5 Reasons to Avoid Traditional IAM’s Bridge to Nowhere
Published on July 2, 2020,
Even a global pandemic isn’t reducing the demand for digital transformation. As customers look for ways to engage with applications on their smart devices and workforces are increasingly “work from home”, the need for digital transformation has accelerated. Development teams eager to progress app modernization and transformation goals are looking for ways to accelerate the process and remove any roadblocks. We must look at the ways traditional IAM solutions are hindering application modernization, acting as a "bridge to nowhere".
For teams with traditional IAM platforms, here are the top 5 ways it's likely slowing your app modernization:
- It wasn’t built for the cloud and cloud-native services
- It lacks OAuth 2.1 transactional and continuous authorization
- It wasn’t built for on-demand computing
- It isn’t designed for privacy regulations
- It wasn’t built for scale
Traditional IAM Wasn’t Built for the Cloud
Application development practices and web infrastructure continue to evolve, as new ways to build, manage, and deploy applications are introduced into the market. Consider that just 10 years ago, the idea of deploying a fleet of containerized applications through Kubernetes would’ve seemed impossible. Now, teams regularly use Docker and Kubernetes as part of their modernization efforts in decomposing monolithic applications into more manageable, and agile, services. It’s no wonder then why legacy IAM solutions built 10, or 20 years ago, aren’t ready to handle the needs of modern applications. Distributed architecture, serverless computing, and API-driven development all introduce new complexities into application infrastructure, requiring identity and access management to properly manage and secure. With its heavy footprint, slow upgrade cycle, LDAP backend, inability to scale and long lived sessions. Traditional IAM solutions aren’t capable of supporting the new wave of APIs, microservices and functions that development teams are building and deploying today.
Protecting microservices, functions, data, applications and APIs requires extending identity to each and every service at the service edge. At Cloudentity we’re breathing new life into traditional IAM platforms, leveraging what they do well (e.g. authenticate users) and extending it into multi-cloud application ecosystems with cloud-native identity and authorization microservices that extend the investment made into your IAM/CIAM platform for years to come.
Traditional IAM Lacks OAuth 2.1 Transactional, Contextual Authorization
Identity and access management was originally built to answer these fundamental questions:
- Who is connecting to my application (authenticatioN)?
- What do they have permission to do (authoriZation)?
These two questions are still highly relevant decades later but as cyber security attacks have grown in sophistication and cloud computing has introduced more service to service (machine to machine) communications, we have to consider new ways to stay protected. In recognizing this change in cybersecurity, Gartner has advocated adopting continuous and adaptive measures to dynamically adapt to changes in the cybersecurity landscape.
The security requirement is that as changes in state happen—like change in risk or threat, such as the result of a token replay or MiM attack— during a transaction, the corresponding risk must be continuously assessed and dynamically updated as a reaction to mitigate evolving threats. In an identity context, this means that access to application resources like APIs or even individual data objects MUST be continually assessed and adapted to provide real-time mitigation of threats when they emerge. Since authentication is a one time event (i.e. session), all of this becomes the responsibility of authorization. Thus, a continuously adaptive approach is necessary to ensure that every transaction is analyzed for risk factors that might suggest suspicious or fraudulent activity.
Without a perimeter, identity and authorization has become the security layer for mitigating most threats to a service or API. Without continuous, contextual, or risk-based, authorization there’s zero capability of assessing and mitigating risk at a transaction level much less all of the corresponding API transactions between front and backend services. For example, is the user trying to connect to an API over an untrusted VPN network? Is the user connecting to the device from a suspicious location? Is the user probing for business logic attacks? Understanding the sensitivity of the transaction from a user, data, service perspective enables a layer of security that can thwart attacks and keep applications safe. At Cloudentity we’ve built our Authorization Control Plane to act as a lightweight, yet powerful authorization server that continuously analyzes services and APIs for the data types they are passing and then cojoins data from cyber solutions (WAF, threat feeds, UBA, etc.) to generate risk for each and every transaction via authorization. This way, APIs are continuously monitored, and suspicious activity can be mitigated via additional triggers (i.e. Transactional MFA or Manager Approval) . Zero-Trust is established and access to resources and data is continuously assessed and monitored—something traditional IAM solutions are unable to provide, much less perform, at scale.
