By Lasse Andresen, CTO of ForgeRock
Every CIO needs a reliable identity and access management (IAM) system for protecting employee, customer, and partner data – and for years, they have relied on traditional, proprietary IAM vendors to secure their user identities and data behind the company firewall.
In the past few years though, IAM needs have changed dramatically. Employees expect access to company systems anytime, anywhere; customers expect immediate and constant access to user-friendly, consumer-facing data; and partners need access to various apps with limited access to company data.
Traditional IAM cannot protect the modern web
Traditional IAM solutions were designed exclusively for the on-premises enterprise; they were not equipped to handle or adapt to the immediate demands of the modern web. Let’s remember that the common use cases that influenced the initial development of traditional IAM were based on a very different set of business needs when compared to today’s needs. Early IAM was developed to secure employee identities and protect enterprise applications and data that were maintained behind the company firewall. The access devices were provided to the users (employees) by the company, usually a desktop or laptop. The scaling requirements were limited to the company’s employees, so a deployment that exceeded 100,000 was rare. While use cases such as onboarding and offboarding of users were common, these processes happened at a much slower pace compared to today and were necessitated by predictable and intermittent events such as the hiring of a new employee.
In his presentation, Killing IAM in Order to Save It, Gartner’s Ian Glazer states that “current enterprise identity and access management cannot adapt and cannot evolve to the contemporary web. Identity management presently is ensconced in a reasonably static world. Identities are created, owned and managed by the enterprise. The problem is the world around identity management is growing both larger in terms of the constituents that have to be served and moving faster than this static model can keep up with.”
Glazer notes that “the current style is slow, requiring changes when an individual is added, moved or leaves an organisation, and while this works fine, this isn’t the current pace or style of the modern enterprise, partners, or the customers that are working in the modern web. Legacy IAM systems are apart from instead of a part of other crucial business services of an enterprise which ultimately is inconvenient and requires additional work. Modern systems need integrated systems.”
Today, the needs are much different. Users are not just employees, but also customers and partners. In fact, the user might be anonymous initially. The users are accessing applications from locations far beyond the company firewall and from a multitude of devices. Further, the applications themselves are often hosted in the cloud and provided by a SaaS provider. The volume of users has exploded, and the rate at which they change and the number of identities they require have expanded. This is not to say that there still isn’t a need for traditional IAM. Rather, a new open, agile, scalable IAM platform is needed – a platform that can integrate with the legacy systems, but also provide for the needs of today’s modern web environments.
So how can a CIO extend, integrate, and modernise their identity infrastructure to solve for these common new use cases?
Fortunately, an alternative to traditional proprietary IAM vendors exists. Open source IAM was built from the ground up, tailored to the needs of the modern web, and equipped to handle IAM requirements across cloud, social, mobile, and enterprise systems.
Open source IAM can rescue the modern web
Open source IAM is able to adapt to the modern web where legacy IAM vendors cannot, for several key reasons.
Open source IAM products are designed to be unified, lightweight, modular, and scalable. This allows them to quickly and easily adapt to the ever-changing, ever-growing requirements of the modern web. Legacy products were built by acquisition over time, making their solutions inherently piecemeal, bulky, and complex—and thus ultimately time-consuming to implement and inefficient in practice.
The open source build process itself facilitates organised, lightweight, and efficient design that can adapt to the shifting security needs of the modern web. With access to the source code, a wider community of developers works together to develop fixes, innovations, and stable new releases, checking each other’s work for fewer bugs and quicker fixes. Unlike the traditional development process, the users have the opportunity to evaluate and critique the actual code, not just how it works but how it was written to work. This doesn’t just make open source IAM the fastest, most adaptable solution on the market, but also the safest, most secure IAM solution available.
Developers are also notoriously hesitant to release code with their name on it without thoroughly vetting it first, lest they lose credibility with the entire community. Because the world can see their work, developers strive for a great product that earns them the respect of their fellow developers, maximising quality.
The collaborative nature of open source IAM also speeds development, making open source IAM highly responsive to consumer needs and quick to release product updates, fixes, patches, and stable new versions, thus providing great value for money.
Open source IAM provides a development model where organisations can commit code tailored to their needs back to the project, where it must pass a rigorous quality assurance process, providing a level of participation and influence that is not possible with proprietary IAM offerings. For vendors who use an open source development process this means that a broader, more timely set of requirements and use cases can be considered when defining the product.
The benefit of open source is that modifications of general interest can be vetted and accepted into the code base much faster, diminishing the need for additional development work on the part of the customer, or expensive requests for custom code from legacy IAM vendors.
Over time, open source has the power to bring identity and access management code development for the majority of companies—big and small—into alignment, thereby establishing a safe, useful, efficient, and elegantly architected IAM standard for the modern web.
And at the end of the day, open source IAM is investment protection. When a proprietary vendor decides to stop supporting one of its products and announces “end-of-life,” the installed base of customers has few options other than to replace it, a far too common scenario that comes with high cost and risk to the business. Open source products, on the other hand, do not suffer this risk. With access to the source code, the larger technology marketplace will continue to support and innovate products and solutions where there is customer need.
The open source model presents a highly attractive alternative as enterprises seek out lightweight, flexible IAM solutions that can accommodate both the standard needs of the traditional, on-premises enterprise, and dynamic requirements of the modern web, whether mobile, social, or in the cloud.