3 IAM deployment models: Which will work for your organization?

Identity and access management (IAM) platforms have become vital components of corporate cyber security programs. They help companies manage digital identities and user access to systems, networks, and critical information within the organization—through role-based controls.

A key question for any organization looking to leverage IAM is what’s the best deployment model? Every IAM deployment will be unique, but there are three main models: on-premises, in the cloud, or within a hybrid environment. Each approach has its own challenges.

Following are some of the possible challenges companies might face with each and best practices for managing them.

Deploying IAM on-premises

With the on-premises model, most IAM solutions require significant infrastructure and platform footprint. It can be difficult to provide continuous availability and support, and to migrate from one vendor product to another, says Tim Skinner, information security manager at health insurer BlueCross BlueShield of Tennessee, which uses an IAM offering from Ping Identity.

Other challenges are that upgrades don’t always make the priority list for the security staff, and on-premises offerings require a large, specialized staff to run and monitor the IAM stack, Skinner says.

In the past, all business applications used to be situated “inside” the firewall of a corporation, and therefore very much contained. Now, many companies are using multiple software-as-a-service (SaaS) offerings via public clouds, exposing their data to web-facing applications and allowing users to access software from their homes and smartphones, notes Joan Pepin, CISO at identity and access management provider Auth0.

“Consequently, this is putting great pressure on the security and performance of authentication solutions,” Pepin says. “In an on-premise solution, hardware sizing, capacity planning, and management, and database administration will be particularly important.”

If this is an area an organization is already well staffed in and prepared to deal with, on-premises might be a good option, Pepin says. “But if it is not, building that muscle just for your authentication needs may not be the best investment,” she says.

The best way to address on-premises challenges is to put the time and discipline into thoroughly gathering the organization’s requirements and creating a “thoughtful and holistic approach from the ground up, which considers all of your stakeholders current and future integrations, use cases, and capacity,” Pepin says.

This should include data center capacity planning as well as a thorough understanding of the geographical and performance concerns of the business, Pepin says. 

Organizations might also consider implementing private cloud infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) offerings, Skinner says. “This gives you the features of a hybrid approach while keeping the control and assets fully owned in house,” he says.

Deploying IAM in the cloud

Among the challenges of cloud-based IAM is a shortage of experienced cloud systems security experts, Skinner says. Increased information security risk can be an unwanted result of this model if not done right, he says.

In addition, leveraging SaaS access control systems requires on-premises system compliance with current security authentication and authorization standards, Skinner says. “And you still have to know how to configure and integrate your on-prem systems with your cloud IAM systems,” he says.

If your organization has policies and practices of keeping production data out of non-production cloud tenants, some SaaS applications might require changes in your policies, Skinner says. If the SaaS offering in place allows customization, “how do you develop, test and deploy?” he says. “Will it line up with your current deployment and automation team’s processes and tools?”

With the cloud model, it’s important to understand what you’re doing and why, Skinner says. “Simply acting on a ‘cloud first’ strategy will lead to misery and regrets,” he says. “The most important way to address IAM cloud challenges is to have a coherent cloud strategy that lines up with your IAM needs, budget, human resource needs, technical and workforce constraints, and IAM architecture.”

Organizations must be able to measure results to expectations, “and be willing to accept direction changes based on your metrics,” Skinner says. “Your IAM cloud strategy must support your IAM objectives and live within the constraints of your corporate culture.”

The cloud is the most secure and seamless model, Pepin says, but there can be some challenges making sure integration is effective and efficient. “One of the challenges with the cloud model is ensuring that your security and compliance controls, such as access control, logging, and monitoring, are properly designed and implemented,” Pepin says. “All of the control objectives you manage on-premise are achievable in the cloud, but often require a different approach and tools.”

Another challenge is identity management across several independent organizations, Pepin says. That can lead to multiple identities within one enterprise, complicating security and administration.

A reliable identity-as-a-service (IDaaS) platform can address the challenges associated with cloud systems. “By incorporating a separate platform service into your environment, it takes the work off your hands to manage capacity planning, hardware, development of the core features, etc., and frees you up to worry about the implementation and end-user experience,” Pepin says.

This also allows management to focus on the core areas of expertise and intellectual property that are most valuable to the organization’s overall strategy, while leaving the complexities of IAM to an outside expert.

Deploying a hybrid IAM platform

A hybrid IT model is one of the first steps many companies take when they want to undergo a digital transformation journey, Pepin says. “It’s less expensive and resource-intense than a full private cloud option, making it popular among tech professionals,” she says.

Hybrid deployments can help an organization bridge the gap between the on-premises and cloud paradigms, providing them with the scalability and features of a cloud environment while still maintaining the on-premises footprint many enterprise security departments are most comfortable with, Pepin says.

“However, the management overhead and technical complexity are higher in this scenario, and will require a thorough architecture to work seamlessly,” Pepin says. Good, thoughtful design and an understanding of the goals of choosing a hybrid model are essential to its success, she says.

“Knowing which tools and interfaces belong in each zone and why is the best way to start,” Pepin says. “Then, ensuring your operational processes and playbooks take into account the increased complexity of troubleshooting and maintaining this deployment is critical for the successful operation of a hybrid deployment.” 

With the hybrid model, it’s “hard to cost justify many expensive subscriptions while maintaining an on-prem footprint as well as cloud.” Skinner says. Determining the levels of use of public vs. private cloud services can add complexity, and as with the cloud model a hybrid environment can lead to increased security risk if not done right, Skinner says.

One company that’s using the hybrid model is Motorists Insurance Group, which has major legacy application investments but is committed to modernizing and moving to a “cloud first, mobile first” strategy.

“We have cloud-based applications and partner relations that require us to be able to provision/de-provision users with full federation,” says Tony DeAngelo, assistant vice president of information security at Motorists Insurance Group. “Likewise, we have legacy applications that were never coded to support the modern methods for authentication or provisioning and require specialized connectors or coding that typically are not available for a cloud-based solution. A hybrid solution is a must for us, not just operationally but to enable the transition to our desired end state.”

The hybrid model brings together aspects of the other approaches. “While it maximizes the flexibility, it comes with a cost of additional overhead or administration,” DeAngelo says.

The company had standardized on on-premises IAM, with integration into its legacy applications and portals. “As we looked to the future, we knew we needed a platform that was nimble and allowed us to keep better pace with the needs of the business,” DeAngelo says. Motorists took a three-pronged approach, using a provisioning and governance product from SailPoint, SSO and multi-factor authentication from Okta, and a privileged access management platform from CyberArk.

“This created a hybrid platform to meet our IAM needs, leveraging the individual components for their strengths and blending on-premise and cloud solutions to provide the flexibility and broad reach we required,” DeAngelo says.

To keep administration and overhead from becoming a burden, the company relies on standards and automation, aligned with its corporate goal of continuous improvement. This allows it to focus more on supporting the business and empowering users, and less time maintaining systems and platform refreshes.

“In the end, IAM solutions have to fit your culture and enable the business,” DeAngelo says. “You have to understand your corporate direction and stay aligned with your business partners, so you are delivering the results they need.”