How Microservices Can Improve Your IAM Strategy 20180125 ......How Microservices Can Improve Your...

LICENSEDFORDISTIRBUTION

How Microservices Can Improve Your IAM Strategy Abstract IdentityManagementiskeytodigitaltransformationandthenextgenerationofenterprise IT.These foundational identitysystemsarerapidlyevolvingtosupportnewbusinessmodels,applicationsandecosystems.AkeyelementofthischangeisapervasivemovementtomicroserviceandDevOps—providingamoreflexible,dynamicandtimelymeansofprovidingidentityservices.Microservices, as applied to identity management, breaks up monolithicIdentityandAccessManagement(IAM)applicationsintosmallerservicesandprovides them to a variety of applications and other consumers as needed.Microservices enable an “abstraction layer” that can dramatically simplifyapplicationdevelopment, integrationandoperationalsupport. In thismodel,IAM services and functions that are enabled in a secure, easy-to-consumemanner.Asnewprotocols,techniquesandinfrastructureapproachesemerge(e.g.,blockchain,distributedledgers,verifiedclaims),andoldtechniquesfadeawaytheimpactontheIAMinfrastructurewillremainminimal.Doingsoisthesurestwayto‘futureproof’yourIAMstrategy.Thishighlyactionablereportprovidesacontextforapproachingmicroservicesas an increasingly important part of an enterprise identity managementstrategy.Wealsodescribeafewsignificantvendorofferingsinthisemerging,butrapidlydevelopingcategory.Authors:DougSimmons NickNikolsManagingDirector,Consulting& ManagingDirector,Research&PrincipalConsultingAnalyst [email protected] [email protected]&[email protected]

HowMicroservicesCanImproveYourIAMStrategyTechVisionResearchReprint

2 ©2017TechVisionResearch,allrightsreserved www.techvisionresearch.com

Table of Contents

TableofContents.............................................................................................................................................................2

ExecutiveSummary........................................................................................................................................................3Introduction.......................................................................................................................................................................4WhatAreMicroservices?.............................................................................................................................................................5

WhatIsanIAMMicroservice?...................................................................................................................................5GranularSolutioning:ContainersandAPIGateways....................................................................................8Containers...........................................................................................................................................................................................8APIGateways.....................................................................................................................................................................................8DoesBlockchainIAMFitThisModel?................................................................................................................................10

TheFirstStep:EnableanIdentityDataService............................................................................................11

EarlyVendorFocusonIAMMicroservices......................................................................................................14Cloudentity.......................................................................................................................................................................................14ForgeRock.........................................................................................................................................................................................16Okta......................................................................................................................................................................................................17Microsoft...........................................................................................................................................................................................19IBM.......................................................................................................................................................................................................19

RecommendationsandBestPractices...............................................................................................................20

Summary..........................................................................................................................................................................22AboutTechVision.........................................................................................................................................................23

AbouttheAuthors........................................................................................................................................................24RelatedReports.............................................................................................................................................................25



Executive Summary As enterprises embrace digital transformation, a renewed focus has been levied on theDevelopmentandOperationsgroupsresponsiblefordeveloping,integratingandmaintainingIT services - including IAM, for all constituents, whether internal or external to theorganization.Traditionally,thesetwogroupsoperatedinasomewhatisolatedfashion,withDevelopment working feverishly in its own silo, releasing new “IT products” (whetherdeveloped in-houseor integrating commercial-off-the-shelf solutions) to the ITOperationsstaff-whoarethenchallengedwithmaintainingtheseproducts.SuchawaterfallmodelforapplicationdevelopmenthasoftenledtodisconnectsbetweenDevelopmentandOperations,because the process is innately non-iterative and the model makes timely feedback andregularcross-functionalcollaborationdifficult.Therearetwoemerging,synergisticapproachestothisdilemmathatwe’llevaluateastoitsapplicabilityinsupportofIAM.Theyare:

1. Logically combining the Development and Operations groups into a single entityreferredtoasDevOps,withaprimaryfocusonagiledevelopment(theantithesisofthewaterfallmodel)coupledwith,

2. Microservices architecture and deployment strategies that break down businessfunctionsintoatomic-levelITfunctions,or“services”,thatcanbereused,retrofittedandreplacedwithminimaldisruptiontotheoverallITinfrastructure.

OneofthemostsignificantresultsofsuchaDevOpsmodelisimprovedaccessibilityofIAMservices functions, such as user/thing authentication, authorization, lifecyclemanagementand audit readily available to application developers and integrators.Without an effort tomove toward a better DevOps paradigm, enterprises will continue to suffer from siloedapplicationsandservicesthatwillperpetuatetheissuesofdisconnectthatlargelyexisttoday.

Delivering IAM functionality via microservices involves the identification of discrete IAMfunctionssuchasuserauthenticationwithinacompact,single-purposecodeset.Thissingle-purpose IAM microservice can then be easily and securely integrated into an in-housedeveloped or COTS application. This approach provides an environment for furtherintegrationofarelatedsetofmicroservicesasneededbyasetofrelated,callableservices.These related services can include specific IAM services such as ‘authenticate identity’ or‘create identity’, and so forth.Typically, individual, relatedmicroservicesare ‘packaged’ insuchawayusingacontainerstructureoranAPIgateway.

Many of the major IAM vendors have not been asleep at the wheel with respect tounderstanding, facilitating and furthering the development and usefulness of IAMmicroservices. That said, we see this movement as rapidly accelerating and recommendvendorsandenterprisesexaminetheopportunitiesassociatedwithapplyingmicroservicesandDevOpsinanIAMcontext.

AsTechVisionResearchhasbeenemphasizingforthepastthreeyears,acombinationofloose-coupling, virtualization and federation are critical elements in ‘the future of identitymanagement’. Microservices enables an ‘abstraction layer’ that can dramatically simplify



applicationdevelopment,integrationandoperationalsupport.Inthismodel,IAMservicesandfunctionsthatareenabledinasecure,easy-to-consumemanner.Asnewprotocols,techniquesandinfrastructureapproachesemerge(e.g.,blockchain,distributedledgers,verifiedclaims),andoldtechniquesfadeawaytheimpactontheIAMinfrastructurewillremainminimalbyfollowingthecoreprincipleswedescribeinthisreport.Doingsoisthesurestwayto‘futureproof’yourIAMstrategy.

