Effective use of Cloud Computing for your Identity Management Solution

In this article Gary Morris discusses ways in which an organisation's IAM system can be moved completely into the cloud.

Here comes the Cloud

Cloud computing in recent years has revolutionised enterprise-level IT strategies. Organisations are seeing the benefits of moving applications onto IaaS to reduce the need for their own virtual infrastructure, or going further and utilising SaaS offerings from cloud providers. Cloud computing enables an organisation to move IT costs from capital to operational expenditure. CIOs no longer look out at their organisation’s state-of-the-art data centre with pride. Rather, they lament the cost of security, cooling, power, and all the other incidental costs associated with physical IT infrastructure.

One of the last services to be targeted for cloud migration is often an organisation’s identity and access management system. Managers believe that their employees’ identity information, entitlement data and especially their credentials should remain safely within the corporate network. Thus, IAM is looked upon as an immovable IT overhead. But it does not have to be this way. With Assertiv’s expertise and some carefully chosen cloud offerings, your entire IAM system can be moved into the cloud while remaining completely secure, possibly reducing costs for the organisation.

SaaS Identity and Access Management

SailPoint’s IdentityNow (IDN) is a true SaaS solution that provides the heart of a fully cloud-based IAM system. It provides all the benefits of cloud computing while providing full control over identity data and ensuring complete security.

SailPoint IDN can be deployed rapidly and efficiently and administered from anywhere. All enhancements and maintenance updates are delivered automatically, requiring zero downtime and no local IT effort.

This raises the question: how can IDN learn about, manage, and administer an organisation’s identity data when the data sources and systems of interest are on-prem? IDN utilises the services of a virtual appliance (VA), a customised VM that is usually installed on a customer’s network and provides the interface between the organisation and the IDN tenant. All the low-level communication and native API requirements are handled by the VA, and it communicates with the IDN tenant via an encrypted tunnel.

What to do with the Virtual Appliance?

Instead of begrudgingly reserving a VM on their own infrastructure to host the VA, an organisation can use the cloud to host it. Microsoft Azure is an ideal choice for providing Virtual Machines into which VAs can be installed. Many VMs can be created and arranged into VA clusters for load balancing and fault tolerance. By selecting from a variety of Azure networking products, a VA can have the same connectivity and interoperability as one deployed on the internal network. SailPoint even publishes guides for VA deployment to Azure.
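As an added illustration of that pattern (not SailPoint's or Assertiv's own deployment script), the Az PowerShell snippet below builds a two-node VA cluster in Azure: an availability set for fault tolerance, no public IPs, inbound from the internet denied, and outbound limited to HTTPS (the VA's encrypted tunnel to the tenant) plus the on-prem address range reached over VPN/ExpressRoute. The resource names, the on-prem range, the VM size and the VA image ID are assumptions; the exact ports the VA needs come from SailPoint's deployment guide.

```powershell
# Added example, not SailPoint's or Assertiv's code. Assumed values are labelled.
$rg          = 'rg-idn-va'        # hypothetical resource group
$loc         = 'australiaeast'
$onPremRange = '10.0.0.0/8'       # assumed: on-prem space reachable via VPN/ExpressRoute
$vaImageId   = '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Compute/images/<va-image>'  # placeholder

New-AzResourceGroup -Name $rg -Location $loc | Out-Null

# NSG: the VA dials out; nothing from the internet needs to reach it.
# Outbound is reduced to HTTPS, the on-prem range and the VNet itself (Azure DNS);
# add NTP or proxy rules if your VA configuration requires them.
$rules = @(
  New-AzNetworkSecurityRuleConfig -Name 'DenyInternetIn' -Direction Inbound -Access Deny -Priority 100 `
    -Protocol '*' -SourceAddressPrefix 'Internet' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*'
  New-AzNetworkSecurityRuleConfig -Name 'AllowHttpsOut' -Direction Outbound -Access Allow -Priority 100 `
    -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix 'Internet' -DestinationPortRange '443'
  New-AzNetworkSecurityRuleConfig -Name 'AllowOnPremOut' -Direction Outbound -Access Allow -Priority 110 `
    -Protocol '*' -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix $onPremRange -DestinationPortRange '*'
  New-AzNetworkSecurityRuleConfig -Name 'AllowVnetOut' -Direction Outbound -Access Allow -Priority 120 `
    -Protocol '*' -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange '*'
  New-AzNetworkSecurityRuleConfig -Name 'DenyAllOut' -Direction Outbound -Access Deny -Priority 4000 `
    -Protocol '*' -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*'
)
$nsg    = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc -Name 'nsg-idn-va' -SecurityRules $rules
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-va' -AddressPrefix '10.50.1.0/24' -NetworkSecurityGroup $nsg
$vnet   = New-AzVirtualNetwork -ResourceGroupName $rg -Location $loc -Name 'vnet-idn' -AddressPrefix '10.50.0.0/16' -Subnet $subnet

# One availability set spreads the cluster members across fault and update domains.
$avset = New-AzAvailabilitySet -ResourceGroupName $rg -Location $loc -Name 'avs-idn-va' `
  -Sku Aligned -PlatformFaultDomainCount 2 -PlatformUpdateDomainCount 2

$cred = Get-Credential -Message 'Local admin credential for the VA hosts'
foreach ($i in 1..2) {
  # No -PublicIpAddressId: the host is reachable only from inside the VNet / VPN.
  $nic = New-AzNetworkInterface -ResourceGroupName $rg -Location $loc -Name "nic-va$i" -SubnetId $vnet.Subnets[0].Id
  $vm  = New-AzVMConfig -VMName "va$i" -VMSize 'Standard_D2s_v3' -AvailabilitySetId $avset.Id |
         Set-AzVMOperatingSystem -Linux -ComputerName "va$i" -Credential $cred |
         Set-AzVMSourceImage -Id $vaImageId |
         Add-AzVMNetworkInterface -Id $nic.Id
  New-AzVM -ResourceGroupName $rg -Location $loc -VM $vm | Out-Null
}
```

The explicit DenyAllOut rule overrides Azure's default permissive outbound rules, so any extra destination the VA needs (for example a corporate proxy) must be added above it.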

What about the corporate AuthN and AuthZ directory?

Microsoft Active Directory (AD) is now the standard implementation for Authentication (AuthN) and Authorisation (AuthZ) services in large organisations. AD requires domain controllers, Exchange servers, and other member servers for implementation. This, too, can be moved into the cloud using the Microsoft Azure AD product. Once again, with the networking options now provided by Azure, an organisation can move its AD fully into the cloud and still have complete confidence that its identity information is secure. SailPoint also provides a connector for Azure AD, so full provisioning functionality can be maintained.

A common scenario for an organisation wanting to go down the cloud track is the migration from on-prem AD to Azure AD. In this case, best practice would be for IDN to be used as the central hub, aggregating identity data from on-prem AD, learning the account and entitlement information, and creating an access model for the organisation. As reported by Nick, IdentityNow’s AI Enablement features can assist in creating a full picture of an organisation’s role-based access requirements. Once a clean model is produced, identity sync to Azure AD can be initiated, ensuring a clean directory from day one.


Fear of security and connectivity issues surrounding identity data is no longer an excuse for keeping IAM within the organisation’s network. SailPoint’s IdentityNow and Microsoft Azure can be utilised to move yet another critical system into the cloud, reducing CapEx, and realising the advantages of cloud computing.

We all know that executive buy-in is critical to the success of a project. Once the CIO sees the IT overheads of IAM being reduced, success is assured.

Reach out to Assertiv Consulting today to begin the conversation around IAM cloud migration.

Gary Morris is a Principal Identity Consultant with Assertiv Consulting.

