What Modern Identity Management (IdM/IAM/IGA) Solutions Should Look Like?

Intro

Part 1: The Datastore

Part 2: Connectors

Part 3: The Sync Engine

Part 4: The Workflow Engine

Part 5: The Customers and What to deploy?

Part 6: Engineering challenges - Connectors

Part 7: Consulting challenges – Why do most RBAC / ABAC Deployments Fail?

Part 8: IAM People Management challenges

In today's rapidly evolving tech landscape, big players are pushing for cloud-based management, urging customers to migrate from stable, legacy on-prem solutions to still-maturing cloud services. This raises a pivotal question: What should modern Identity and Access Management (IAM) solutions look like?

Beyond Traditional Systems

Modern IAM solutions go beyond the debate of workflow-based systems (fire and forget) versus state machines (knowing 'as-is' and 'as-to-be' states). They surpass the choice between SQL transactions and workers with no-SQL databases. They must address GDPR and privacy requirements, scalability, versioning, and other new demands that weren't prevalent in the on-prem world.

The Big Picture

Functional Requirements:

  • Extensible Schema: A metaverse with an extensible schema is essential.
  • Data Sharding and Geo-fencing: The ability to shard data, implement geo-fencing, ensure disaster recovery, and store BLOBs is crucial.
  • Authentication and Authorization: Serving as an authentication and authorization store remains important. While directories and tenants can still be target systems, their necessity is debatable.
  • Staging Area: Holograms of inbound and outbound data, confirming successful export operations, post-processing events, and a preview mode are vital features.
  • Connectors: Modern solutions require connectors with pagination and active-active failover models.
  • Modern Authentication: Support for REST, SOAP, SCIM, Pure HTTP, Graph MA with modern authentication methods is necessary.
  • On-prem Integration: ODBC/JDBC wrappers, LDAP/AD DS, and PowerShell running on on-prem hosts are indispensable.
  • Custom Connectors: A well-documented framework for custom connectors (ECMA2, ICF, OpenICF) is a must.
  • Asynchronous Processing: Asynchronous event processing, parallel processing of changes, a message bus with guaranteed delivery, and super-fast references recalculation are key.
  • Governance Capabilities: Out-of-box templates for role mining, recommended roles, poisonous sets of permissions, high-risk accounts, access packages, and a 'copy user' button are needed.
  • Unauthorized Changes Detection: Features like automatic rollback, incident registration, and choice-driven responses are critical.
  • Audit Capabilities: Tracking who did what and who had access at specific times, along with who approved actions, is essential.
  • General Workflow Engine: A workflow engine to manipulate identities and assignments, subscribed to message bus events in the form of policies and sets, emitting changes into the same message bus, is crucial. This should be asynchronous with remediation and auto-restart for failed workflows.
  • Self-Service Portal: it simply has to be there, so that vendors, contractors and service accounts can be managed without the helpdesk in the loop.

The Datastore

Imagine a graph database with built-in geo-fencing and the ability to reference nodes from other instances, similar to Neo4J. This would not only represent human beings with multiple identities but also visualize relationships between users, their accounts, permissions, and roles. It would support relationship types like owner or member. Storing JSON BLOBs in its nodes, it could serve as the underlying authentication and authorization store. This eliminates the need to provision users into directories just for authentication and authorization, solving issues like multiple accounts in different tenants.

The Staging Area

One of Microsoft Identity Manager’s (MIM) strengths was the ability to run a preview on objects to foresee changes upon synchronization. This was possible due to holograms of objects stored in the MIM Sync DB. Aggregating changes from multiple runs before processing, having a standby system running in ‘read-only’ mode, or learning mode, are powerful features worth retaining.

Having a staging area enables other scenarios as well: from batched exports to improve performance to thresholds to avoid mass-destruction events due to bad data coming in.
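The preview and threshold behaviour described above, as an added example that is not part of the original article or of MIM: a staging area keeps a hologram of the last known state per connected system, diffs a fresh import against it, reports the delta before anything is committed, and holds the run when the share of deletions exceeds a configurable limit. The hologram contents, the `uid=` anchors and the 10% limit are constructed for illustration.

```python
# Added example (not from the article): a staging area that keeps a
# "hologram" of the last known state, previews the delta of a fresh import
# and refuses to commit a mass deletion. Names and sample data are constructed.
from dataclasses import dataclass, field


class ThresholdExceeded(Exception):
    """Raised when an import would delete more objects than allowed."""


@dataclass
class PendingChange:
    op: str                       # "add", "update" or "delete"
    key: str                      # anchor of the object in the connected system
    attrs: dict = field(default_factory=dict)


def compute_delta(hologram, imported):
    """Diff the stored hologram against a full import; nothing is committed yet."""
    changes = []
    for key, attrs in imported.items():
        if key not in hologram:
            changes.append(PendingChange("add", key, attrs))
        elif hologram[key] != attrs:
            changes.append(PendingChange("update", key, attrs))
    for key in hologram:
        if key not in imported:
            changes.append(PendingChange("delete", key))
    return changes


def preview(changes):
    """The 'preview mode': counts per operation before anything is applied."""
    counts = {"add": 0, "update": 0, "delete": 0}
    for change in changes:
        counts[change.op] += 1
    return counts


def commit(hologram, changes, max_delete_ratio=0.10):
    """Apply the staged delta unless deletions exceed the configured ratio.

    A connector that suddenly returns an empty or truncated result set would
    otherwise cascade into deprovisioning every downstream account.
    """
    deletes = sum(1 for c in changes if c.op == "delete")
    if hologram and deletes / len(hologram) > max_delete_ratio:
        raise ThresholdExceeded(
            f"{deletes} of {len(hologram)} objects would be deleted "
            f"(limit {max_delete_ratio:.0%}); run held for operator review")
    new_state = dict(hologram)
    for change in changes:
        if change.op == "delete":
            new_state.pop(change.key, None)
        else:
            new_state[change.key] = change.attrs
    return new_state


# Constructed sample: ten users known from the last successful import.
HOLOGRAM = {f"uid={i}": {"mail": f"user{i}@example.test", "active": True}
            for i in range(10)}

# A healthy import: one leaver, one new hire, one attribute change.
GOOD_IMPORT = {k: dict(v) for k, v in HOLOGRAM.items() if k != "uid=9"}
GOOD_IMPORT["uid=10"] = {"mail": "user10@example.test", "active": True}
GOOD_IMPORT["uid=3"]["active"] = False

# A bad import: the HR feed returned only the first three records.
TRUNCATED_IMPORT = {k: v for k, v in HOLOGRAM.items()
                    if k in ("uid=0", "uid=1", "uid=2")}


def run_import(hologram, imported):
    """Stage, preview, then try to commit; returns (preview, new_state or None)."""
    changes = compute_delta(hologram, imported)
    summary = preview(changes)
    try:
        return summary, commit(hologram, changes)
    except ThresholdExceeded:
        return summary, None


if __name__ == "__main__":
    for label, data in (("good", GOOD_IMPORT), ("truncated", TRUNCATED_IMPORT)):
        summary, state = run_import(HOLOGRAM, data)
        print(label, summary, "committed" if state else "HELD")
```

The hologram is never mutated by a held run, so the operator can inspect the preview, fix the feed and re-run without first restoring state; a standby system in learning mode would simply never call `commit`.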

Connectors and Sync rules

An ideal modern solution would extend the ECMA2 framework to reconcile and import specific users, combining it with OpenICF frameworks and stateless on-prem hosts for both Windows- and Linux-based connectors.

From the sync rules perspective, I do love what MIIS/FIM/MIM had to offer, including per-attribute flow precedence and multi-mastery, so I would just reimplement that as it was in MIM. The only thing to add would be the ability to import and reconcile specific objects on demand. No code-based attribute manipulations, declarative expressions only.
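Per-attribute flow precedence and multi-mastery, as an added example that is not code from the article or from MIM: each attribute has a ranked list of sources that may master it (the first source with a value wins), multi-master attributes are won by the most recent import, and the only transforms available are the ones listed in a table, which is the practical shape of "declarative expressions only". The source names, attribute names, transform table and sample contributions are constructed for illustration.

```python
# Added example (not from the article): per-attribute flow precedence and
# multi-mastery in the style the text attributes to MIIS/FIM/MIM, with
# table-driven transforms instead of code hooks. Sources, attributes and
# sample contributions are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Contribution:
    source: str        # management agent that imported the value
    attribute: str
    value: object
    imported_at: int   # monotonic import sequence number


# Ranked precedence: the first listed source wins whenever it has a value.
PRECEDENCE = {
    "displayName": ["hr", "ad"],
    "mail": ["ad", "hr"],
    "department": ["hr"],
}
# Equal precedence: whichever source imported most recently wins.
MULTI_MASTER = {"telephoneNumber"}

# Declarative transforms applied to the winning value. Only functions in
# ALLOWED_FUNCTIONS can run, so an attribute flow can never execute
# arbitrary code supplied by a connector or a rule author.
TRANSFORMS = {"mail": "lower", "displayName": "trim"}
ALLOWED_FUNCTIONS = {
    "lower": lambda v: v.lower(),
    "upper": lambda v: v.upper(),
    "trim": lambda v: v.strip(),
}


def resolve_attribute(attribute, contributions):
    """Pick the winning contribution for one attribute, or None if nothing may flow."""
    candidates = [c for c in contributions if c.attribute == attribute]
    if attribute in MULTI_MASTER:
        winner = max(candidates, key=lambda c: c.imported_at, default=None)
    else:
        ranking = PRECEDENCE.get(attribute, [])
        allowed = [c for c in candidates if c.source in ranking]
        winner = min(allowed, key=lambda c: ranking.index(c.source), default=None)
    if winner is None:
        return None
    transform = TRANSFORMS.get(attribute)
    return ALLOWED_FUNCTIONS[transform](winner.value) if transform else winner.value


def project(contributions):
    """Build the metaverse view of one person from all connector contributions."""
    attributes = {c.attribute for c in contributions}
    resolved = {a: resolve_attribute(a, contributions) for a in sorted(attributes)}
    return {a: v for a, v in resolved.items() if v is not None}


# Constructed sample: HR and AD disagree on most of one person's attributes.
SAMPLE = [
    Contribution("hr", "displayName", " Jane Doe ", 1),
    Contribution("ad", "displayName", "J. Doe", 5),
    Contribution("hr", "mail", "Jane.Doe@Example.Test", 1),
    Contribution("ad", "mail", "JDoe@Corp.Example.Test", 2),
    Contribution("hr", "telephoneNumber", "+1 555 0100", 1),
    Contribution("ad", "telephoneNumber", "+1 555 0199", 3),
    Contribution("ad", "department", "Sales", 9),   # AD may not master department
    Contribution("hr", "department", "Finance", 1),
]

if __name__ == "__main__":
    for attribute, value in project(SAMPLE).items():
        print(f"{attribute}: {value!r}")
```

An attribute with no precedence entry does not flow at all, and a source that is not listed for an attribute is ignored even when its import is newer; both are deliberate, since an unlisted source writing into the metaverse is exactly the kind of silent overwrite the precedence table exists to prevent.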

The Event Driven Workflow engine

In a modern system, changes, including data imports from connected systems, should not be directly committed to the datastore. Instead, they should be sent as messages with guaranteed delivery to subscribers. For instance, an event like a new account import from an LDAP connector should trigger workflows to ensure unique values, with results emitted as messages. This approach, complemented by a GraphQL-like API over REST, enables cascading workflows and dynamic updates.

The only remaining piece of the puzzle is custom workflow activities, developed and operated or hosted by customers themselves. While this brings a lot of flexibility, it comes at the cost of unexpected failures and investigations. With a proper MIMWAL-like library, an MVP or v1 might be able to get by without custom workflows.
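The event-driven flow described in this section, as an added example that is not code from the article: imported changes are published to a bus rather than written to the datastore, a uniqueness workflow consumes them and emits its result as a new message, an audit workflow consumes that in turn, and a handler that throws is redelivered up to a retry limit before its message is parked in a dead-letter list for investigation. The topic names, the handlers, the retry limit and the sample import are constructed for illustration.

```python
# Added example (not from the article): an event-driven workflow engine in
# miniature with at-least-once delivery, cascading workflows, retry and a
# dead-letter list. Topics, handlers and the sample import are constructed.
import collections


class Subscription:
    def __init__(self, handler):
        self.handler = handler
        self.queue = collections.deque()   # entries are (payload, attempts)


class MessageBus:
    def __init__(self, max_attempts=3):
        self.subscriptions = collections.defaultdict(list)
        self.dead_letter = []              # (topic, payload, error) after max_attempts
        self.max_attempts = max_attempts

    def subscribe(self, topic, handler):
        self.subscriptions[topic].append(Subscription(handler))

    def publish(self, topic, payload):
        # Each subscriber gets its own copy; it stays queued until the handler succeeds.
        for sub in self.subscriptions.get(topic, []):
            sub.queue.append((payload, 0))

    def run(self):
        """Deliver until every queue is empty; a raising handler gets a redelivery."""
        pending = True
        while pending:
            pending = False
            for topic, subs in list(self.subscriptions.items()):
                for sub in subs:
                    if not sub.queue:
                        continue
                    pending = True
                    payload, attempts = sub.queue.popleft()
                    try:
                        sub.handler(payload, self)
                    except Exception as exc:   # any handler failure is retryable here
                        if attempts + 1 >= self.max_attempts:
                            self.dead_letter.append((topic, payload, repr(exc)))
                        else:
                            sub.queue.append((payload, attempts + 1))


METAVERSE = {}    # accountName -> personId (the datastore, written only by workflows)
AUDIT_LOG = []    # (event, payload) records emitted by workflows


def ensure_unique_account(payload, bus):
    """Workflow: claim the requested accountName or derive a free one, then emit the result."""
    base, person = payload["accountName"], payload["personId"]
    candidate, n = base, 1
    while candidate in METAVERSE and METAVERSE[candidate] != person:
        n += 1
        candidate = f"{base}{n}"
    METAVERSE[candidate] = person
    bus.publish("metaverse.updated", {"personId": person, "accountName": candidate})


def record_audit(payload, bus):
    """Workflow: every metaverse change lands in the audit trail."""
    AUDIT_LOG.append(("metaverse.updated", payload))


def make_flaky(fail_times):
    """Handler that raises on its first fail_times calls, simulating a transient outage."""
    calls = {"n": 0}

    def handler(payload, bus):
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise RuntimeError("downstream unavailable")
    return handler


def run_import(events, extra_handler=None):
    """Wire up the bus, publish the imported events and drain; returns the bus."""
    METAVERSE.clear()
    AUDIT_LOG.clear()
    bus = MessageBus(max_attempts=3)
    bus.subscribe("ldap.account.imported", ensure_unique_account)
    bus.subscribe("metaverse.updated", record_audit)
    if extra_handler:
        bus.subscribe("metaverse.updated", extra_handler)
    for event in events:
        bus.publish("ldap.account.imported", event)
    bus.run()
    return bus


# Constructed sample: two different people imported with the same accountName.
IMPORTED = [
    {"personId": "p-1001", "accountName": "jdoe"},
    {"personId": "p-2002", "accountName": "jdoe"},
]

if __name__ == "__main__":
    bus = run_import(IMPORTED, make_flaky(1))
    print(METAVERSE, len(AUDIT_LOG), bus.dead_letter)
```

Because delivery is at-least-once, every workflow has to be safe to re-run with the same payload; `ensure_unique_account` is, since a person who already holds the name simply keeps it. The dead-letter list is what "remediation and auto-restart for failed workflows" from the requirements list operates on.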

Governance

A graph database metaverse with relationships between users, accounts, roles, permissions, packages, and other artifacts opens up extensive governance possibilities. Creating reports on high-risk accounts, excessive assignments, or generating recommended roles becomes straightforward. Attestation, time-limited assignments, and ownership can be directly represented as relationships between nodes. This level of organization simplifies JML workflows significantly.
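The graph metaverse from The Datastore section and the governance queries from this section, as one added example that is not code from the article or from Neo4J: persons, accounts, roles and permissions are nodes, `owns`, `member` and `grants` are typed relationships with an optional validity window (time-limited assignments), and two queries walk the graph, one flagging persons whose permissions across all their accounts form a toxic combination, the other answering who held a permission on a given date. Node ids, relationship names, the toxic set and the sample data are constructed for illustration.

```python
# Added example (not from the article): an in-memory graph metaverse with
# typed, time-bounded relationships and two governance queries over it.
# Node ids, relation names and sample data are constructed.
from datetime import date


class Metaverse:
    def __init__(self):
        self.nodes = {}   # node_id -> {"type": ..., plus free-form attributes}
        self.edges = []   # (src, relation, dst, valid_from, valid_until)

    def add_node(self, node_id, node_type, **attrs):
        self.nodes[node_id] = {"type": node_type, **attrs}

    def relate(self, src, relation, dst, valid_from=None, valid_until=None):
        self.edges.append((src, relation, dst, valid_from, valid_until))

    @staticmethod
    def _active(valid_from, valid_until, as_of):
        return ((valid_from is None or valid_from <= as_of) and
                (valid_until is None or as_of <= valid_until))

    def targets(self, src, relation, as_of):
        """Nodes reached from src by one relation whose validity window covers as_of."""
        return [d for s, r, d, vf, vu in self.edges
                if s == src and r == relation and self._active(vf, vu, as_of)]

    def sources(self, dst, relation, as_of):
        """The reverse walk: nodes pointing at dst by one relation, active at as_of."""
        return [s for s, r, d, vf, vu in self.edges
                if d == dst and r == relation and self._active(vf, vu, as_of)]


def effective_permissions(mv, person, as_of):
    """person -owns-> account -member-> role -grants-> permission, over every account."""
    perms = set()
    for account in mv.targets(person, "owns", as_of):
        for role in mv.targets(account, "member", as_of):
            perms.update(mv.targets(role, "grants", as_of))
    return perms


def high_risk_persons(mv, toxic_sets, as_of):
    """Persons whose combined permissions, across all accounts and tenants, contain a toxic set."""
    flagged = {}
    for node_id, attrs in mv.nodes.items():
        if attrs["type"] != "person":
            continue
        perms = effective_permissions(mv, node_id, as_of)
        hits = [t for t in toxic_sets if t <= perms]
        if hits:
            flagged[node_id] = hits
    return flagged


def who_had_access(mv, permission, as_of):
    """Audit query: every person holding a permission on a given date."""
    holders = set()
    for role in mv.sources(permission, "grants", as_of):
        for account in mv.sources(role, "member", as_of):
            holders.update(mv.sources(account, "owns", as_of))
    return holders


def build_sample():
    """Constructed data: one person with accounts in two systems, one with a single account."""
    mv = Metaverse()
    mv.add_node("p1", "person", displayName="Jane Doe")
    mv.add_node("p2", "person", displayName="Sam Roe")
    mv.add_node("ad:jdoe", "account", system="on-prem AD")
    mv.add_node("cloud:jane.doe", "account", system="cloud tenant")
    mv.add_node("ad:sroe", "account", system="on-prem AD")
    for role, perm in (("ap-clerk", "invoice:create"), ("ap-approver", "invoice:approve")):
        mv.add_node(role, "role")
        mv.add_node(perm, "permission")
        mv.relate(role, "grants", perm)
    mv.relate("p1", "owns", "ad:jdoe")
    mv.relate("p1", "owns", "cloud:jane.doe")
    mv.relate("p2", "owns", "ad:sroe")
    mv.relate("ad:jdoe", "member", "ap-clerk")
    # Time-limited assignment in the other tenant: valid for calendar year 2024 only.
    mv.relate("cloud:jane.doe", "member", "ap-approver",
              valid_from=date(2024, 1, 1), valid_until=date(2024, 12, 31))
    mv.relate("ad:sroe", "member", "ap-approver")
    return mv


# Creating and approving the same invoice type is the classic segregation-of-duties conflict.
TOXIC = [frozenset({"invoice:create", "invoice:approve"})]

if __name__ == "__main__":
    mv = build_sample()
    print(high_risk_persons(mv, TOXIC, date(2024, 6, 1)))
    print(high_risk_persons(mv, TOXIC, date(2025, 1, 15)))
    print(sorted(who_had_access(mv, "invoice:approve", date(2024, 6, 1))))
```

The point the article makes about multiple accounts per person shows up directly: p1's conflict only exists because the graph joins the on-prem account and the cloud-tenant account under one person node, which a report run inside either directory alone would not see. Attestation and ownership would be further edge types on the same graph.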

Market Availability

There are solutions that offer a metaverse, connectors, workflows, a message bus, graph DBs – but none of them is perfect or universal. Some offer perfect sync features (but do not scale), others perfect governance scenarios (but do not scale either and act as fire-and-forget systems with manual reconciliation), and others still do not offer schema extensions and do not support multiple tenants and multiple accounts per person.

So, if I were to choose something to deploy for a client with 500k+ seats, I’d be scratching my head for days, thinking of what requirements my customer would agree to drop.

Building the Ideal Solution

Developing the perfect IAM/IGA service independently involves substantial time, budget, and risk. Large corporations prefer incremental improvements to play safe, while open-source solutions lack funding and comprehensive support, remaining niche options. With proper funding, determination, and belief in its profitability, building a new, robust IAM/IGA solution is feasible.

By envisioning and addressing these comprehensive requirements, the future of IAM solutions can be both innovative and practical, meeting the evolving needs of modern enterprises.


Next: Part 1: The Datastore

Craig Martin

Integrating in the trenches of software systems.

3 months

"No code-based attribute manipulations, declarative expressions only" The early adoption of .NET hosting by the sync engine made for amazing extensibility (great power, blah, blah) but what is the case against extensibility?
