A Case for Cloud Identity Management: Change Management
A question with a million answers: Why are Identity & Access Management (IAM) integration costs so high?
Most people will answer with the obvious: the tricky and time-consuming nature of gathering IAM requirements, the effort required to integrate the IAM system with heterogeneous target systems within an enterprise, etc. What most people don't realize is that something as simple as a tight change management policy can wreak havoc on even the best IAM PM's estimates.
Imagine, if you will, a customer with change management policies that require change management requests on the creation, deletion, or modification of accounts created in any environment. For IAM unit testing, this means a 10x increase in effort hours! (Some customers with highly regulated environments might even have this apply to their development environment.)
A popular option that our customers are requesting is a dev or play IAM environment in the cloud. In this option, an IAM solutions provider has a ready-made dev environment, all up in the cloud (which could even contain sample target systems, such as AD/Exchange, HR, etc.). The goal is to quickly demonstrate use cases, show the customer the look and feel of the solution, and get the kinks out of specific workflows - all without having to sit and wait for change management to create service accounts, add/remove privileges, and grant access to target systems. Based on our experience, and more closely aligning with the agile software development methodology, customers could accomplish more in 1 week this way than in 3 weeks spent waiting on the change management bottleneck. Here are a few options on how to make that happen.
Option 1: Cloud Dev to On-Prem Dev
Once the cloud dev environment is up to snuff, the team has a very good idea regarding how the customer's dev environment should look.
This way, a comprehensive list of requests can be routed to change management for batch processing (as opposed to the multiple one-offs that typically happen in an implementation). Once the environments have been proven to be "mirrored", the cloud dev environment is thrown away.
Option 2: Cloud Dev to On-Prem Staging
Another option is to keep the Cloud Dev as a permanent fixture of the customer's "environments". We suggest a hosted private cloud to our customers, and promote changes directly from the cloud-based dev environment to the customer's staging environment. This is an excellent pragmatic first step towards cloud adoption in the IAM world. As the customer feels more and more comfortable, other environments can be migrated out to the cloud as well.
Although we like option 2, either one can speed up (and lower the cost of) an IAM implementation. Either way, they represent baby steps towards cloud adoption in the realm of IAM solutions that can get the (snow) ball rolling.