Integrating a custom Identity and Access Management (IAM) solution into a mature product portfolio can be a challenging task. Beyond has had the opportunity to face this challenge with multiple clients, enabling us to define a way of working that guarantees a smooth transition even in the most complex situations.
Why integrate an IAM?
IAM systems help organisations manage and secure access to critical systems, applications, and data by ensuring that users only have access to resources that they need to perform their job functions. These systems typically include tools for identity provisioning, authentication, authorization, and auditing. IAM solutions also offer granular Role-Based Access Control (RBAC), providing users with specific permissions to access resources based on their job roles. This simplifies the process of onboarding and offboarding users and helps organizations meet compliance requirements related to data privacy and security. Additionally, IAM solutions include the implementation of Single Sign-On (SSO), which enables users to access multiple applications with a single set of login credentials.
When we think about introducing such a system, we must consider four main aspects:
• Smooth integration – it has to have an interface that can be easily integrated into the existing product, considering any future enhancement plans of the product.
• Scalability – the system must be prepared for an increase in the number of users or volume of data/resources managed through the product.
• Straightforward operation – it must be able to handle a certain level of complexity in the combinations of feature and resource restrictions, and it needs a user-friendly UI for managing these restrictions.
• Security – with the spread of increasingly popular cloud-based solutions, where the data of different customers is stored in the same database, this area has become an even more important topic.
IAM is a common requirement that is almost never part of the scope of a new product's MVP, but its absence will become a more and more pressing problem over time. In most cases, the onboarding of a new customer or modification in access level for an existing customer requires development work to manually modify various mappings. With the rapid increase in the number of customers, this part can easily become a bottleneck that can make customers dissatisfied.
In the case of a new product, the focus is naturally on the reliability of the basic functionalities and on adding extra functions that can attract new customers or lure customers from competitors. This is why an operational support tool such as an IAM solution, which does not generate revenue directly, only comes to the fore in the later stages of a product roadmap. On the other hand, an IAM system has its own positive effects, such as reducing the risk of financial losses due to customer dissatisfaction and reducing operating costs, which become more significant as the number of customers increases.
Why is it so risky?
The introduction of a new feature always brings a certain level of risk of rendering existing related functions unavailable. This risk is increased when we are talking about a change at such a level as integration into a new IAM system, as it impacts almost every part of a product. The IAM system must have control over all the required functions and resources, so the number of scenarios to be retested can be high. If some newly introduced bugs remain in the system after testing, they may even result in a decrease in any of the revenue streams or loss of reputation due to:
• Data leaks that could lead to GDPR or other Data Privacy legislation issues
• Partially or completely unavailable features
• Partially or completely broken third-party applications that rely on the affected product's API
The very first step is to map the existing systems from a functional point of view to understand which services will be involved when implementing the new IAM. Even where the responsibilities and functionalities of these services are properly documented, it is important to contact the service owners to understand which additional IAM features they need, including any that do not have to be part of the MVP but should be added to the roadmap, as they may become important later. In the absence of documentation, it is crucial to designate Single Points of Contact (SPOC) who have sufficient knowledge of their specific field (Architecture, Product, Design, etc.) and have the authority to make decisions on questions which need input from the Client side.
When you work with Beyond to develop an IAM solution, we will conduct a detailed impact analysis to significantly reduce the risks already mentioned. Knowing exactly which areas are affected by the implementation defines the use cases for testing much more precisely.
It is important to define the governance structure at the beginning of the project. It covers the rules of cooperation, the responsibility of each project member and the decision-making process. It is key to agree on the everyday work processes, the tools that will be used during the project execution, the ceremonies and all the architectural and non-functional requirements in advance.
IAM is not a customer-facing application in most cases, but an internal tool that makes the operation of one or more products easier for the internal end users. At the same time, it must be adapted to the customer's needs and fit into the existing architecture. The implementation of an IAM solution is a relatively complex and mainly technical project. Using a Domain Driven Design methodology can be rewarding in IAM implementations. This methodology makes communication easier through consistent language and terms: we have a clear concept of what exactly we mean by the three main components of IAM (the User, the Role and the Resource), what kinds of relationships there are between them, and what actions we want to take with these entities.
Our most recent IAM implementation gave us the opportunity to work with Black Swan Data, a leading company in predicting consumer needs using social data analysis. Beyond provided a cross-functional squad to develop the User Administration part of a custom IAM solution that can be easily integrated into their existing cloud-based product portfolio.
The positive outcomes of this project, as shared with us by Nick Peppiatt, Director of Product Management at Black Swan Data:
• 78% reduction in tickets requiring developer support
• Strong engagement from Customer Success Team
Key to a successful IT project implementation
Implementing an Identity and Access Management (IAM) solution can be daunting for any organisation.
With the growing number of applications and users, managing access to resources becomes increasingly complex. However, a successful IAM implementation can improve security, streamline the user experience, and better comply with regulations.
One of the critical factors in achieving success with IAM implementation is properly defining the scope of the minimum viable product (MVP). This means identifying the most critical features necessary for the initial implementation and focusing on delivering a simple solution that can be easily enhanced in the future. It’s crucial to avoid the temptation to include too many features in the MVP, as this can lead to scope creep, increased complexity, and longer implementation timelines.
A simple solution can often be achieved using open-source third-party tools, such as Keycloak, which provides robust IAM capabilities out-of-the-box. By leveraging these tools, organizations can avoid the need to develop custom solutions and focus on configuring and integrating the tools to meet their specific requirements.
Another critical success factor in IAM implementation is having a clear understanding of the entities that are related to IAM, including groups, users, roles, permissions, resources, and more. Among these entities, resources are especially important, as this is a part of IAM that can be easily overcomplicated. To achieve simplicity and easy extensibility, it’s essential to define a very simplistic resource structure and move application-specific information to the application tier.
By simplifying the resource structure, organizations can reduce the risk of creating complex access control policies that are difficult to manage and maintain. Instead, organizations can focus on defining resource permissions based on the user’s role or group membership, which can be easily managed using centralized IAM policies.
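The flat resource structure described above can be sketched as follows. This is an added example, not code from Beyond, Black Swan Data or Keycloak; the class, role, tenant and user names are hypothetical. The IAM side knows only a resource's owning customer and coarse type, decisions are deny-by-default, and the application tier keeps its own fields and filters shared-table rows through the IAM decision.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    tenant: str   # customer that owns the data
    kind: str     # coarse type only; app-specific detail stays in the app tier

class Iam:
    """Flat model: User -> Roles -> (resource kind, action) grants."""

    def __init__(self):
        self.roles = {}   # role name -> frozenset of (kind, action)
        self.users = {}   # user name -> (tenant, set of role names)

    def add_role(self, name, grants):
        self.roles[name] = frozenset(grants)

    def add_user(self, name, tenant, roles):
        unknown = set(roles) - set(self.roles)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.users[name] = (tenant, set(roles))

    def is_allowed(self, user, action, resource):
        # Deny by default: unknown user, foreign tenant, or no matching grant.
        entry = self.users.get(user)
        if entry is None or entry[0] != resource.tenant:
            return False
        return any((resource.kind, action) in self.roles[r] for r in entry[1])

def visible_rows(iam, user, action, rows):
    """Application tier: filter shared-table rows through the IAM decision."""
    return [row for row in rows
            if iam.is_allowed(user, action, Resource(row["tenant"], row["kind"]))]

def build_demo():
    # Constructed sample data; every name below is hypothetical.
    iam = Iam()
    iam.add_role("analyst", {("report", "read")})
    iam.add_role("admin", {("report", "read"), ("report", "write"), ("user", "write")})
    iam.add_user("alice", "acme", {"analyst"})
    iam.add_user("bob", "globex", {"admin"})
    rows = [
        {"id": 1, "tenant": "acme", "kind": "report", "title": "Q1 trends"},
        {"id": 2, "tenant": "globex", "kind": "report", "title": "Q1 trends"},
        {"id": 3, "tenant": "acme", "kind": "user", "title": "alice profile"},
    ]
    return iam, rows
```

Onboarding a new customer in this model is a call to `add_user` with existing roles, a data change rather than a change to hand-maintained mappings in code.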
A successful IAM implementation requires a well-defined MVP, a focus on simplicity, and a clear understanding of the entities related to IAM. By achieving these key success factors, organizations can streamline their access management processes, improve security, and better comply with regulations. Open-source third-party tools such as Keycloak provide a solid foundation for a successful implementation, enabling organizations to focus on implementing IAM and reap the benefits it provides.
An IAM implementation into a mature product portfolio may seem risky at first sight, but Beyond can help to mitigate risks and ensure a successful transition. The result of the implementation will be financially beneficial through long-term cost reduction and also extremely beneficial in terms of brand reputation protection.