By Allan Foster, Chief Evangelist at ForgeRock
One of the unique strengths of an identity and access management (IAM) solution is flexibility. IT decision-makers want the ability to extend the technology through plug-in application programming interfaces (APIs), hooks, and various components that enable customers and partners to add and modify capabilities, like authentication methods. As a result, companies need technology ecosystems that provide a vast network of pre-built, tested, certified and consistently updated integrations.
For successful business outcomes, it will be essential to arm businesses with well-designed, robust IAM platforms with defaults that cover the majority of use cases while also enabling extensions to those capabilities.
Notably, the rise of this flexible deployment model has changed how we think about the future of extensibility.
Wrapping Our Minds Around Extensibility in the Cloud
In a typical on-premise environment, extending the functionality of an IAM solution required a business to have the domain expertise to leverage an API defined for a specific platform. With the emergence of more cloud services, the management of extensibility capabilities needs to occur earlier in the cycle. If an IAM vendor owns the execution space in the cloud, it's not feasible for third parties to drop code into the vendor's environment, especially when the vendor is hosting services for multiple enterprises. Doing so would raise security, reliability, and resource usage concerns.
Since I am an inveterate car buff, I'll use a simple automotive analogy. Car radios used to be installed as aftermarket devices by your local dealer or an automotive radio shop. Today, it's all done at the factory, and the radio is inherently part of the car's overall system, such as the onboard computer and the fuel injection system. We're seeing that same shift in cloud-based IAM as a service. Software no longer runs on-premise, so businesses cannot simply drop code in. As a result, add-on capabilities must be offered earlier in the chain through a process that's scalable, manageable, and secure.
How it Works Versus What it Achieves
When we think of on-premise extensibility, the focus is on the mechanics of how the system works: How does it get to the data? Where does it store the data? How does it process the data? But moving to a cloud platform changes how we look at extensibility, and what becomes most relevant is what the business is trying to achieve.
Bear with me for another automotive analogy: Many of us might remember tinkering under the hood of a car, making adjustments, like setting the spark plug points gap just right to provide plenty of juice to the engine. But today, most of us drive a modern, automated vehicle that has a button on the dash that says "sport" or "economy." The car behaves differently depending on which button is pushed. Drivers probably have no idea if there is a .25 or a .28 gap on the spark plug points, and it doesn't matter anymore. What does matter is what the driver is trying to achieve. Depending on the mode set by the driver, the driver could get better fuel economy or a faster, tighter drive.
Similarly, with IAM in the cloud, what's most important is how a business can shape or influence the IAM capability to achieve its goals without having to control the mechanics of how that is done.
To an extent, a level of acceptance is required when businesses sign up for a cloud-based IAM service. They don't know what data store the service is in - whether it's in a directory or database - and they don't necessarily need to know, as long as the identity component is delivered. But what businesses do care about is controlling or guiding user interactions. What happens when a user connects, rather than how it happens, is of utmost importance.
As it relates to extensibility, what becomes critical is how notifications can meaningfully impact the flow of events in the authentication journey. In this event-based model, businesses are interested in having an extension that tells them when the system embarks on authentication or when it starts collecting usernames and passwords. Businesses may want the ability to change a subset of information that is part of that event, for example, ensuring that the username is all uppercase or that the password is longer than eight characters. Achieving these kinds of refinements in an IAM cloud implementation only takes a simple script consisting of two or three lines of code.
Another use case involves delegation, and authentication nodes are a prime example of this. When authentication is required, it can be delegated to an extension to execute the code. There, the software tells the node to authenticate the user and then reports back findings on the user. In the cloud, this may require calling to another service, such as risk and analytics tools. Again, when businesses want to consume identities in the cloud, they don't want to keep track of the authentication repository - they just want it to work as it should.
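The two preceding paragraphs describe the same event-based model from two angles: short hook scripts that observe and adjust the data in an authentication event, and a node that delegates its decision to an extension which may consult another service. The following is an added example written for this page, not ForgeRock code or any ForgeRock API. The names (onEvent, emit, riskService, delegatedAuthNode, runJourney), the event names, and the newDevice attribute are all assumptions; the risk service is a constructed in-memory stand-in for the external risk and analytics tool the text mentions.

```javascript
// Added example (not ForgeRock's code): a minimal event-driven authentication
// journey. Hook scripts see each event and may adjust a subset of its data or
// reject it; one node delegates its decision to an extension that calls a
// (constructed) risk service and reports findings back.

// Hook registry: event name -> list of scripts (hypothetical API).
const hooks = {};

function onEvent(name, script) {
  (hooks[name] = hooks[name] || []).push(script);
}

// Run every script registered for an event. A script returns null to leave
// the event alone, a partial object to overwrite fields, or { reject, reason }
// to stop the journey. The caller never learns where the identity store is.
function emit(name, event) {
  let current = { ...event };
  for (const script of hooks[name] || []) {
    const result = script(current);
    if (result && result.reject) {
      return { ok: false, reason: result.reason, event: current };
    }
    if (result) current = { ...current, ...result };
  }
  return { ok: true, event: current };
}

// The "two or three lines" of script the article describes: normalise the
// collected username to uppercase, and require more than eight characters
// in the collected password.
onEvent("usernameCollected", (e) => ({ username: e.username.trim().toUpperCase() }));
onEvent("passwordCollected", (e) =>
  e.password.length > 8
    ? null
    : { reject: true, reason: "password must be longer than eight characters" }
);

// Constructed stand-in for an external risk and analytics service. A real
// deployment would make a network call here; the scoring rule is invented.
const riskService = {
  score(ctx) {
    return ctx.newDevice ? 70 : 10;
  },
};

// Delegation: the node hands the work to an extension, which consults the
// risk service and reports its findings back; the node maps findings to an
// outcome. Threshold 50 is an assumed policy value.
function delegatedAuthNode(ctx, extension) {
  const findings = extension(ctx);
  return { outcome: findings.score >= 50 ? "stepUp" : "allow", score: findings.score };
}

function riskExtension(ctx) {
  return { score: riskService.score(ctx) };
}

// The journey: collect username, collect password, then the delegating node.
function runJourney(input) {
  const u = emit("usernameCollected", { username: input.username });
  if (!u.ok) return { result: "fail", reason: u.reason };

  const p = emit("passwordCollected", { username: u.event.username, password: input.password });
  if (!p.ok) return { result: "fail", reason: p.reason };

  const node = delegatedAuthNode(
    { username: u.event.username, newDevice: Boolean(input.newDevice) },
    riskExtension
  );
  return { result: node.outcome, username: u.event.username, riskScore: node.score };
}
```

Note that neither hook script nor the delegating node touches the data store or the authentication repository; they only see the event in front of them and the findings reported back, which is the "what happens, not how" boundary the article is drawing. A rejection from the password hook stops the journey before any delegated call is made, so a policy script can act as an early gate without knowing anything about the nodes downstream.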
As businesses start moving up the cloud-based IAM technology stack, the industry must start thinking about delivering capability as a service. The "how" is only relevant for the people delivering the service, and businesses no longer need to be concerned about it. It's up to us in the industry to leverage our collective expertise and knowledge to determine the "how," making it easier for businesses to meet their goals and objectives in the cloud while also delivering the best possible user experience.
## ABOUT THE AUTHOR
Allan Foster
LinkedIn: https://www.linkedin.com/in/allanfoster/
Allan Foster is the Chief Evangelist at ForgeRock. As one of the founding team members, he has helped build ForgeRock into a multinational leader in digital identity. Allan has over 25 years of experience in the software development, internet, and identity management spaces and has served in leadership positions in several organizations, including DIACC, Kantara Initiative, IEEE-ISTO, and IDPro. Prior to joining ForgeRock, Allan worked for Apple, Netscape, AOL, Guru Associates, and Sun Microsystems. In his spare time, Allan likes to cook and drink fine wines, and is currently exploring how to make sourdough bread. And oh, he likes to sail!