state of the shared data between connected systems.

Page 71: Architecting Your Future-State ... - TechVision Research

Simplify/Extend Your IdP Deployment with a Federated Identity and Directory Service

Federation approaches such as OpenID Connect, OAuth and SAML are critical

Use of identity data abstraction/virtualization will become more important

Page 72: Architecting Your Future-State ... - TechVision Research

The Identity Integration Challenges Seen in the “Real World” – No Unicity of Identity Across All Data Sources

Page 73: Architecting Your Future-State ... - TechVision Research

Identity and Context Virtualization Process

Page 74: Architecting Your Future-State ... - TechVision Research

FID Based on Virtualization: Local Systems Publishing to a Logically Centralized Directory (Manage Globally, Act Locally)

• Acting as an abstraction layer between applications and the underlying identity silos, virtualization isolates applications from the complexity of back-ends.
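As an added example, not RadiantOne’s code or API, a minimal Python sketch of the aggregation, join and view generation described on the First Step, Second Step and virtualization slides: three silos with different keys (the “no unicity” problem) are correlated on a normalized mail attribute into a Normalized Shared View, accounts with no authoritative HR record are surfaced as orphans, and consuming applications receive projected views without seeing the back-ends. The source records, attribute mappings and source precedence order are all constructed assumptions.

```python
from collections import defaultdict
# Constructed sample silos; each keys identities differently, so no single
# identifier is shared by all sources (the "no unicity" problem).
AD = [{"sAMAccountName": "jdoe", "mail": "J.Doe@Example.com", "department": "Finance"},
      {"sAMAccountName": "asmith", "mail": "a.smith@example.com", "department": "IT"}]
HR = [{"employee_id": "E100", "email": "j.doe@example.com", "location": "Paris", "title": "Analyst"},
      {"employee_id": "E200", "email": "a.smith@example.com", "location": "Austin", "title": "SRE"},
      {"employee_id": "E300", "email": "m.lee@example.com", "location": "Paris", "title": "Intern"}]
SAAS = [{"login": "J.Doe@example.com ", "role": "admin"},
        {"login": "svc-report@example.com", "role": "viewer"}]  # no HR or AD record

# Join rules: which attribute carries the correlation key in each source, and how
# source attribute names translate onto the normalized schema (assumed mappings).
SOURCES = {
    "hr": {"records": HR, "key": "email",
           "map": {"employee_id": "employee_id", "location": "location", "title": "title"}},
    "ad": {"records": AD, "key": "mail", "map": {"sAMAccountName": "uid", "department": "department"}},
    "saas": {"records": SAAS, "key": "login", "map": {"role": "saas_role"}},
}

def aggregate(sources, precedence=("hr", "ad", "saas")):
    """Build the Normalized Shared View: one entry per correlation key (trimmed, lowercased
    mail), attributes translated to the common schema, provenance kept for traceability."""
    view = {}
    for name in precedence:  # earlier sources win when two supply the same attribute
        src = sources[name]
        for rec in src["records"]:
            key = rec[src["key"]].strip().lower()
            entry = view.setdefault(key, {"mail": key, "sources": []})
            entry["sources"].append(name)
            for attr, common in src["map"].items():
                entry.setdefault(common, rec[attr])
    return view

def orphans(shared, authoritative="hr"):
    """Identities with no record in the authoritative source: what a governance review wants to see."""
    return sorted(m for m, e in shared.items() if authoritative not in e["sources"])

def application_view(shared, attrs):
    """Project only the attributes a consuming application asked for, so the app is
    isolated from the back-end silos and their naming conventions."""
    return [{a: e.get(a) for a in attrs} for e in sorted(shared.values(), key=lambda e: e["mail"])]

def geographical_view(shared):
    """Group the shared view by location; identities without one go under 'unknown'."""
    out = defaultdict(list)
    for e in shared.values():
        out[e.get("location", "unknown")].append(e["mail"])
    return {loc: sorted(v) for loc, v in out.items()}
```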

Page 75: Architecting Your Future-State ... - TechVision Research

RadiantOne Federated Identity and Directory Service: A System Made of Two Parts

• RadiantOne Federated Identity and Directory Service is made of two main parts:

– An integration layer based on virtualization for:

• Identity aggregation and correlation

• Mapping and translation logic

• Advanced distributed join

• Group rationalization

• Modeling application-specific virtual views

– A storage layer (HDAP)

• Based on big data technologies

• Used as persistent cache

• Fully LDAP v3 compatible with a modern architecture

(Diagram labels: Integration Layer, HDAP Storage)

Page 76: Architecting Your Future-State ... - TechVision Research

What is HDAP?

• HDAP is the RadiantOne Big Data directory

– a Next-Gen LDAP v3 compliant directory driven by Big Data and Search Technology

• This highly-available version of LDAP offers better performance and increased scalability.

• Beyond LDAP, HDAP supports other protocols such as SQL and ADAP (REST interface to LDAP)

Use of identity data abstraction/virtualization will become more important

Page 77: Architecting Your Future-State ... - TechVision Research

Cluster, Leader, and Follower Deployment

Page 78: Architecting Your Future-State ... - TechVision Research

ADAP: a REST Interface to LDAP/HDAP

• LDAP is a good protocol, but it is not web based. The closest thing to a web service for LDAP is provided by DSML, which is XML based and outdated. The new trend is to deliver information via a REST interface.

• The usage of HDAP can be very broad. One crucial capability of LDAP is the ability to navigate and discover context about any given subject or identity. Navigating a directory is a form of graph and contextual discovery that allows you to have progressive disclosure of information. This is key in security, and elsewhere, but LDAP doesn't support the web service interface for delivering that information.

• Putting all this capability that exists in LDAP into a REST interface opens LDAP to the web.

Page 79: Architecting Your Future-State ... - TechVision Research

Syncing to Different Clouds (Azure AD and AWS)

(Diagram labels: Active Directory, LDAP Directory, Database, Federated Identity and Directory Service, AD LDAP, + AD Connect)

Page 80: Architecting Your Future-State ... - TechVision Research

RadiantOne Creates Global Profiles that can be Provisioned to Each App (and then Kept in Sync)

Page 81: Architecting Your Future-State ... - TechVision Research

Integrating identity to Sync to the Cloud

Page 82: Architecting Your Future-State ... - TechVision Research

Conclusion

• Integrate and Modernize your identity and directory infrastructure

• Leverage virtualization/integration/synchronization and a modern directory storage to deliver a common identity service for:

– Access Management/Federation

– IGA

– Linking and provisioning your identity infrastructure on the cloud (Azure AD, AWS)

Page 83: Architecting Your Future-State ... - TechVision Research

TechVision Recommendations

• Consider the 12 future state directions for IAM within your reference architecture and future state portfolio

• Invest in a consistent governance model but understand it requires:

– Cleaning up your existing environment; in particular as you prepare for proper migration to the cloud

– Automate 80%-90% of governance, focus on the anomalies

• The “Identity of Everything” is the roadmap to navigating and creating digital business opportunities

• Begin to iterate with new approaches/technologies such as password-less authentication, decentralized identity and verifiable claims


Page 84: Architecting Your Future-State ... - TechVision Research

TechVision Recommendations

• Systematize your collection of requirements, understanding of current state and development of your reference architecture in the context of the new Digital Enterprise

• Expect your future-state enterprise IAM model to be more open, adaptive, flexible, scalable, and include many new objects—internal and external

• …but understand that legacy systems, hybrid environments, conflicting governance models and messy data must be cleaned up, managed and orchestrated to move to the next generation of IAM

• The right IAM model and execution will securely enable a Secure Digital Enterprise


Page 85: Architecting Your Future-State ... - TechVision Research

Thank You!

Sept. 20-23 2021