Introduction TechVisionResearchbelievesa flexible, loosely-coupledand federated IdentityandAccessManagement (IAM) strategy is appropriate for most enterprises. This type of approachgenerally improves efficiency and reduces systems integration and operational overhead.Theserecommendationsalsofocusonabiggerpicture-thatofaglobaltrendtowarddigitaltransformation.Digitaltransformationisanareaoffocusformanylargeenterprisesastheyseektodigitallyengagewithclients,prospects,tradingpartnersandemployees.Digital transformation can be broadly described as a significant overhaul of existing ITinfrastructuretoadoptamuchmoreflexible,adaptableandscalablesetofcapabilitiesthatcanallowenterprisestoquicklydeployordecommissiononlineserviceswithminimalimpactto development and operations - which is preciselywhatwe’ve been advocating for IAMtransformation.Overthepastdecade,anintensetransformationofIThastakenplacewiththewidespreadadoption of cloud computing, SaaS and PaaS integration, system and infrastructurevirtualization,mobility,federation,IoT,IAMandmore.AddtothisthegrowthinmanagedITservices supported by 3rd parties and the typical enterprise IT environment now looksnothinglikeitdid10yearsago.As part of this transformation, a renewed focus has been levied on the Development andOperations groups responsible for developing, integrating and maintaining IT services -including IAM, for all constituents, whether internal or external to the organization.Traditionally,thesetwogroupsoperatedinasomewhatisolatedfashion,withDevelopmentworkingfeverishlyinitsownsilo,releasingnew“ITproducts”(whetherdevelopedin-houseor integratingcommercial-off-the-shelfsolutions) to the ITOperationsstaff -whoarethenchallenged with maintaining these products. Such a waterfall model for applicationdevelopment has often lead to severe disconnects between Development and Operations,becausetheprocessisnon-iterativeandcomprisesnoviablenear-real-timefeedbackloop.Wecallthesesymptoms“DevOpsanti-patterns”,whichhavebecomeprevalentacrossprojectsand platforms, typically resulting in infrequent releases with traditional change controlsleading to long lead times, and manual, time-consuming, painful, and tedious deliveryprocesses,whichactasgreatinhibitorstodigitaltransformation.

Therearetwoemerging,synergisticapproachestothisdilemma:1. Logically combining the Development and Operations groups into a single entity

referredtoasDevOps,withaprimaryfocusonagiledevelopment(theantithesisofthewaterfallmodel)coupledwith,



2. Microservices architecture and deployment strategies that break down businessfunctionsintoatomic-levelITfunctions,or“services”,thatcanbereused,retrofittedandreplacedwithminimaldisruptiontotheoverallITinfrastructure.

OneofthemostsignificantresultsofsuchaDevOpsmodelisimprovedaccessibilityofIAMservices functions, such as user/thing authentication, authorization, lifecyclemanagementand audit readily available to application developers and integrators.Without an effort tomove toward a better DevOps paradigm, enterprises will continue to suffer from siloedapplicationsandservicesthatwillperpetuatetheissuesofdisconnectthatlargelyexisttoday.Inthisreport,TechVisionResearchdivesintothearchitectureandbestpracticesforIAMtosuccessfully participate in and support the emerging DevOps paradigm encompassing amicroservices architecture strategy. The benefits of adopting this model will enableenterprisestoprovidemoreefficient,consistent,seamlessandsecureIAMcapabilities.

What Are Microservices? TechVisionResearchdescribesmicroservicesandamicroservicesarchitectureas simplyawayofdesigningapplicationsasindependentlydeployableservices.Microservicesstartwithafocusonbusinesscapabilities,nottechnology.Itisanarchitecturestyleofdevelopingasingleapplicationbasedonsmall,self-containedsetofservicesrunningtheirownprocessesandcommunicating via a lightweightmechanism.There is limited centralizedmanagement orgovernanceoftheseservicesandtheycanbewrittenindifferentlanguagesandusedifferentstorageapproaches.Somekeytakeawaysofthisapproachare:

1. Microservicesdefineclearboundaries,butkeeptheseboundariessmallandnotcorrupted

2. Microservicesareindependentlydeployablebyfullyautomateddeploymentmachinery,whichisparticularlyusefulindeployingservicesoncloud-basedPaaSenvironments,suchasAmazonWebServices,GoogleandMicrosoftAzure.

3. Microservicesmaybewrittenindifferentprogramminglanguagesandusedifferentdatastoragetechnologies

4. Microservicessupportsecurity,monitoring,andassociatedhookstodeploycodeacrossmultipleservices

TechVision is currently drafting a report titled “Microservices Enterprise Level-Set” to bepublishedinearly2018whichwilladdtotheexplanationofmicroservicesandstrategiestobroadlyleveragethisapproach.Forthepurposesofthisreport,microservicesarecomponentsthat can be thought of as independently replaceable and upgradeable building blocks orservices.Nowthatwe’vedescribedmicroservicesatagenerallevel,we’llnextfocusondescribinghowmicroservicesandIAMfittogetherandthebenefitstotheenterprise.

What Is an IAM Microservice? Identity and access management typically involves a number of functions regarding the



establishment,managementanduseofidentitiesbuiltintoamonolithicapplicationtoprovideaccessto informationassupportedbypolicies.Theenterprisegoalis toprovideendusers(andapplications)withappropriateaccesstoenterprisesystemsandapplications.Theword“access”hastwoprimarycomponents:authenticationandauthorization.

1. Withinauthentication,systemsandapplicationsidentifywhosomeoneorsomethingisbylookingatahostofattributes:loginIDs,passwords,digitalcertificates,federation,one-timepasswordtokens,etc.

2. Withinauthorization,attributessuchasroles,groupmembershiporotherattributesoraffiliationsareusedtograntordenyaccess.

Theattributesnecessary fordeterminingwhether toauthenticateandauthorizeaperson,service, application or thing must be provisioned and properly managed throughout thelifecycleofthatperson,applicationorthing.ThatleavesuswithahostoftypicalIAMfunctionsthatcanbeisolatedintoatomicunitssuchas:● User(orapplicationorthing)identitycreate● Userauthenticate● Userauthorize● Sessionvalidation● Useridentitymodify● Useridentityaudit● Useridentitydisableordelete

Amicroservicesapproachlookstotranslatethesespecificbusinessneedssuchasestablishingauser’sidentity,authenticatingauser,authorizingtheiraccesstoservices,makingchanges,auditing and removing a user to self-contained programs responsible for providing theappropriate functions.Thesearetypical IAMfunctionsthatgetaggregated inmassive IAMsolutions; thismodel decomposes these functions and reassembles them as needed. Eachfunctioncanbeindependentlydeveloped,maintainedandupdated.Suchoverarchingfunctionsmayalsohavemanypermutations.Forexample,a‘useridentitycreate’ function may involve self-registration through a web page or app, or it may betriggeredfromaneventintheenterpriseHRsystem(e.g.,newhire).Theprocessmayrequireworkflowsandapprovals,anditmaybenecessarytologandaudittheseprocesses.Similarly,userauthenticationmayinvolveapassword,adigitalcertificate,biometricdataandsoforth;so there is an additional level of granularity associated with the overall authenticationprocess.A setof authenticationmicroservices couldbedeveloped tohandleeachof thesepermutations.

