For the last 4 weeks I have been running some semi-anecdotal polls on LinkedIn in order to raise some discussion and awareness regarding the deployment patterns of a broad array of identity and access management services.
An article I wrote last month helped articulate some of the different deployment options, from classic on-premises, through managed service and private cloud, to complete software as a service. It is one of the topics that comes up on many inquiry calls: what are the differences, how do you choose, how do you evolve, and why are there differences at all?
Over a 4 week period I asked for the preferred deployment model for four key identity and access management services: consumer identity, workforce access management, identity governance and administration, and privileged access management.
The results were subtle and nuanced.
Workforce Access Management
The results here were pretty polarised. Only two options were selected, with the SaaS pure cloud approach receiving 86% of the votes and private cloud receiving the remaining 14%. The movement to cloud-centric identity providers (think Okta, Ping Identity, Auth0, more latterly ForgeRock, and the big three cloud providers Amazon, Google and Microsoft Azure) was likely front and centre of people's thoughts. The integration of cloud access management services back to on-prem protected resources is likely done via standards such as SAML and OIDC, perhaps combined with gateways and proxy services. Does this mean the end of on-premises access management?
Perhaps not, but new projects are likely to investigate cloud systems first, with some still remaining on private cloud instances, perhaps for complex B2B use cases or compliance reasons.
Identity Governance and Administration
IGA produced a more varied set of results. SaaS was again the dominant choice with 60%, managed service at 20%, on prem at 11% and private cloud/isolated at 9%. Whilst SaaS was the majority, the requirement for on prem and private cloud is likely to come from the need to integrate against on-premises systems (think mainframes, ERP, structured SQL databases) that are heavily reviewed and analysed for compliance and access review processes. Does that provide an opportunity for migration? Possibly, yet two things are likely to need to happen. Firstly, a steady migration of the systems under review, which is of course out of scope of the identity and access management services.
We would need to see those classic systems become cloud ready, which may a) not be possible or b) take 2-3 years of re-engineering. The second thing to consider is that the most complex IGA requirements may not yet be fulfilled by existing cloud IGA providers. One additional comment to make is that IGA had the highest percentage for managed service at 20%. This is likely due to the strong business analysis and organisational understanding that is required to make IGA successful.
Consumer Identity and Access Management
CIAM produced a fairly expected set of results. Primarily SaaS, yet with overhangs of some limited on prem at 3% (likely home-grown solutions being migrated) as well as some private cloud responses at 11%, which is often the case where the CIAM project requires high transaction throughput and the avoidance of potential "noisy neighbour" problems.
CIAM is a slightly more recent addition for productionised systems. As such it is likely that the on prem instances will start to disappear over time, whilst managed service and isolated instances may stabilise, mainly due to volume perhaps.
Privileged Access Management
Whilst PAM is still identity related, it certainly has some different characteristics. Viewed traditionally from a security perspective and more focused on operational IT support, PAM showed the highest on-premises result at 42%. There are likely two reasons for this. Firstly, the "keys to the castle" issue with PAM vaults and session management systems may mean many organisations are reluctant to migrate, or at least not to migrate immediately, to a pure SaaS model. I think that is likely to change over time, assuming the cloud offerings are equivalent to the on prem version and the systems needing integration can be integrated from a cloud setting.
A couple of different breakdowns of the same results follow, this time showing SaaS as a percentage and on premises as a percentage.