Maintenance – the vital defense longtail of any IAM solution

Increasing IAM complexity

The need for effective Identity Access Management (IAM) has never been greater, whether for humans trying to log in via a frontend client or machine-to-machine identities. And, with such a broad spectrum of gateways, APIs, SOAP interfaces, direct point-to-point integrations, or other transfer protocols, the challenge of authenticating identities and authorizing access is increasingly complex.

Cloud and the hybrid workplace

On top of this new developments and trends in IT add additional challenges, such as the migration to the cloud that many organizations have undertaken, some fully, while many have a hybrid architecture of apps, services, and servers. Another major challenge is catering for the new hybrid work policies at many organizations following the pandemic. Where users previously came to work, logged into the company network, and accessed systems, services and programs in a gated environment, working from home adds considerable complexity, particularly when staff access sensitive data. The opening up of organizations in this way has led to a significant rise in the use of APIs.

Fortifying the organization with IAM

One such tool to facilitate this is the Curity Identity Server, for which Ductus is an official service partner. Typically, we help customers deploy the solution, configure the identity server and authentication flows, and maintain the system – a critical requirement in the fortification of an organization, but something that can be easily underestimated or troublesome to manage inhouse.

Solution deployment

Not surprisingly, much focus is put into deploying a solution and configuring the setup. This includes everything the deployment of the Identity Server through to securing firewall endpoints, defining load balancer requirements, and connecting servers containing certificates and databases housing identity tokens. Standard cybersecurity procedures, including penetration testing and common exposure (CVE) classification and scoring, are also a key part of the process. All this must be done, and stress tested multiple times prior to launch. Obviously, depending on the industry, the level of complexity differs. A bank requires configuration to external authentication services such as BankID. In contrast, the level of certificate-based external communication between servers (and indeed regulatory requirements) will be far lower in an organization with only its staff accessing information.

Maintenance – key to a strong defense

As skilled a job as it is to deploy and configure an IAM solution, maintaining and monitoring it requires an equal skillset, even if it’s not as time-consuming. It typically involves upgrading the security platform and the different IAM and cybersecurity components, including the gateway and load balancer. Databases must also be cleaned up, maintained, and upgraded. Monitoring the system is vital. For instance, a burst of failed authentications can signify an attempted hacking attack or some other services like an external Bank identity server being down – which end customers must be informed about.

Maintenance skillsets

To manage the maintenance of an IAM system such as the Curity Identity Server, you have to know and work with OAuth and OpenID Connect. You may need to ensure regulatory frameworks such as PSD2 are met. You have to understand how to set up a server and network and be able to manage Java-based security products running on Linux servers. It’s a niche role, but not a full-time one, which can make it difficult to find and retain people with those skill sets – a risk many organizations don’t want to take.

Why outsourcing works

Outsourcing maintenance removes the headache of finding and keeping people with the required talents or relying on one person to handle the maintenance when they have other responsibilities to focus on. You also get experts with IAM experience from different industries, where they can apply best practices to your solution. Additionally, you can be assured the experts keep up with the latest regulations, releases, and trends in the field – sharing them with your IT security team.

If IAM maintenance is falling down the priority list for your IT security team, you could be lowering your defenses. Outsourcing it today will ensure it’s prioritized tomorrow and every day moving forward. We have clients throughout Sweden and across the globe who outsource their IAM maintenance with Ductus. Let’s discuss how we can help you.

Anders Essner

Phone: +46 (70) 513 56 19