Howtheservicescommunicatewitheachotherdependsontheapplication’srequirements,but inmany cases DevOps focuses on REST (Representational State Transfer) as a usefulintegrationmethodbecauseofitscomparativelylowercomplexityoverotherprotocols.RESTis anarchitecturalstyle that sets certain constraints fordesigningandbuilding large-scaledistributedsystems.Asanarchitecturalstyle,RESThasverybroadapplication.ThedesignsofbothHTTP1.1andalsoURIsfollowRESTfulprinciples.Manyotherwebservicesalsofollow



theRESTarchitecturalstyle.ExamplesincludeOAuth2.0andOpenIDConnect1.0.InREST,IAMfunctionsarereferredtoas‘resources’thataretypicallyexposedatanAPIendpoint.AnendpointbyitselfisjustareferencetoaURIthatacceptswebrequeststhatareRESTful.IAMsolutionscanapplyRESTfulprinciplestodefinecommonendpointsforHTTP-basedAPIsthataccesswebresourcesandcollectionsofwebresourcesforthefollowingrepresentativeidentityandaccessmanagementoperations,forexample:● AuthenticationLogin● AuthenticationLogout● Session(cookie)Information● Tokenattributeretrieval● Tokenvalidation● Logging● Authorization● OAuth2.0Authorization● OpenIDConnect1.0● UserSelf-Registration● ResettingForgottenPasswords● DashboardService● IdentityManagement(creating,reading,updating,deletingidentities)● RealmManagement(creating,reading,updating,deletingrealms)● SecureTokenService(STS)

Forinstance,asimpleUserAuthenticationmicroservicewouldinvokeusername/passwordauthenticationandreturnatokenIDthatapplicationscanpresentasacookievalueforotheroperations that require authentication, whileAuthentication Logout can be performed byusingthetokenIDtoterminatetheuser(orapplicationorthing)session.Inthisway,singlesign-on(SSO)andsinglelogout(SLO)canbesupported.Authorization,ontheotherhand,mayrequiredifferentmicroservicesdependingonthestateof theuserandapplication.Forexample,amicroservice’sRESTAPImightsimplyperformcookie validation in order to ensure the user/application/thing have maintained a validsessionfromapreviousauthenticationcall.AnothermicroserviceRESTAPImaybecalledtolookup attributes about the user/application/thing in order to allow the application toperform more fine-grained authorization based on the attribute values returned on thelookup. In fact, the logic to determine the authorization level would likely be anothermicroservicethatsimplyevaluatesreturnedattributevaluesviarulesandpassesa‘go/no-go’message to the application. There is also an opportunity for additional machinelearning/AI/predictive analytics to be applied here and could also be invoked via amicroservice.The key takeaway here is to understand that by making these standard IAM functionsavailable asmicroservices,DevOps canmake incremental, regular changes (assimpleasasinglechangeorpatchtoonelineofcode)withoutdisturbingtheentireITinfrastructure.Thissetsthestageforthecontinuousdevelopmentandcontinuousdeploymentmodelsthatarea



corepartoftheDevOpsapproach.

Granular Solutioning: Containers and API Gateways Delivering IAM functionality via microservices involves the identification of discrete IAMfunctionssuchasuserauthenticationwithinacompact,single-purposecodeset.Thissingle-purpose IAM microservice can then be easily and securely integrated into an in-housedeveloped or COTS application. This approach provides an environment for furtherintegrationofarelatedsetofmicroservicesasneededbyagroupofrelated,callableservices.These related services can include specific IAM services such as ‘authenticate identity’ or‘create identity’, and so forth.Typically, individual, relatedmicroservicesare ‘packaged’ insuchawayusingacontainerstructureoranAPIgateway.

Containers In many cases, applications may be ‘containerized’, so that once a business function issuccessfullyenabledthroughaseriesofinterconnectedmicroservices,thatbusinessfunctioncan be easily and quickly leveraged across the enterprise as a cloud service -whether aninternal, external or hybrid cloud. A container is the bundling of an application’s code,configurationanddependenciesintoasingleobject.Itcanbethoughtofasoperatingsystem-levelvirtualizationinthattheyaredesignedtorunanywhereandthereforeareindependentoftheexternalenvironment.Containersareintendedtobeverylightweightandfunctionasaunitofsoftwaredeliveryinsupport of microservices. Containers, therefore, are typically comprised of one or moremicroservicesthattakentogetherperformdiscretebusinessITfunctionsintheformofeasyto use building blocks that deliver environmental consistency, operational efficiency,developerproductivity,andversioncontrol.In theworld of IAM, a container called “Authenticate Identity”may be deployedwith thecontentsofthisparticularcontainerbeingthreeorfourindependentmicroservices.Eachofthesemicroserviceswillperformonespecificfunctionwithinatypicalauthenticationevent,such as password authentication, certificate authentication or biometric authentication.Depending on what data is passed to the container by the application, the appropriatemicroservicewithinthatcontainerwillbeinvoked.

API Gateways APIgatewaysareusedtointegratemultiplerelatedmicroservicesintoalogicallydiscreteandaddressable function. An API gateway functions as an “APIwrapper” such that individualmicroservicesbehaveasasingleapplicationtotheclient.AnAPIgatewayisoftenreferredtoas a “façade” that provides simple API interfaces to a complex subsystem (e.g., the IAMinfrastructure). It essentially decouples the interface that clients see (in this case APIconsumers which could be mobile apps, thin clients, application service accounts, smartmeters,homecoffeemakers,etc.)fromtheunderlyingimplementation.Inaddition,theAPIgatewaycanperformseveraladditionaltaskssuchasAPIlimitthrottling,logging,security,etc.API gateways provide consistent RESTful application programming interfaces (APIs) for



mobileandwebapplicationstoaccessbackendservices,whetheron-premiseorinthecloud.

Figure1:APIGatewayServicingIAMFunctionality

AsshowninFigure1,APIgatewaysprovideconsistentaccesstoidentityservicesformobile,web, service account and IoTdevice. All client requests go through theAPI gateway via aRESTful interface. TheAPI gateway then routes requests to the appropriatemicroservice.These requests are often handled by invokingmultiplemicroservices and aggregating theresults, as illustrated by multiple connections (e.g., lines) emanating from a singlemicroservicetomultipleunderlyinginfrastructure.SincethisgatewayprovidesclientspecificAPIsitreducesthenumberofround-tripsbetweentheclientandapplicationwhichreducesnetworklatencyanditalsosimplifiestheclientcode.

