Securing the modern web: Open sourcing the future of IAM
by Lasse Andresen - CTO of ForgeRock - Friday, 16 August 2013.
Every CIO needs a reliable identity and access management (IAM) system for protecting employee, customer, and partner data – and for years, they have relied on traditional, proprietary IAM vendors to secure their user identities and data behind the company firewall.

In the past few years though, IAM needs have changed dramatically. Employees expect access to company systems anytime, anywhere; customers expect immediate and constant access to user-friendly, consumer-facing data; and partners need access to various apps with limited access to company data.

Traditional IAM cannot protect the modern web

Traditional IAM solutions were designed exclusively for the on-premises enterprise; they were not equipped to handle or adapt to the immediate demands of the modern Web. Let’s remember that the common use cases that influenced the initial development of traditional IAM were based on a very different set of business needs when compared to today’s needs. Early IAM was developed to secure employee identities and protect enterprise applications and data that were maintained behind the company firewall. The access devices were provided to the users (employees) by the company, usually a desktop or laptop. The scaling requirements were limited to the company’s employees so a deployment that exceeded 100,000 were rare. While use cases such as onboarding and off boarding of users were common, these processes happened at a much slower pace compared to today and were necessitated by predictable and intermittent events such as the hiring of a new employee.

In Gartner’s Ian Glazer’s presentation, Killing IAM in Order to Save It, he states that “current enterprise identity and access management cannot adapt and cannot evolve to the contemporary web. Identity management presently is ensconced in a reasonably static world. Identities are created, owned and managed by the enterprise. The problem is the world around identity management is growing both larger in terms of the constituents that have to be served and moving faster than this static model can keep up with.”

Glazer notes that “the current style is slow, requiring changes when an individual is added, moved or leaves an organization, and while this works fine, this isn’t the current pace or style of the modern enterprise, partners, or the customers that are working in the modern Web. Legacy IAM systems are a part from instead of a part of other crucial business services of an enterprise which ultimately is inconvenient and requires additional work. Modern systems need integrated systems.”

Today, the needs are much different. Users are not just employees, but also customers and partners. In fact, the user might be anonymous initially. The users are accessing applications from locations far beyond the company firewall and from a multitude of devices. Further, the applications themselves are often hosted in the cloud and provided by a SaaS provider. The volume of users has exploded and the rate at which they change and the number of identities they require has expanded. This is not to say that there still isn’t a need for traditional IAM. Rather, a new open, agile, scalable IAM platform is needed – a platform that can integrate with the legacy systems, but also provide for the needs of today’s modern Web environments.

So how can a CIO extend, integrate, and modernize their identity infrastructure to solve for these common new use cases?

Fortunately, an alternative to traditional proprietary IAM vendors exists. Open source IAM was built from the ground up, tailored to the needs of the modern Web, and equipped to handle IAM requirements across cloud, social, mobile, and enterprise systems.


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 11th