Traditional IAM Wasn’t Built for On-Demand Computing
Next generation application architecture like serverless functions (eg.AWS Lambda) are transforming how applications are developed, offering considerable cost-savings and performance at scale. Gartner estimates that by 2025 more than 50% of global enterprises will have deployed serverless function platforms (fPaaS). Development teams are eager to adopt serverless computing, as they provide boosts to productivity, scale, and cost-efficiency. But the notion of temporary, or on-demand, resources like serverless functions are challenging for traditional IAM solutions given they are monolithic platforms designed for centralized on-prem data centers. How do you extend identity and continuous context to serverless when every call has to go back to the centralized IAM? What does performance look like for on-demand resources when every request has to be confirmed by a centralized traditional IAM platform? We’ve built our identity microservices to provide support for serverless computing by extending declarative authorization to on-demand resources via a Serverless Policy Decision Point. The MicroPerimeter™—the policy decision point of our platform—automatically register with the central fPAAS platform and inserts itself into all ingress and egress traffic, placing identity and authorization next to your on-demand services and saving seconds in latency while increasing security.
Traditional IAM Wasn’t Built for Privacy Demands
When the General Data Protection Regulation (GDPR) went into effect in 2018, countries around the world followed suit and introduced their own set of data privacy laws. While these laws vary from nation to nation, they share a common requirement around the need to provide more transparency and control to users around the use and collection of their personal data. As businesses and applications share more of their data with partners and third-parties , they must consider how consent is granted, managed and enforced in order to avoid running afoul of data privacy laws. Beyond compliance, customer privacy laws is good practice given that users are increasingly aware and concerned with the amount of data collected and shared without their consent. Traditional IAM tools were built to provide role-based access to resources, which can be difficult to manage with increase in service-to-service communications and they're additionally incapable of addressing the privacy authorization of “what can a service know about a user?” Without shared consent management, enforcement and reporting, application teams create their own methods or use third-party solutions, creating a usability and governance nightmare across the application ecosystem. Cloudentity’s Progressive Consent Management and Privacy Ledger provide a data-object level consent coupled with immutable audit of every consent action across your application ecosystem, allowing companies to standardize collection, management and storage of consent preferences. As a piece of our Authorization Control Plane, the Privacy Ledger can be utilized to assess consent status for each authorization request, providing data object level consent enforcement for an API endpoint across any application infrastructure.
Traditional IAM Wasn’t Built for Scale
Finally, Traditional IAM solutions weren’t built for the global scale, availability, and cost-control mechanisms expected by modern applications. Sure, you can try to build a distributed architecture based on 90’s technology across the major clouds with LDAP and a traditional IAM platform but that doesn’t cover China, cottage cloud or the all–important IoT, consumer and partner edge much less take into account the costs of running legacy code and giant JVMs. As more users, devices, and services are integrated, traditional IdP’s (session providers) and Authorization services MUST scale and grow horizontally to meet the demands of applications, without driving up infrastructure costs. In essence, pairing microservices with microservices, and functions with functions, to provide development teams the speed, scale and agility mandated by digital transformation programs. Extending multi-level, delegated administration to your partners, customers or new business plans shouldn't require new deployments and instances of your IAM platform. With Cloudentity, we make this possible with lightweight services designed for distributed environments and providing throughput orders of magnitude over those of legacy providers.
Advancements in application development, infrastructure, and cloud computing have provided tools that accelerated development teams years beyond what traditional identity providers can provide. The fear is that in order to bridge that divide you’ll need to upgrade or rip-and-replace with a new IAM platform. But that’s what we’re here to solve. We’ve built identity microservices, distributed authorization, and AI that plays well with existing platforms, so they can be easily integrated. It’s why we say don’t rip-and-replace when you can augment and extend your IAM solutions and accelerate your application modernization efforts.
Ready to learn more? Sign for a demo today and we’ll show you how we can enhance existing IAM solutions and accelerate application modernization.