ThereareanumberofvendorsthatofferAPIgateways;IBM,Akana,Apigee,andCAallhavestrongsolutions.Additionally,AmazonprovidesanAPIGatewaywithinAWSthathandlesthetasksinvolvedinacceptingandprocessinglargepoolsofconcurrentAPIcalls,includingtrafficmanagement, authorization and access control,monitoring, andAPI versionmanagement.GoogleoffersGoogleCloudEndpointswithsimilarfunctionality,whileMicrosoftoffersAzureAPIManagementasasolution forpublishingAPIs toexternal and internalcustomers.Thecombination of API gateway vendors and the big three (Amazon, Google and Microsoft)provideastrongsetofservicesforenterprisesmovingtowardsmicroservicesandDevOps.

Whether using containers or API gateways, the message here is that the DevOps modelrequires a viablemeans of integrating discrete IAM functionality into a set of unique butconsistentlyappliedcallableservices.ThisstartswithbreakingdownIAMfunctionalityintoatomic-levelfunctionsandthenre-assemblingthemintoaseriesofcallableservices.Thistype



of approach supports the true essence of what we characterize as loose-coupling andflexibility in providing identity services. DevOps allows necessary and regular changes toproductioncodetoregularlyrefreshtheenterpriseIAMcapability.ThisisinstarkcontrasttosearchingforandreplacinglogicinmultiplesiloedinstancesofredundantIAMfunctionalitythatmaytakeyearstodeploy.

Does Blockchain IAM Fit This Model? TechVision Research has published several research reports focused on blockchain andblockchain-basedIAM.Blockchain(ordistributedledgers)canprovidegreaterdiscoverabilityof an identity and secure connections to the dataneededtosupportatransaction.Eachblockinone’sblockchainmaycontain“pointers” toencryptedandsigned verifiable claims (e.g., a qualification,achievement,quality,orpieceofinformationaboutanentity'sbackgroundsuchasaname,government ID,payment provider, home address, or universitydegree)thatcanbeusedtoproveaspecificattestationinrealtime.Entities(people,organizations,devices)needtomakemany kinds of claims as part of their everydayactivities. As organizations progress towards digitaltransformation, entities need to be able to transmitinstantly verifiable claims (e.g., about their location,accomplishments, value and so forth) providingelectronicproof that theclaimisvalid.Theseclaimscansupport thenextgenerationofwebapplicationsas they provide the basis for authorizing entities toperform actions based on rich sets of credentialsissuedbytrustedparties.TechVision Research sees a synergistic relationship between IAM microservices andblockchain-basedIAMbecauseamassiveproliferationofidentitiesoverthenextfewyears-especially of “things”, will require a much more scalable and secure IAM ecosystem. Byexpandingthisecosystemtoincludeverifiableclaimsasaprincipalmeansofauthenticationandsubsequentauthorization,applicationdeveloperswillbeabletouseRESTendpointstoquicklyandsecurelyextendIAMtoabroaderrangeofclients,betheyend-users,applicationsordevices(e.g.,IoT“things”).

A much more in-depth discussion regarding blockchain-based IAM is provided in theTechVision Research report titled “Identity as the New Perimeter”, October, 2017 and“Blockchain-BasedIdentity”researchpublishedinOctober,2016.



The First Step: Enable an Identity Data Service MovingtoanIAMmicroservicesmodeltakessomepreparation.Thereisalotofcomplexityinvolved in performing identity operations across disparate systems, especially in largeenterprises. That said, identity operations can be decomposed in away that is easier fordevelopers to use in a way that helps the enterprise to establish a level of consistency,efficiencyandsecuritywhileprovidingregularupdates.To start the process enterprises should decompose business applications into discreteservices that provide a broad range of ‘common functionality’ required by applicationconsumers.Ahigh-levelexampleofthisisshowninFigure2,below.

Figure2:DecomposingApplicationsIntoMicroservices

Nearly every application contains functionality similar with the monolithic applicationillustratedontheleftofFigure2.Thesemonolithicapplicationsincludefunctionalitysuchasusermanagement,datamanagement,userinterface,billing,paymentsandsuchfunctionsthatare quite common. However, almost every application is also supported by a set of corefunctionsorservices.Thechallengeistodecomposethecommonservicesfromtheuniquecorefunctions.Attheendofthisdecompositionexercise,theapplicationshouldbecomprisedmainlyofitsuniquecore functions, while incorporating the common enterprise functions (e.g., authentication,identitymanagement,etc.)throughservicecallstotheIdentityServiceas illustratedontherightofFigure2.What is especially appealing to such a composable architecture is the ability to hidecomplexity,especiallyofcomplexIAMfunctions,fromapplicationdevelopersandoperationsstaff.Microservicesenablesan‘abstractionlayer’thatcandramaticallysimplifyapplication



development, integrationandoperationalsupport.Aswehavebeendescribingthroughoutthisreport,suchanabstractionlayeristheproductofanAPIsetthatservesupthenecessaryIAMfunctionstodevelopersandintegrators.WeillustratethisconceptmorefullyinFigure3,below.

Figure3:IdentityServicesAPI

ConsiderthatthefunctionalityenabledthroughthisAPIdescribedaboveisadeeperdiveintotheconcepts firstillustrated inFigure1earlier in thisdocument.The ‘exposedoperations’illustratedacross thetopof the IdentityServicesAPIexample inFigure3are the typesofservices that can be containerized or exposed via API Gateways in order to enable theseservicesinthe‘realworld’.

Asanexample,notetheIdentityOrchestrationServiceillustratedinFigure4,below:



Figure4:TyingItAllTogether

Whilemicroservicesprovidesadegreeofflexibilityandregularupdates,thechallengeistothen reassemble all the components into an integratedsolution.Thisiswhereidentityorchestrationcomesintoplay. The identity orchestration service supportsnumerousveryimportantcapabilitieswithintherealmofIAM, such as collecting identity data from numerousintegrated repositories (e.g., directories, databases, AD,etc.).Withintheidentity orchestrationservice,mappingrulesareinvokedtoassembleacompletepictureoftheidentityandmakethisdataavailablethroughthesecureidentityAPIsidentityaggregationmicroservice,showninthecenterofthediagram.Thispatternisoftenusedforentitlementcollection(buildinganentitlementcatalog),whichfurtherenablescoarseandfine-grainauthorizationmicroservice exposure. If attributes are changingfrequently–collectioncanbemoredynamicandinrealtimeandthecollectionpointdoesn’tneedtobepersistent(VirtualDirectory).All thisdecomposition ‘addsup’ toamuchmoreflexibleyetconsistentmeansforintegratingIAMfunctionsacrosstheenterprise.

