Centralised Model of Design: IAM products are in a sense victims of their
own hype. A prestigious (and expensive) IAM product is expected to
comprehensively manage user data by itself, because its purchase cannot
otherwise be justified. Such an expectation places an onerous burden on any
single application, because by its very nature, an enterprise has many
different applications, many of them standalone, off-the-shelf commercial
products with their own user databases, role definitions and fine-grained
access control rules. If a centralised product has to manage all of this
detailed and dispersed data, it will lead to two practical, logistical problems.
One, the IAM user repository will become overpopulated and excessively
complicated in structure, because it has to store the fine-grained roles and
access control rules of every application in the enterprise, along with the
mappings of users to all those roles.
Two, since it will in most cases be impossible to remove the fine-grained
access control logic from each individual application, some sort of
replication, often two-way, will need to be set up to keep the IAM repository
and the individual application databases in sync. What seems at first to be a
simple and elegant model of centralisation is in fact operationally
cumbersome and error-prone.
A model where the IAM product only manages coarse-grained roles and
access control rules, and leaves fine-grained ones to each individual
application, will work better in practice. However, it will seem wasteful to
perform user management in multiple places, and the value of purchasing an
IAM product will be questioned. “We've paid a lot of money for this product.
We should use it to the maximum,” will be the inevitable argument. It is very
hard for common sense to prevail unless expectations are managed from the
start. The vendors are mostly to blame for raising expectations in the
pre-sales period which their products cannot realistically meet in a diverse
ecosystem.
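The split the two paragraphs above argue for, coarse-grained roles held centrally and fine-grained rules owned by each application, can be made concrete in code. The following is an added illustration, not code from the book or from any IAM product; the user names, role names, permission strings and the two applications are all constructed for the example. The central store holds nothing but user-to-coarse-role grants (what an IAM product would assert, for instance as claims in a token), and each application maps those roles onto its own permissions, including local exceptions that never need to be replicated back to the central repository.

```python
"""Coarse-grained roles managed centrally, fine-grained rules kept in each
application. Constructed example with hypothetical names; it is not code
from the book this passage comes from nor from any IAM product."""

from dataclasses import dataclass, field

# --- Central IAM repository (constructed sample data) ---------------------
# The IAM product stores only users and the coarse-grained roles granted to
# them. It knows nothing about any application's internal permission model,
# so it stays small and nothing has to be replicated into it from the apps.
CENTRAL_ROLE_GRANTS = {
    "alice": {"finance-user", "hr-user"},
    "bob":   {"finance-user"},
    "carol": set(),
}


def central_roles_for(user):
    """What the IAM product asserts about a user (e.g. as role claims)."""
    return frozenset(CENTRAL_ROLE_GRANTS.get(user, set()))


# --- One application's local authorisation layer ---------------------------
@dataclass
class AppPolicy:
    """Fine-grained permissions owned and maintained by the application itself."""

    # coarse role (as issued centrally) -> fine-grained permissions local to this app
    role_permissions: dict = field(default_factory=dict)
    # application-local restrictions (e.g. per-user denies) that never leave the app
    user_denies: dict = field(default_factory=dict)

    def permissions_for(self, user, coarse_roles):
        """Expand the centrally granted coarse roles into this app's permissions."""
        perms = set()
        for role in coarse_roles:
            perms |= self.role_permissions.get(role, set())
        return perms - self.user_denies.get(user, set())

    def is_allowed(self, user, coarse_roles, permission):
        return permission in self.permissions_for(user, coarse_roles)


# Two hypothetical applications, each with its own fine-grained model.
FINANCE_APP = AppPolicy(
    role_permissions={
        "finance-user": {"invoice:read", "invoice:create", "report:run"},
    },
    user_denies={"bob": {"invoice:create"}},  # local exception, stays in the app
)

HR_APP = AppPolicy(
    role_permissions={
        "hr-user": {"employee:read", "employee:update"},
    },
)


def authorise(app, user, permission):
    """Full check: ask IAM for the user's coarse roles, then let the
    application decide fine-grained access with its own rules."""
    return app.is_allowed(user, central_roles_for(user), permission)


if __name__ == "__main__":
    for app_name, app in (("finance", FINANCE_APP), ("hr", HR_APP)):
        for user in CENTRAL_ROLE_GRANTS:
            print(app_name, user, sorted(app.permissions_for(user, central_roles_for(user))))
```

Adding a third application, or changing the finance application's per-user deny for `bob`, touches only that application's `AppPolicy`; `CENTRAL_ROLE_GRANTS` is unchanged, which is precisely the replication burden the centralised model would otherwise impose.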
Commoditised Functionality: Quite frankly, the Access Management aspect
of IAM is a thoroughly commoditised capability today. You can source
solutions from a competitive market that includes some very capable Open
Source implementations, so you don't have to pay the premiums that the
market-leading vendors charge for it. You may be surprised to hear that
many vendor products are priced on a per-transaction (based on the number
of “hits” on a website) or per-user basis. The vendors make more money as
your volumes increase, but the same capability can be sourced without
having to pay such a rent, if you know where to look.