Virtualization Technology News and Information
Extensibility in the Cloud: The Future of Identity and Access Management


By Allan Foster, Chief Evangelist at ForgeRock

One of the unique strengths of an identity and access management (IAM) solution is flexibility. IT decision-makers want the ability to extend the technology through plug-in application programming interfaces (APIs), hooks, and various components that enable customers and partners to add and modify capabilities, like authentication methods. As a result, companies need technology ecosystems that provide a vast network of pre-built, tested, certified and consistently updated integrations.

For successful business outcomes, businesses need well-designed, robust IAM platforms whose defaults cover the majority of use cases while still allowing those capabilities to be extended.

Notably, the rise of the cloud deployment model has changed how we think about the future of extensibility.

Wrapping Our Minds Around Extensibility in the Cloud

In a typical on-premise environment, extending an IAM solution required a business to have the domain expertise to use an API defined for a specific platform. With the emergence of more cloud services, extensibility capabilities need to be managed earlier in the cycle. If an IAM vendor owns the execution space in the cloud, it's not feasible for third parties to drop code into that environment, especially when the vendor is hosting services for multiple enterprises. Doing so would raise security, reliability, and resource usage concerns.

Since I am an inveterate car buff, I'll use a simple automotive analogy. Car radios used to be installed as aftermarket devices by your local dealer or an automotive radio shop. Today, it's all done at the factory, and the radio is inherently part of the car's overall system, such as the onboard computer and the fuel injection system. We're seeing that same shift in cloud-based IAM as a service. Software no longer runs on-premise, so businesses cannot simply drop code in. As a result, add-on capabilities must be offered earlier in the chain through a process that's scalable, manageable, and secure.

How it Works Versus What it Achieves

When we think of on-premise extensibility, the focus is on the mechanics of how the system works: How does it get to the data? Where does it store the data? How does it process the data? But moving to a cloud platform changes how we look at extensibility, and what becomes most relevant is what the business is trying to achieve.

Bear with me for another automotive analogy: Many of us might remember tinkering under the hood of a car, making adjustments like setting the spark plug points gap just right to provide plenty of juice to the engine. But today, most of us drive a modern, automated vehicle with a button on the dash that says "sport" or "economy." The car behaves differently depending on which button is pushed. Drivers probably have no idea whether there is a .25 or a .28 gap on the spark plug points, and it doesn't matter anymore. What does matter is what the driver is trying to achieve. Depending on the mode the driver sets, they get better fuel economy or a faster, tighter drive.

Similarly, with IAM in the cloud, what matters most is how a business can shape the IAM capability to meet its goals without having to control the mechanics of how that is done.

To an extent, a level of acceptance is required when businesses sign up for a cloud-based IAM service. They don't know what data store the service uses - whether it's a directory or a database - and they don't necessarily need to know, as long as the identity component is delivered. What businesses do care about is controlling or guiding user interactions. What happens when a user connects, rather than how it happens, is of utmost importance.

As it relates to extensibility, what becomes critical is how notifications can meaningfully shape the flow of events in the authentication journey. In this event-based model, businesses want an extension that tells them when the system begins authentication or when it starts collecting usernames and passwords. Businesses may want the ability to change a subset of the information that is part of that event, for example, ensuring that the username is all uppercase or that the password is longer than eight characters. Achieving these kinds of refinements in an IAM cloud implementation only takes a simple script of two or three lines of code.

Another use case involves delegation, and authentication nodes are a prime example. When authentication is required, it can be delegated to an extension that executes the code: the platform tells the node to authenticate the user, and the node reports back its findings on that user. In the cloud, this may require calling out to another service, such as a risk and analytics tool. Again, when businesses want to consume identities in the cloud, they don't want to keep track of the authentication repository - they just want it to work as it should.
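As an added illustration (not ForgeRock's code or API), the event model and the delegation model of the previous two paragraphs reduced to one small, hypothetical Python journey: hooks on the credential-collection event can modify or veto the event, and an authentication node delegates its decision to a constructed risk scorer standing in for an external risk service. All class, function and event names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class AuthEvent:  # one journey step, as exposed to extension hooks
    name: str
    data: dict
    denied: bool = False
    reason: str = ""

class Journey:
    """Hypothetical event bus: hooks register for a step and may modify or deny it."""
    def __init__(self) -> None:
        self._hooks: Dict[str, List[Callable[[AuthEvent], None]]] = {}

    def on(self, event: str, hook: Callable[[AuthEvent], None]) -> None:
        self._hooks.setdefault(event, []).append(hook)

    def emit(self, name: str, data: dict) -> AuthEvent:
        ev = AuthEvent(name, data)
        for hook in self._hooks.get(name, []):
            hook(ev)
            if ev.denied:  # one veto ends the step; later hooks never run
                break
        return ev

# Short extension scripts of the kind the article describes.
def uppercase_username(ev: AuthEvent) -> None:
    ev.data["username"] = ev.data["username"].upper()
def require_long_password(ev: AuthEvent) -> None:
    if len(ev.data["password"]) <= 8:
        ev.denied, ev.reason = True, "password must be longer than eight characters"

# Delegated node: a constructed risk scorer stands in for an external risk service.
def risk_score(username: str) -> int:
    return 90 if username.startswith("ADMIN") else 10  # constructed rule
def risk_node(ev: AuthEvent) -> None:
    # Only the username is sent out; the password never leaves the platform.
    if risk_score(ev.data["username"]) > 50:
        ev.denied, ev.reason = True, "risk service rejected login"

def build_journey() -> Journey:
    j = Journey()
    j.on("collect_credentials", uppercase_username)
    j.on("collect_credentials", require_long_password)
    j.on("authenticate", risk_node)
    return j
def run_login(journey: Journey, username: str, password: str) -> dict:
    ev = journey.emit("collect_credentials", {"username": username, "password": password})
    if not ev.denied:
        ev = journey.emit("authenticate", ev.data)
    return {"ok": not ev.denied, "username": ev.data["username"], "reason": ev.reason}
```

Because the hooks only see an event object, the same scripts work whatever directory or database the service keeps identities in, which is the point of the "what, not how" argument above.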

As businesses move up the cloud-based IAM technology stack, the industry must start thinking about delivering capability as a service. The "how" is only relevant to the people delivering the service, and businesses no longer need to be concerned with it. It's up to us in the industry to use our collective expertise and knowledge to determine the "how," making it easier for businesses to meet their goals and objectives in the cloud while also delivering the best possible user experience.

Allan Foster

Allan Foster is the Chief Evangelist at ForgeRock. As one of the founding team members, he has helped build ForgeRock into a multinational leader in digital identity. Allan has over 25 years of experience in the software development, internet, and Identity management spaces and has served in leadership positions in several organizations, including DIACC, Kantara Initiative, IEEE-ISTO, and IDPro. Prior to joining ForgeRock, Allan worked for Apple, Netscape, AOL, Guru Associates, and Sun Microsystems. In his spare time, Allan likes to cook and drink fine wines, and is currently exploring how to make sourdough bread. And oh, he likes to sail!

Published Wednesday, April 07, 2021 8:08 AM by David Marshall