Let’snowturntowhatthevendorsandserviceprovidersaredoingtodrivethismovementtowardsmicroservices-basedIAM.



Early Vendor Focus on IAM Microservices Many of the major IAM vendors have not been asleep at the wheel with respect tounderstanding, facilitating and furthering the development and usefulness of IAMmicroservices. That said, we see this movement as rapidly accelerating and recommendvendors and enterprises take a closer look at the opportunities associated with applyingmicroservicesandDevOpsapproachestoIAM.Whileweexamineafewoftheearlyleadersinthismovement,itbearsmentioningthatmorevendorsareclimbingonboardandre-architectingtheirsolutionstobetterfitamicroservices-centricDevOpsapproachtoIAM.We’lldescribetheofferingsandapproachof5vendorsthathavebeenearlymoversinthisspace:

• Cloudentity• ForgeRock• Okta• Microsoft• IBM

ThesevendorsrepresentsomenewplayersandestablishedIAMvendors.

Cloudentity Cloudentity,basedinSeattle,WA,hasbeeninbusinessforseveralyearsasasecurityandIAMconsultingcompanyandhasrecently transitionedtoaproduct/servicevendor.TechVisionhadtheopportunitytorecentlyinterviewNathanielCoffing,theirfounderandCEO.NathanielexplainedhesawauniqueopportunitytorespondtowhatheperceivedasamajorneedinFinance, Insurance,Telecommunications,Government,RetailandHealthcare industries.HeexplainedthattheywerelookingforsecureCustomerIdentityforcloud-native,hybrid-cloudandmulti-cloudapplications,andCloudentityrespondedwithanIAMmicroservicesofferingsoptimizedforspeedandflexibility.ThiswasproductizedastheCloudentityTRUSTEngine,which uses behavioral machine learning to deliver continuous adaptive authentication,authorizationandmanagementacrossusers-services-things.The Cloudentity service delivers a stateless identity solution built on a cloud-nativemicroservices architecture with RESTful APIs. Their solution provides what they term a“micro-perimeter”whichincludesamicroserviceAPIgatewayandabroadrangeofidentityfunctionalityincludingfulllifecyclemanagementofusers/services/things,userself-service,strongauthenticationandsessionmobility,andisdesignedspecificallyformoderncontainerarchitectures.Thehigh-levelCloudentitysolutionisshowninFigure5,below.



Figure5:TheCloudentitySolutionFramework

SomeoftheaspirationsbehindCloudentity’sIAMarchitectureandstrategyinclude:1. Attacksurfacereduction

a. Patchtheservice,nottheplatformb. Deployonlyrequiredfeaturesc. Identifyandprotecttransactionsatthemicroservicelevel

2. Moreefficientdeploymenta. EnablenewIAMfeaturesasmicroservices-reducesDevOpschurnasnewIAM

capabilitiesareadded,existingcapabilitiesarechangedanddefunctcapabilitiesremoved.

b. Cloudreadiness-asacloudnativesolution,CloudentityaimstobetterfacilitatedistributeddeploymentonglobalcloudservicessuchasAWS,MicrosoftAzure,Googleaswellashybridenvironments.

c. DevOps friendly - facilitates integration into the ContinuousIntegration/Continuous Delivery (CI/CD) pipeline - developed with amicroservicesfoundation.

d. AdaptableAPI-byvirtueofitsground-upmicroservicespedigree,theIAMAPIscanbeintegratedincustomerbusiness-specificwaysinordertoprovidemoreflexibility.

e. Scalable - again, as a comprehensive set of discrete IAM microservices,Cloudentity’s solution is intended to fit the deployment requirements for agloballyscalableinfrastructuredeployedonthecloud.

The Cloudentity TRUST Engine uses behavioral machine learning to deliver continuousadaptive authentication, authorization and relationship management between users/services/things. It employs an adaptive risk-based transaction authorization approach to



dynamicallyscoreriskacrossuserroles,transactionalcontextandriskprofiles.TheTRUSTEngine detects changing risk across behavioral, data security and threat intelligence,escalatingidentityrequirementsforauthorizationonhigherrisktransactionswhiledetecting,mitigatingandblockingsuspicioususers,devicesoractivities.Cloudentity’s micro-perimeter serves as the decentralized ‘nervous system’ of their IAMplatform,enablingthefollowingfeatures:

1. Securecontainers,APIsandmicroservicestoenable:a. Distributedauthenticationandauthorizationofusers,servicesandthingsb. Distributedsessionstorec. Federation-includingOAuth2,OpenIDConnectandSAML2d. Activityprofilinge. Integratedthreatintelligencef. Policypromotionbetweenenvironmentsg. Parameterinspection

2. Inboundtransactionalsecuritya. Verifiedclaimsb. SSLkeyoffloadingc. SSLkeyrotationd. Trafficinspectione. Parametervalidationf. Behavioralbaseline

ForgeRock In June2017,ForgeRock introducedForgeRock IdentityMicroservices, a setof standards-basedidentitymicroservices,designedtoprovideawaytoincreaseapplicationsecuritybyintegratingidentityintoservice-to-serviceinteractions.TechVisionhastheopportunitytorecentlyinterviewLasseAndresen,ForgeRock’sco-founderandCTO.HedescribedForgeRock’sIdentityMicroservicesasallowingdeveloperstosecuretransactionsbetweenmicroservices,users,things,andotherentitiesbyvalidatingtheidentityof the caller and checking for proper authorization. ForgeRock has focused on both IoTsupport as well as Customer IAM and microservices can drive increased scalability andavailabilityforbothenvironments.ForgeRock’sIdentityMicroservicesareasubsetoftheForgeRockIdentityPlatformandrunas self-containedmicroservices ina statelessmode.This functionalityhelpsmicroservicesdevelopers provide identity services in their applications, independent of the platformtechnologyused.TheForgeRockIdentityMicroservicesaresupportedoncontainerssuchasDocker,KubernetesandCloudFoundry(discussedfurther,below).

Fourself-containedForgeRockIdentityMicroservicesarecurrentlyavailable:1. ForgeRock Authentication Microservice: This microservice will authenticate other

microservicestoensuretheyare legitimateservicesandwillprovideOAuth2-basedauthorizationtokenswithalimitedscopethatisboundtothecallingservice.



2. ForgeRock Token Validation Microservice: This microservice will offer a tokenintrospection endpoint and be able to validate authentication tokens issued by theForgeRock AuthenticationMicroservice aswell as ForgeRock OpenAccessManager(OpenAM).

3. ForgeRockTokenExchangeMicroservice:Thismicroservicewillvalidatetheidentityofauserandaservicethatistryingtocallanotherserviceonbehalfofauser.Itwillensurethatothermicroservicesinthesameenvironmentcantalktoeachotheronlyifthey are authorized to do that and with the minimum amount of authorizationnecessary.

