THE IAM PRO’S GUIDE TO BUILDING A BUSINESS CASE
Part One of Three: Modernizing Legacy Web Access Management (WAM)
WHITE PAPER
The IAM Pro’s Guide to Building a Business Case, Part 1 | WHITE PAPER
TABLE OF CONTENTS
03 INTRODUCTION
04 PAIN POINTS OF LEGACY WEB ACCESS MANAGEMENT (WAM)
08 REQUIREMENTS FOR MODERN ACCESS SECURITY
12 HOW MODERNIZATION BENEFITS YOUR ENTIRE ORGANIZATION
21 THE BOTTOM LINE
22 CONCLUSION
ANALYST PERSPECTIVE
While Web Access Management technologies are well established and Identity Federation has also been around for years, we have observed a tremendous growth in interest and adoption of these technologies over the past years. Customers – and specifically their business departments – are requesting solutions for emerging business requirements such as the onboarding of business partners, customer access to services, access to cloud services, and many more. IT has to react and create a standard infrastructure for dealing with all the different requirements of communication and collaboration in the Extended and Connected Enterprise. In consequence, Access Management and Federation are moving from tactical IT challenges towards strategic infrastructure elements that enable business agility.
Source: 2016 KuppingerCole Access Management and Federation Leadership Compass
INTRODUCTION
As an Identity and Access Management (IAM) professional, you know that your company’s access security needs have changed.
Controlling access to on-premises applications was a different challenge than the one you face today.
More and more applications are moving to the cloud and mobile. APIs are everywhere. The number of devices, identities, domains,
sites, stacks and environments is exploding. Enterprises have billions of endpoints to secure. And everyone’s an insider, including
employees, contractors, suppliers, distributors and customers.
Once the de facto standard, the web access management (WAM) solution of yesterday isn’t designed for the requirements you face
today. You can try to force a round peg into a square hole, but at what cost? There’s a hefty price to pay not only in dollars, but in user
experience and security.
You know you need a better solution.
Security is no longer about just keeping the bad guys out. And it’s not simply a one-time event. Security in the modern enterprise must
be dynamic, responding to a user’s location, time, behavior, network and device.
The past perimeter-defined approach of firewalls and passwords just doesn’t cut it any more. Digital enterprise transformation
requires a new approach. And identity provides it.
A modern access security solution, centered on identity, will provide the security you need and a whole lot more.
So how do you get others to see this, too?
By building a solid business case, you can guide your company to a better solution. You can demonstrate how IAM can drive your
organization forward by:
• Accelerating time to market for new applications and services
• Enhancing security for applications on premises and in the cloud
• Reducing IT costs and increasing predictability of operating expenses
These are just some of the benefits of modern access security. And it’s no accident that they’re aligned to your company’s top
strategic objectives.
This paper will explain how IAM can provide the secure access you need, accelerating digital transformation and propelling your
company forward.
PAIN POINTS OF LEGACY WEB ACCESS MANAGEMENT
WAM solutions work fine for web apps on a single domain. This legacy architecture was designed to protect simple web resources that are
hosted in enterprise data centers, and it does that job well.
Because of the purpose it was designed for, WAM tightly couples the relationship between legacy agents and policy servers, and relies on
heavy communication. But as your business becomes more mobile, apps migrate to the cloud, and APIs connect it all, this architecture just
can’t keep up.
Here are five ways your WAM solution falls short of today’s requirements:
1. IT CAN’T SECURE APPLICATIONS IN A PRIVATE OR PUBLIC CLOUD
• Mirroring the heavy database infrastructure shown in Figure 1 for session storage, policies and encryption keys is complex to manage and expensive.
• Leaving policy servers on site creates latency from the VPN to the cloud.
2. IT CAN’T SECURE ACCESS TO NATIVE MOBILE APPS AND REST APIS
• Native mobile apps and REST APIs have difficulty translating proprietary cookie tokens generated by legacy WAM solutions.
• Sessions within native mobile applications and REST APIs are stateless, whereas legacy WAM solutions require stateful sessions.
3. IT REQUIRES EXCESSIVE COST TO UPGRADE AND SCALE
• Labor to upgrade agents and policies to conform to new corporate mandates is excessive, in addition to costs for system-wide upgrades every three years.
• Application level access control requires significant numbers of policy servers.
4. IT REQUIRES CONTINUED INVESTMENT IN PROPRIETARY SOLUTIONS
• Proprietary solutions require custom development expertise gained through previous administrative experience, often involving professional services intervention.
5. IT’S AT OR NEARING END OF LIFE
• Some WAM products have official end of life dates, like RSA Access Manager, while others exist at the end of innovation, like CA Siteminder and Oracle Access Manager.
• Decreasing frequency of updates, degrading quality of software releases, and static administrative interfaces can indicate an unannounced or approaching end of life.
Figure 1: Common on-premises legacy WAM deployment (CA Siteminder), with heavy infrastructure footprint, making it difficult to replicate in a private cloud.
REQUIREMENTS FOR MODERN ACCESS SECURITY
In an increasingly digital and mobile landscape, your enterprise needs to continuously verify all users and devices at all entry points. You
need to enable secure access for everyone to all applications no matter their type or where they live (public cloud, private cloud, on-premises,
enterprise, third-party, mobile). You must accommodate access across cloud, mobile and APIs.
And, of course, you must provide this high level of security while delivering the frictionless experience your users demand. Seems like a tall
order? It is. And it’s exactly what modern access security solutions are designed to do.
When it comes to meeting the demands of modern access security, a best-in-breed identity and access management solution must deliver on
these eight characteristics:
Figure 2: Lightweight and cloud-ready modern access security deployment shown with optional SSO and directory components.
1. LIGHTWEIGHT AND CLOUD-READY
• Provides cross-domain access security with a proxy (access gateway) as shown in Figure 2, or an agent-based approach without making DNS or network changes.
• Delivers out-of-the-box support for Microsoft IIS, Apache and NGINX servers, plus a provided SDK for custom plugins.
2. CENTRALIZED ACCESS SECURITY FOR MOBILE, WEB AND APIS
• Decreases coordination costs between administrators and developers with policy creation and sharing from a single console for applications and APIs.
• Is able to scale, whether resources are hosted on premises or in the cloud.
3. FLEXIBLE AUTHORIZATION POLICIES TO SUPPORT NEW BUSINESS RELATIONSHIPS
• Provides built-in federated single sign-on (SSO) capabilities to enable rapid and seamless connections for your partners and customers to any application or service.
• Allows for customizable access policies, based on user groups, location, time or device.
4. STANDARDS-BASED
• Provides native support for SAML, OAuth 2.0, OpenID Connect (OIDC) and JSON Web Tokens (JWT), enabling standard communication for all apps and APIs and increasing interoperability.
• Reduces complexity and relieves your developers from spending hours writing custom code or becoming an expert in proprietary authentication and authorization protocols.
5. ADAPTABLE TO ENTERPRISE REQUIREMENTS, INCLUDING INTEGRATION WITH NON-STANDARD APPLICATIONS
• Offers language-based kits for .NET, Apache, PHP and Java.
• Provides application-based kits for Citrix, SAP, Oracle, RSA, IBM and Microsoft.
• Supports agentless integration for attribute passing via direct HTTP calls.
6. SUBSCRIPTION-BASED WITH ENTERPRISE SUPPORT
• Provides a predictable operating rhythm and expense, and eliminates the variable costs of upgrades, maintenance and support.
• Delivers high-quality new releases driven by customer requirements.
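The stateless-versus-stateful contrast drawn in the pain points (native mobile apps and REST APIs cannot use proprietary cookie sessions) and the standards-based requirement above come down to one gateway-side decision: whether a request can be authorized from what it carries, or only by consulting shared session state. The Python below is an added illustration of that difference and is not Ping Identity's or PingAccess's code. It assumes an HS256 JWT signed with a shared secret, a placeholder issuer and audience, and a constructed legacy session store so that it runs offline; production gateways typically verify asymmetric (RS256/ES256) signatures against the issuer's published keys rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not from the white paper): a shared HS256
# secret, and the issuer/audience the gateway expects to find in every token.
SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.com"
EXPECTED_AUDIENCE = "api://orders"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT; stands in for the identity provider in this demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_jwt(token: str, secret: bytes = SECRET, now=None,
                 issuer: str = EXPECTED_ISSUER, audience: str = EXPECTED_AUDIENCE):
    """Stateless check: the token plus the gateway's own key and policy are enough,
    so no session store or policy server round-trip is needed per request.
    Returns (True, claims) or (False, reason)."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed"
    # Accept only the algorithm the gateway is configured for; never let the token
    # pick it (this also rejects "none" and algorithm-confusion tokens).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # Parse claims only after the signature has been verified.
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return False, "malformed"
    if not isinstance(claims, dict):
        return False, "malformed"
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if audience not in aud:
        return False, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"
    if "nbf" in claims and now < claims["nbf"]:
        return False, "not yet valid"
    return True, claims


# Constructed stand-in for a legacy WAM session store. Every request carrying the
# proprietary cookie must be looked up here: this is the shared state the paper
# says has to be replicated (and kept in sync) wherever a policy server runs.
LEGACY_SESSION_STORE = {
    "wam_session=abc123": {"sub": "alice", "expires": 2000},
}


def validate_legacy_cookie(cookie: str, store=LEGACY_SESSION_STORE, now=None):
    """Stateful check: the cookie is opaque, so validity exists only in the store."""
    now = time.time() if now is None else now
    session = store.get(cookie)  # a network round-trip in a real deployment
    if session is None:
        return False, "unknown session"
    if now >= session["expires"]:
        return False, "expired"
    return True, session


if __name__ == "__main__":
    token = issue_jwt({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                       "sub": "alice", "iat": 1000, "exp": 2000})
    print(validate_jwt(token, now=1500))
    print(validate_jwt(token, now=2500))
    print(validate_legacy_cookie("wam_session=abc123", now=1500))
```

The `now` parameter is there so the expiry logic can be exercised deterministically; a real gateway would use the current time and usually allow a small clock skew. The order of checks matters: the algorithm allowlist and signature are verified before any claim is trusted, and audience and issuer are checked so that a token minted for one API cannot be replayed against another.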
7. COMPATIBILITY WITH EXISTING ARCHITECTURE
• Coexists with legacy systems, allowing you to try new features without impacting the business.
• Is compatible with common legacy systems, like CA Siteminder (SSO), Oracle A.M., RSA A.M., IBM Tivoli A.M. and Central Authentication Service (CAS).
8. ZERO DOWNTIME MIGRATION
• Is fully deployable in an enterprise environment within a matter of weeks.
• Allows deployments that are agent-based, proxy-based or a combination of the two to support access security for both legacy and new applications.
• Supports token mediation to ensure a seamless end user experience for difficult-to-migrate applications.
HOW MODERNIZATION BENEFITS YOUR ENTIRE ORGANIZATION
When it comes to building your case for modern access security, you can point to benefits that extend far beyond your direct purview. A well-architected solution will deliver value throughout your organization.
Security & Compliance
• Reduces risk of breach and non-compliance with centralized, policy-driven access control.
• Increases security without impacting productivity and with access security in context.
IT Executives
• Allows access to be centrally controlled for almost any resource, anywhere.
• Reduces vendor lock-in with future-proofed solutions built on open standards.
• Increases IT capacity with easily repeated, secure rollouts of new apps.
• Enables new partner relationships by connecting applications to third-party APIs.
IT Budget Owners
• Reduces on-premises hardware requirements.
• Reduces professional services requirements by shifting to a predictable subscription model.
• Reduces IT staffing previously required for administration of multiple, complex legacy solutions.
Application Developers
• Streamlines and centralizes authorization processes for lower coordination costs.
• Speeds time to market for new applications and services.
Human Resources
• Reduces need for highly specialized and solution-specific talent.
THE BOTTOM LINE
Of course, your business case isn’t complete without an assessment of the bottom-line value an IAM solution delivers. Modernization
may be thought to come at a high price, but when it comes to modernizing access security, it’s actually the savings that are often most
significant.
Infrastructure Savings
When migrating to modern access security, a reduction in server quantity, and the associated labor, utilities, maintenance and support on server hardware, typically equates to notable cost savings. Legacy WAM solutions typically require on-premises infrastructure to store sessions, policies and encryption keys. But modern solutions, like PingAccess, are headless and stateless, enabling lightweight deployment on cloud platforms at a much lower cost.
Licensing and Support Savings
It can be tricky to unbundle the licensing costs from legacy “stack vendors” to pinpoint what exactly you’re paying for. A good proxy for calculating annual maintenance and support costs is 20-25% of the annual licensing cost. However, many legacy customers find that usage of their legacy WAM changes over time. As usage tapers, maintenance and support costs become proportionately more expensive than they should be. A subscription model makes it clear what you’re paying for and allows you to more accurately predict ongoing costs.
Labor Savings
Depending on the size and complexity of the environment, legacy WAM solutions can require multiple full-time administrators to ensure that applications remain secure and that access security isn’t interfering with business operations. The resources required to operate and maintain these systems, which often involve thousands of agents installed on hundreds of servers, constitute a significant cost to the enterprise. Add in upgrade cycles every three years that require hundreds of hours of professional services work, and the costs balloon further. Finally, the inability to share policies between API and web application security doubles the administrative effort. By contrast, modern access security deployed in a gateway architecture requires far less maintenance and enables you to share policies between web applications and APIs in any domain.
CONCLUSION
You know that an investment in modern access management will provide the scalability and flexibility your enterprise needs to support bigger corporate objectives. From securely rolling out new cloud and mobile applications to enabling new business relationships, the benefits of modern access management will extend throughout your organization.
Here’s a quick overview of how a modern solution centered on identity will address your objectives and align to business initiatives.
Accelerate time to market for new applications and services
• Reduce coordination costs between central IT and application developers.
• Decrease time to value with shareable policies for web, mobile and cloud apps.
• Shorten integration periods with out-of-the-box support for almost any platform.
• Enhance current relationships and create new ones with secure partner access.
Improve security for applications on premises and in the cloud
• Centralize access security for all web, mobile and cloud apps, whether commercial or homegrown.
• Protect resources in context of the user, application or access scenario.
• Reduce risk of breach by preventing unrelated applications from impersonating end users.
• Strengthen IT compliance with centralized policy management for all resource access.
Reduce IT costs and increase predictability of operating expenses
• Reduce siloed legacy implementations with centralized access security.
• Increase solution scalability and decrease hardware footprint.
• Stabilize costs and IT workload with a predictable subscription model and updates.
• Leverage open standards to minimize lock-in and minimize the need for specialized talent.
Ready to build your business case? Learn about how to seamlessly migrate from legacy WAM solutions here:
• CA Siteminder Migration Guide
• Oracle Access Manager Migration Guide
• RSA Access Manager Migration Guide
And be sure to read parts two and three of the IAM Pro’s Guide to Building a Business Case:
• Part Two: Upgrading On-prem 2FA to Cloud-delivered, Adaptive MFA
• Part Three: Consolidating Identities with a Modern Directory Solution
ABOUT PING IDENTITY: Ping Identity leads a new era of digital enterprise freedom, ensuring seamless, secure access for every user to all applications across the hyper-connected, open digital enterprise. Protecting over one billion identities worldwide, more than half of the Fortune 100, including Boeing, Cisco, Disney, GE, Kraft Foods, TIAA-CREF and Walgreens, trust Ping Identity to solve modern enterprise security challenges created by their use of cloud, mobile, APIs and IoT. Visit pingidentity.com.
#3237 | 06.17 | v004