3 keys to re-evaluate your authorization management

Axiomatics   ·   Tuesday, June 1st, 2021

On May 27, I had the pleasure to join the KuppingerCole KCLive event with several industry peers in a panel discussion about  “Enabling the Future of Identity and Access Management”.  

The topic of implementing an interconnected IAM architecture designed for the post-pandemic era is a great conversation piece. Each of the speakers in the panel was well versed in their area of specialization. If you missed the live session, I highly recommend you catch the archived version here.

I want to elaborate that while we all grapple with the fall out of a remote workforce explosion, the challenge of data security is not limited to the post-pandemic era. Industries have been struggling with data access and rights management for years. The pandemic has shone a very bright light on the cracks in our data security armor. Dynamic Authorization is the core of the solution – it is, in essence, the central interconnection hub for access and authorization. To elaborate more, I will tackle three questions that were asked during the panel discussion section. I welcome your input and feedback on these points.

Q: What are the typical silos at play in the IAM space?

A: Having talked to several organizations, I have noticed a growing number of “Silos of Concern” between various roles who work in the authorization space. 

I often hear the Application developers “just need to get my app to work“ which clashes with the risk and compliance team focus “to get the compliance controls in place and checks done”. Meanwhile, the DevOps team “need to be able to deploy, scale and shift level the development”. Sound familiar?  I bet it does!  Here’s the challenge – This siloed approach is detrimental to an enterprise’s authorization efforts. It encourages teams to take a “not my problem” stand to the overall goal of a solution that works for the enterprise. 

There are some ways to ensure that your enterprise does not fall into this trap: 

• For enterprise IAM teams, each of the above-mentioned teams are business and technical stakeholders that need to be managed through communication shared understanding of the goals behind the authorization policies and ensuring that their concerns are addressed where possible and where not possible clear reasoning as to why should be provided.
• While emphasizing that enterprise security is a common goal, acknowledging that IAM is such a cross-cutting concern that it will impact the length and breadth of the organization and where possible, its architecture, design and implementation should be done with maximum flexibility and separation of concerns as possible.
• Use IAM systems and tools that provide the flexibility and customization that is needed in order to support all the stakeholders – developers, DevOps engineers, IAM analysts, compliance officers and business leaders.

Q: How can leaders implement IAM initiatives in their enterprise?  

A: My answer to this question is rooted in my experience of seeing the challenge from two lenses – as a vendor, then within an organization working to reinvent the IAM set up, and then back as a vendor again. I have to say, I like the vendor perspective, but that’s another conversation for another day. There are two main considerations that leaders need to keep in mind when implementing IAM initiatives in their enterprise:

a) Not-invented-here or Build vs Buy

Avoid falling into the “Not-Invented-Here” trap. Also expressed as the “Build-vs-Buy” discussion. This is an easy trap to fall into for organizations that have a big-enough development department. It may seem easier to develop a custom and “optimized” solution for your specific case. Who else knows the unique requirements and considerations of your complex organization than your in-house team?  It’s a perspective I myself shared.  However, many companies like mine learned that this seemingly logical approach fails because of unknown variables like Total Cost of Ownership, opportunity cost, and future commitment, maintenance, regulation, and the speed of technology evolution. What makes sense today may not, in 6 months from now. 

b) Capture → Implement → Optimize

This is a bonus for those reading this post, as I did not get the chance to discuss this during the panel. This may sound obvious, and there are so many ‘one-off’ exceptions but in general, make sure to spend time to capture the core requirements you need from your IAM system before you start on your journey of implementing it. Similarly, consider optimizing only after having a good idea of how your deployment and implementation look on the ground. Of course, these steps are never sequential as there will never be a formal end to the “capture” phase or the “implement” phase. It is essential not to jump to the next phase prematurely.

Q: What future developments do you expect in this space?

A: I am very excited about the future of Access Management. If the last decade was the decade of Identity, this will be the decade of Authorization. In the past, Authorization Management had been subsumed into the wider IAM space where Identity was the main concern. It was so tightly coupled as a function into the application space that it did not have a life cycle of its own.  However, across the various industry verticals, it is becoming clear to organizations, as they move along their technology maturity levels, that Authorization is a core and important element of enterprise security that warrants dedicated focus and investment.

KuppingerCole has a great archived webinar that discusses, What’s Next for IAM: Building for the Future . It’s another great lineup and conversation related to this topic.