4. ForgeRock Authorization Microservice: This microservice will provide localdeclarativevalidationofpoliciesaswellasproxyoverexternalpolicydecisionpoints(PDPs).ItisdesignedtouseexternalpolicydecisionpointssuchasForgeRockOpenAMonlywhenneeded.

CloudFoundryisanopensourcecloudcomputingPlatformasaService(PaaS)thatisavailableasfreeware,andalsoascommercialofferingsfromPivotalSoftware,IBMBluemix,Swisscom,HPandseveralothervendors.AllofthemajoriterationsofCloudFoundryofferacollectionofplatformelementsthatenabledeveloperstocreateandhostproductionversionsofonlineservicesandapplications.Theseplatformelementsincludefeaturesformonitoring,logging,messaging,authentication,trafficroutingandothertasks.OneofthecoreconceptsoftheCloudFoundryprojectisitsuseofaservicebroker.Aservicebrokeriscodethatenablesanapplicationinthecloudtoinvokeorpointtoaneededserviceforthatapplicationtorun.

Forexample,theForgeRockservicebrokersupportsOAuth2,allowingcustomerstoextendOpenAMcapabilitiestosecurethosemicroservices.OAuthisastandardforauthorizingaccesstoapplicationsanddata.OAuthpromotesa leastprivilegemodel, allowingauser tograntlimitedaccesstotheirapplicationsanddatabyissuingatokenwithlimitedcapability.OAuthisbeneficialbecauseithandsthemanagementofwebdelegationtotheactualresourceowner.OneofthesignificantadvancementsOAuthbringstothetableisformalizingtheprocessofdelegatingidentitymappingtousers.OAuthoriginatedthroughtheOpenIDprojectatTwitter,andbecameastandardwithinputfromGoogleandotherInternetcompanies.

Okta BasedinSanFrancisco,Oktawasfoundedin2009bytwoex-Salesforce.comemployees,andbecameapublicly-tradedcompanyin2017withover2,500customers.Unlikeotheridentityprovidersthataremovingtheiron-premiseofferingstothecloud,Oktastartedwithacloud-basedidentitymanagementservicebuiltonAWSandhasestablishedaleadershippositioninthisspace.TechVisionhadtheopportunitytointerviewEricBerg,Okta’sChiefProductOfficer,earlierthisyearashedescribeda strategyof enablingdevelopers to leverageOkta services.Thisvision was more clearly visible with the acquisition of developer identity tool vendorStormpath inMayof2017. InAugust,2017Oktaannouncedanewdevelopersedition foremployeeandcustomerIAMwithanexpandedportfolioofAPIsandnewdevelopertools



OktacurrentlyprovidesmultipleAPIendpointsthatfitintothemodelwearedescribingastheymaybeencapsulatedinaRESTfularchitectureandprovidespecificservicesincluding:

1. Authentication - The Okta Authentication API provides operations to authenticateusers,performmulti-factorenrollmentandverification,recoverforgottenpasswords,andunlockaccounts.ItcanbeusedasastandaloneAPItoprovidetheidentitylayerontopofyourexistingapplication,oritcanbeintegratedwiththeOktaSessionsAPItoobtainanOktasessioncookieandaccessappswithinOkta.

2. OAuth-TheOAuth2.0APIprovidesAPIsecurityviascopedaccesstokens,andOpenIDConnectprovidesuserauthenticationandanSSOlayerwhichislighterandeasiertousethanSAML.

3. OpenID-TheOpenIDConnectAPIendpointsenableclientstouseOIDCworkflowswithOkta.WithOpenIDConnect,aclientcanuseOktaasabroker.TheuserauthenticatesagainstidentityproviderslikeGoogle,Facebook,LinkedIn,orMicrosoft,andtheclientobtainsanOktasession.

4. Client Registration - The Dynamic Client Registration API provides operations toregister andmanage client applications for usewith Okta’s OAuth 2.0 and OpenIDConnectendpoints.

5. SessionManagement-Oktausesacookie-basedauthenticationmechanismtomaintainauser’sauthenticationsessionacrosswebrequests.TheOktaSessionsAPIprovidesoperationstocreateandmanageauthenticationsessionsforusers.

6. Applications-TheOktaApplicationAPIprovidesoperationstomanageapplicationsand/orapplicationaccessrightstousersorgroups.

7. Events - The Okta Events API provides read access to the system log and enablesexportingofeventdataasabatchjobforreportingoranalysis.

8. Factors-TheOktaFactorsAPIprovidesoperationstoenroll,manage,andverifyfactorsformulti-factorauthentication(MFA).

9. Groups-TheOktaGroupsAPIprovidesoperationstomanageOktagroupsandtheirusermembers.

10. IdentityProviders-TheOktaIdentityProvidersAPIprovidesoperationstomanagefederations with external Identity Providers (IDP), to support logging in withcredentials from Facebook, Google, LinkedIn, Microsoft, or an enterprise IdP usingSAML2.0protocol.

11. Logs - The Okta System Log API provides read access to the Okta system log, andprovidesmorefunctionalitythantheEventsAPI,containingmorestructureddata.

12. Admin Roles - The Okta Admin Roles API provides operations to manageadministrativeroleassignmentsforauser.

13. Schemas - Okta’s Universal Directory allows administrators to define custom userprofilesforOktausersandapplications.OktahasadoptedasubsetJSONSchemaDraft4 as the schema language to describe and validate extensible user profiles. JSONSchema is a lightweightdeclarative format fordescribing the structure, constraints,andvalidationofJSONdocuments.

14. Users - The Okta User API provides operations tomanage users, including create,modify,deactivate,passwordassignment,passwordupdateandmanymore.



Microsoft Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud based directory andidentitymanagementservice.AzureADservesasaplatformthatenablesdeveloperstodeliveraccess control to their applications, based oncentralizedpolicyand rules.AzureADsupportsRESTAPIs as service endpoints that enable sets of HTTPoperations (i.e., methods), which provide create,retrieve, update, or delete access to the AD service'sresources.

Azure AD services require client code to authenticatewithvalidcredentialsbeforecalling theservice'sAPI.Authentication is coordinated by Azure AD, andprovidestheclientapplicationwithanaccesstokenasproofoftheauthentication.ThetokenisthensenttotheAzure service in the HTTP Authorization header ofsubsequentRESTAPIrequests.Thetoken'sclaimsalsoprovideinformationtotheservice,allowingittovalidatetheclientandperformanyrequiredauthorization.InaccordancewiththeOAuth2AuthorizationFramework,AzureADsupportstwotypesofclients:

● Web/confidential clients runonawebserverandcanaccess resourcesunder theirown identity (for example, a service account or daemon), or obtain delegatedauthorizationtoaccessresourcesundertheidentityofasigned-inuser(forexample,awebapp).Onlyawebclient can securelymaintainandpresent itsowncredentialsduringAzureADauthenticationtoacquireanaccesstoken.

