Part 5: The Customers and What to deploy?
To address the question: "What do I deploy for my customer?", let's explore the various customer types and their Identity and Access Management (IAM) / Identity Governance and Administration (IGA) needs.
Disclaimer:
I’m a Microsoft employee, so even if I had a lot to say, I’m bound by moral obligations. Do not expect me to criticize Entra ID or point to its feature gaps. For the same reason, I can’t speak about Identity IQ, Identity Now, Rippling, NetIQ, Saviynt, Identity Panel, ForgeRock, Midpoint or Okta. Maybe over a pint of beer if you stop by while in Redmond, WA. What I can do instead is explain the way I’d make decisions when choosing an IAM platform or SaaS service.
Customer types
Small shops
In the IAM world, companies with fewer than 1,000 employees are considered "small shops". This classification is based on budget constraints rather than needs. Often, manual IAM processes are more cost-effective and reliable than a poorly implemented IAM solution. Small shops typically manage with standardized Joiners, Movers, and Leavers (JML) workflows, HR data sourced from a CSV file, and basic IGA scenarios like group management and owner approval.
Options include:
· In-House Solutions: A set of scripts managed by a trusted individual. This approach works but relies heavily on a single person, posing a risk if that person leaves.
· On-Prem Solutions: Often based on the IT supplier’s favorite choice. Many MIM Foundation and HR engagements were deployed with minimal tweaking and contracted support. This requires extensive documentation and support for MIM and its infrastructure.
· Cloud-Based Solutions: Solutions like Workday + Entra ID + LCW Workflows + ECMA2Host. These require a P1 subscription or better. While Microsoft operates the infrastructure, customization is limited. This option is ideal for those going cloud-first or cloud-only who can afford it. It still requires someone to look after data conflicts and synchronization issues. It could become the preferred option for integrators if deployed as a green-field project or if customers are willing to adjust their IAM processes to the features offered by SaaS solutions.
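As an added example that is not part of the article, here is the core of the kind of in-house JML script described above: it reconciles an HR CSV export against a directory snapshot and reports, rather than acts on, the data conflicts a person still has to look after. The column names, the HR rows and the directory snapshot are constructed sample data.

```python
import csv
import io

# Constructed HR export (not a real feed); employee_id is the join key.
HR_CSV = """employee_id,name,department,status
1001,Alice Adams,Finance,active
1002,Bob Brown,Engineering,active
1003,Carol Clark,Sales,terminated
1004,Dan Diaz,Engineering,active
1004,Dan Diaz,Marketing,active
1006,Eve Evans,Legal,active
"""

# Constructed directory snapshot keyed by employee_id.
DIRECTORY = {
    "1001": {"department": "Finance", "enabled": True},
    "1002": {"department": "Sales", "enabled": True},
    "1003": {"department": "Sales", "enabled": True},
    "1005": {"department": "Legal", "enabled": True},
}


def reconcile(hr_csv: str, directory: dict) -> dict:
    """Classify HR rows into JML actions; duplicates and orphans are only reported."""
    rows = list(csv.DictReader(io.StringIO(hr_csv)))
    seen, dupes = set(), set()
    for r in rows:
        eid = r["employee_id"]
        if eid in seen:
            dupes.add(eid)  # two HR rows for one person: do not guess which is right
        seen.add(eid)
    out = {"joiners": [], "movers": [], "leavers": [],
           "conflicts": sorted(dupes), "orphans": []}
    for r in rows:
        eid = r["employee_id"]
        if eid in dupes:
            continue  # blocked until HR fixes the duplicate
        acct = directory.get(eid)
        if r["status"] != "active":
            if acct and acct["enabled"]:
                out["leavers"].append(eid)  # disable, do not delete
        elif acct is None:
            out["joiners"].append(eid)
        elif acct["department"] != r["department"]:
            out["movers"].append((eid, acct["department"], r["department"]))
    # Accounts with no HR record at all: orphans to review, a common sync conflict.
    out["orphans"] = sorted(e for e in directory if e not in seen)
    return out
```

The script deliberately never disables or deletes on ambiguous input; the conflicts and orphans lists are the work queue for the person who owns the process.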
Small Enterprises
Companies with fewer than 50,000-100,000 employees face similar needs to large enterprises but with tighter budgets. They aim to automate manual processes, especially forgotten passwords and basic JML scenarios. Common setups include a single AD DS forest or multiple domains, requiring Privileged Account Management (PAM) and Just-in-Time (JIT) permission elevation, and key vaults to manage service accounts; a need to manage secondary accounts; and a need for ownership management of groups, computers, telecom equipment, mailboxes and so on. Up to a dozen connected on-prem and cloud systems are typical: from Lync/Teams/Slack and hybrid mailboxes to M365/Google Suite accounts.
Somehow, tighter budgets were often coupled with very strict requirements and an unwillingness to change existing IAM/IGA processes. Back in my consulting days, these kinds of presales had the highest failure rate just because of that.
Options include:
· Homebrew Solutions: Not ideal unless there's a dedicated IAM department. Often replaced after years due to IT staff attrition.
· On-Prem Solutions: Suitable for organizations with IT teams trained to operate and troubleshoot the solution. Most on-prem IdM solutions easily scale up to 100k seats (even though they are monolithic applications). The choice is really between Windows + .NET and *nix + Java. The main factor of success would be the consultant building such a solution. Should a bastion forest with JIT/PAM and a 5-minute Kerberos TGT lifetime be needed, MIM PAM was the best and simplest solution possible, though it does not offer a PAM portal out of the box, only a REST API to submit elevation requests.
· Cloud-Based Solutions: These work for cloud-only or to-be-cloud-only customers. Despite feature gaps compared to on-prem solutions, SaaS IAM is becoming viable. Limitations include on-prem privileged account management and performance issues, which are being addressed over time (leaving operational and subscription costs aside, assuming that enterprises have productivity licenses anyway).
Big Enterprises
These organizations handle up to 500,000-1,000,000 identities, requiring advanced governance capabilities, geo-distributed systems, compliance with regulations, and more. With sufficient budgets, they can pursue whatever their IAM department needs.
These are the best customers to work with from a consulting perspective.
Options include:
· In-House Solutions: Generally not favored due to certification challenges and high risk.
· On-Prem Solutions: While these can handle large user bases, performance issues arise with extensive groups and roles. Scalability can be a significant challenge.
· Cloud-Based Solutions: Flexibility and performance might still be issues in 2024, but improvements are expected.
This means that, regardless of the option chosen, an in-house IAM division is crucial for big enterprises to address any gaps.
Consumer IAM
A type of customer that did not exist in the 1990s. This category includes streaming platforms, financial services, and online stores managing millions of users, suppliers and vendors.
Being such a special case, a generic IAM solution found on the market most probably won’t fit at all. I would split this into:
· Consumer IAM: customers, using 3rd party providers to authenticate and to provision their identities on the fly. Custom solutions are necessary.
· Vendor IAM: Generic IAM/IGA solutions might work for managing suppliers and vendors.
· Internal IT Staff Management: Classic enterprise-grade IAM solutions are suitable.
As of today, I’m not aware of any commercial IAM platform that supports management of that many identities (sure Entra ID and its B2C tenants or any other consumer platform can handle that number of users, but you can’t buy that as a platform, AFAIK).
Choosing the Right Solution
Ultimately, the choice depends on what you feel comfortable deploying and operating, and on what your customers can afford. The best IAM/IGA solution is subjective and depends on specific needs and circumstances. Technologies change; principles remain.
- What’s the best IdM/IAM/IGA solution on the market as of today?
- "Beauty is in the eye of the beholder."
Previous: Part 4: The Workflow Engine
Engineering Manager | Microsoft | Identity Management Expert
4 days ago: Part 8 added https://www.dhirubhai.net/pulse/part-8-iam-people-management-challenges-eugene-sergeev-w5ssc
Engineering Manager | Microsoft | Identity Management Expert
2 months ago: Part 7 added: https://www.dhirubhai.net/pulse/part-7-consulting-challenges-why-do-most-rbac-abac-fail-sergeev-2ppzc/
Engineering Manager | Microsoft | Identity Management Expert
2 months ago: Part 6: https://www.dhirubhai.net/pulse/part-6-engineering-challenges-connectors-eugene-sergeev-6rczc/
Microsoft Entra Architect || Azure AD B2B, B2C & Verifiable Credential || IAM & SCIM Developer || Cyber Security Architect || Assistant Consultant - TCS IAM COE - Cyber Security Practice
2 months ago: Very good explanation!!
Identity Management Solutions Architect
3 months ago: A thing I've noticed with smaller enterprises (1k to 3k) is it's often more complex than a 100k organisation. They haven’t been forced down the efficiency-at-scale path and still think they can do things ad hoc, on demand and with the expectation that unplanned exceptions will be accommodated by the IAM solution. It makes it almost impossible for them to go with a more commoditised IAM approach. Perhaps if they have really strong leadership who understand the need to simplify processes and force it through, but I've never seen that myself.