● Native/publicclientsareinstalledandrunonadevice.Theycanaccessresourcesonlyunderdelegatedauthorization,usingtheidentityofthesigned-inusertoacquireanaccesstokenonbehalfoftheuser.

IBM IBMisanestablishedIAMvendorwithIBMSecurityAccessManagerandIdentityManagerdeployedinthousandsoforganizations.CustomerscandevelopcustomapplicationsthatusetheIBMSecurityAccessManagerforMobileRESTapplicationprogramminginterfaces(APIs)thatareimplementedbasedonRESTservices.TheRESTAPIsareavailableforcustomerstoadministerthemanagementtasks,usingJAX-RS,outsideoftheIBMSecurityAccessManagerfor Mobile user interface. This includes exporting and importing configuration from oneenvironmenttoanotherorbackingupconfiguration.Additionally, customers can develop custom applications by using the REST applicationprogramminginterfaces(APIs)thatcomewiththeIBMSecurityIdentityManagerinsupportofidentitylifecyclemanagement.TheRESTAPIsenableidentityadministrationtasksoutsideoftheIBMSecurityIdentityManageruserinterface.TheRESTAPIsaresegregatedintoasetoffunctionalcomponentsofIBMSecurityIdentityManagerthatarelistedbelow:



● PersonManagement● Vieworedituserprofiles.● SystemUserManagement● SearchcapabilityfortheIBMSecurityIdentityManagersystemusersbasedon

uniqueidentifiers.● PasswordManagement● Changeorresetthepassword,andrecovertheforgottenpassword.● AccessManagement● Request,view,edit,ordeletetheaccess.● ActivityManagement● Viewandactonyouractivities.● DelegationManagement● Delegateactivities,view,edit,anddeletethedelegationschedule.● GenericSearchAPIs● AssortedsetofsearchcapabilitiesthatareprovidedbytheRESTAPIs.

Theseoverviewsofvariousvendors’capabilities in thisspacearecertainlynotexhaustive.However, it should be clear that the horse has left the barn with respect to the shiftingparadigmassociatedwithDevOps,microservicesandIAM.

Recommendations and Best Practices Byacknowledgingthatapplicationdevelopmentisshiftingtowardleveragingmicroservicesbasedarchitectures,enterprisesneedtounderstandthatthisevolutioninvolvesIAMinanot-so-minorway. Identitymicroservices can simplify how applications interactwith identityinformationwhileimprovingsecurityandconsistencyacrossapplicationsandcantaketheburdenofthiscomplexityoffoftheapplicationdevelopers’shoulders.Theseservicescanalsobereadilyupdatedandconsistentlyavailabletoanyappropriateidentityconsumer.

Keyenterpriserecommendationsandbestpracticesformicroservice-enabledIAMinclude:1. Organizations committed to a digital transformation strategy should spend time

focusingontheDevOpsparadigmdiscussedearlierinthisreport.Aniterativeprocessfromdesign,development,productionandretirementshouldbetterfitwithanAgiledevelopment model than the traditional waterfall model. You should start byexaminingyourowndevelopmentandoperationsprocessesanddeterminewhetherto embark upon an Agile Development program. If you move forward withAgile/DevOpsyoushould:

a. Ensuretheprogramisgovernedproperly.Solidifystakeholderbuy-infromthetop-down(keyexecutivesandapplication‘owners’)aswellasthebottom-up(applicationdevelopersandoperations).

b. IftheorganizationisalreadyembarkingonanagileDevOpsmodel,ensurethatIAMmicroservicesareconsideredkeybuildingblockstothisstrategy.

2. Applications should be inventoried to understand the current, inherent complexity



(assumingthereis)ofIAMintegrationandtobegintheprocessofdisentanglingIAMfromsiloedcodesupportingtheseapplications.Specificstepsinclude:

a. IdentifycommonalityacrossthemanywaysexistingapplicationsperformIAMfunctionssuchasidentityauthentication,authorization,lifecyclemanagementandsoforth.

b. ThecommonalitiesidentifiedwillleadtoasmallersubsetofkeyIAMfunctionsthat would be better served as microservices that are easily and securelycallablefromtheseapplications.

c. Understandthatinsomecases,existingapplicationswillbeverydifficult-ifnotimpossible, to refactor in order to remove the siloed IAM functionality.Applicationsthatfallintothiscategoryshouldberisk-rankedinordertofullycaptureandassesstheriskofleavingthemas-isratherthanassumingthecosttore-writetheapplications.

d. Develop a roadmap for application refactoring in order to prioritize andresourcetheDevOpseffort,understandtheresidualriskwhileintheprocessofrefactoring and identify possible mitigation approaches (e.g., increasingapplicationactivitymonitoring forhigh-riskapplications thatremain furtherdownintheroadmapforreasonssuchascomplexity,budget,resourcing,etc.

3. ThoroughlyassessyourexistingIAMinfrastructuretodetermineitsabilitytoenable

allnecessaryIAMservicestobecalledviaRESTfulendpointsfromwithinapplications.a. RequestthatyourcurrentIAMvendorprovideinformationregardingtheir

abilitytofunctioninamicroservicesorientedITecosystem.b. RequestthatyourIAMvendor(orsystemsintegrator)providecontactwith

othercustomersoftheirswhohaveembarkedonasimilarjourney,inordertofast-trackyourowndeployment.

4. Determine whether containerization or an API gateway is the better predominant

modelforenablingandsecuringIAMRESTendpoints.IfanAPIgatewaymodelsuitsyourorganizationbetter,spendtimeevaluatingAPIgatewayvendors’experiencewithIAMintegration.

5. Startwithasmaller,well-containeddeploymentstrategyinordertoavoidthepitfalls

oftheboil-the-ocean‘strategy’.a. Pickafewlower-riskapplicationstobeginwith,establishingaproof-of-concept

withaneyeonoperationalization.b. Oncetheconcepthasbeenproven, identify thehigherriskapplications from

yourdeployment roadmap to transition first asameans tobring immediatevalueandriskreduction.



Summary Whatdoes itmean tobe ‘cloud-first’?Manyof theorganizations thatTechVisionResearchworkswithonanongoingbasishaveadoptedacloud-firststrategyoverthepastseveralyears-withthenumbergrowingmorerapidlyday-by-day.Beingcloud-firstdoesn’tonlymeanthatyourunyourapplicationsandservicesonacloudplatform-whetherSaaS,PaaSorIaaS.Itmeansthatyourorganizationhastakenadeepandfocusedlookatdigitaltransformationandhasdeterminedthattheplacetostartthistransformationistoleveragemulti-tenant,elasticcloudinfrastructureasthe‘deliveryplatform’.But, it alsomeans thatyourorganizationhas inherently takenonamore loosely-coupled,federated and dynamic (e.g., virtualized) application integration and delivery model. AsTechVision Research has been expounding for the past three years, loose-coupling,virtualizationandfederationarethekeysto‘thefutureofidentitymanagement’.

WehavedescribedapathtowardevaluatingcurrentIAMservicesinadigitaltransformationcontext, breaking up monolithic services into smaller components and leveraging thesecomponents toprovidemore scalable,dynamicandavailable identity services.We’vealsoprovidedsomebackgroundonvendorsthatareinvestinginIAMmicroservices.Towalkthewalk,anorganizationmustconsidertheimportanceofIAMservicesandfunctionsthat are enabled in a secure, easy-to-consume manner. In this way, as new protocols,techniques and infrastructure approaches emerge (e.g., blockchain, distributed ledgers,verified claims), and old techniques fade away the impact on the IAM infrastructure willremainminimal.Doingsoisthesurestwayto‘futureproof’yourIAMstrategy.



About TechVision World-class research requires world-class consulting analysts and our team is just that.Gainingvaluefromresearchalsomeanshavingaccesstoresearch.AllTechVisionResearchlicensesareenterpriselicenses;thismeanseveryonethatneedsaccesstocontentcanhaveit.Weknowmajortechnologyinitiativesinvolvemanydifferentskillsetsacrossanorganizationandlimitingcontenttoafewcancompromisetheeffectivenessoftheteamandthesuccessofthe initiative.Our research leveragesour team’s in-depthknowledgeaswell as their real-world consulting experience. We combine great analyst skills with real world clientexperiencestoprovideadeepandbalancedperspective.TechVisionConsultingbuildsoffourresearchwithspecificprojects tohelporganizationsbetterunderstand,architect,select,build,anddeployinfrastructuretechnologies.Ourwell-roundedexperienceandstronganalyticalskillshelpusseparatethehype fromthereality.This provides organizations with a deeper understanding of the full scope of vendorcapabilities, product life cycles, and a basis formakingmore informeddecisions.We alsosupport vendors when they carry out a product and strategy review and assessment, arequirementanalysis,atargetmarketassessment,atechnologytrendanalysis,ago-to-marketplanassessment,oragapanalysis.TechVisionUpdateswillprovideregularupdatesonthelatestdevelopmentswithrespecttotheissuesaddressedinthisreport.



About the Authors

Doug Simmonsbrings more than 25 years of experience in IT security, riskmanagement and identity and access management (IAM). He focuses on ITsecurity, risk management and IAM. Doug holds a doublemajor in ComputerScienceandBusinessAdministration.

WhileleadingconsultingatBurtonGroupfor10yearsandsecurity,andidentitymanagementconsultingatGartner for5years,Doughasperformedhundredsof engagements for largeenterprise clients in multiple vertical industries including financial services, health care,highereducation, federalandstategovernment,manufacturing,aerospace,energy,utilitiesandcriticalinfrastructure.

NickNikolshasmorethan25yearsofexperienceinthesoftwareindustry,architectingsolutionsanddevelopinginnovativeproductsforidentity,securityandcompliancemanagement,aswellasdirectoryservicesanddirectory/applicationintegration.

BeforeworkingwithTechVisionResearch,NickwasSeniorVicePresidentofProductManagementandCTOofCybersecurityatCATechnologies,wherehewasresponsibleforCA’sCybersecurityProductStrategyandRoadmap.AtCA,hewasparticularlyfocusedonmodernizingCA’sIdentity-centricSecurityportfolioandsuccessfullypromotedCA’sIdentityManagerandAccessGovernancesolutionintoaleadershippositionwithinGartner’sMagicQuadrantforIdentityGovernanceandAdministration.

GaryRowe isaseasonedtechnologyanalyst,consultant,advisor,executiveandentrepreneur.Mr.Rowehelpedarchitect,buildand sell twocompaniesandhasbeen on the forefrontthestandardization and business application of coreinfrastructure technologiesover the past35 years.Hewas President of Burton

Groupfrom1999to2010,theleadingtechnologyinfrastructureresearchandconsultingfirmthroughthesaleofBurtontoGartner.Mr.Rowehas personally led over 100 consulting engagements, 50+ educationalseminars,published over 50 research reports/articles and led three significanttechnology industryinitiatives. His combination of business skills and hisdeep understanding of technologyprovideabalancedperspective for clients.Coreareasof focus include identityandaccessmanagement, directoryintegration, cloud computing, security/risk management, digitaltransformation,ITbusinessmodelchanges,privacyandblockchain/distributedledger."



Related Reports Thefollowingreportsmightbehelpfulinyourcontinuedexplorationofthisdomain:

IdentityistheNewPerimeter

Authors: DougSimmons–ManagingDirector,Consulting/PrincipalConsultingAnalyst,NickNikols–ManagingDirector,Research/PrincipalConsultingAnalyst,GaryRowe–CEO/PrincipalConsultingAnalyst,GaryZimmerman–CMO/PrincipalConsultingAnalyst

Cloud-basedIdentityManagement

Authors: NickNikols–ManagingDirector,Research/PrincipalConsultingAnalyst,GaryRowe–CEO/PrincipalConsultingAnalyst

BankingonIdentityAuthors: DavidGoodman,D.Phil,PrincipalConsultingAnalyst

RhomaiosRam,PrincipalConsultingAnalyst

GettingtoKnowYourCustomers:TheEmergenceofCIAM

Authors: DavidGoodman,D.Phil,PrincipalConsultingAnalyst

Blockchain-basedIdentityManagement

Authors: DougSimmons–ManagingDirector,Consulting/PrincipalConsultingAnalyst

Context-basedIdentityManagementAuthors: DavidGoodman,D.Phil,PrincipalConsultingAnalyst

TheFutureofIdentityManagementAuthors: DougSimmons–ManagingDirector,Consulting/PrincipalConsultingAnalyst,

DavidGoodman,D.Phil,PrincipalConsultingAnalyst,GaryRowe–CEO/PrincipalConsultingAnalyst,BillBonney–PrincipalConsultingAnalyst

How Microservices Can Improve Your IAM Strategy 20180125 ......How Microservices Can Improve Your...

Documents

Transcript of How Microservices Can Improve Your IAM Strategy 20180125 ......How Microservices Can Improve Your...