Legacy Identity Infrastructures are Nearing End of Life, Now What?
These practical steps will help ensure a smooth transition
End of Life (EOL) is inevitable for most products. Fans of Black Cherry Vanilla Coke will remember when it was retired in 2007!
When it comes to EOL, software is one of the most cannibalistic product categories. New versions or next-generation technologies routinely make existing products obsolete.
Unlike packaged goods, EOL software often lives on once new releases and support ends. Look no further than the Windows operating system. Millions of older computers are still running Windows XP, for example.
The following table shows an example of what an EOL timeline might look like for a hypothetical IAM vendor:
While EOL desktop operating systems can live on adequately for years, despite posing a security threat due to a lack of new patches, Identity and Access Management (IAM) systems are a totally different animal. They function as the connective tissue for enterprise IT systems. Without IAM, access to applications, data, and other resources grinds to a halt. It truly is critical infrastructure, and as such IAM migration projects are fraught with complexity and risk.
In recent years, market-leading IAM products from Oracle and Broadcom (CA Technologies) reached EOL.
With many legacy IAM platforms showing their age and lacking the ability to bridge the gap with newer cloud identity systems, organizations should be making migration plans now. Especially with the growing use of multi-cloud and hybrid cloud/on-premises infrastructures. IT modernization projects are inevitable and IAM must follow along.
Here are three practical steps that can be used to plan and control the risk associated with legacy identity migration projects.
Phase 1 – Understand Exposure
It’s only a matter of time before every organization will need to undertake identity modernization. The first step involves taking stock of what IAM products are currently deployed for on-premises and cloud resources, what functions they provide (user management, single sign-on, authentication, access control, auditing, Java/LAMP apps, Windows .Net apps, etc.) and their interdependencies.
This should include performing an inventory of apps, grouped by impact and urgency, and also by what session mechanism (i.e. cookies, headers, SAML, OIDC) is used to pass identity into an app.
Here’s a sample discovery checklist:
Only 10-15% of apps and workloads are on the cloud today, meaning most apps still need to be supported on-premises.
2020 State of the Cloud Report
Phase 2 – Plan Identity Migration
Adhere to the “slow down to speed up” mantra. This will save time in the long run. Here are some important considerations and questions to ask when evaluating modern identity solutions prior to a migration:
- Does the new IAM system have the same functionality and feature set as the one it is replacing
- What identity repository(s) will be used?
- What session mechanisms are supported, cookie, HTTP Headers, SAML, OIDC, etc.?
- How is policy management performed for controlling roles, groups, and access permissions?
- Organize apps by grouping them according to migration priority and complexity.
- Apply Agile methodology techniques to de-risk migration using small stories, rapid iterations, and test-driven development.
- Rationalize policies and groups where possible
- Implement a screening process for compromised accounts
- As much as possible, preserve the UX to reduce concerns over phishing
- Document dependencies between apps and identity software
- Map out the network topology to understand how web agents and proxies interoperate with other systems.
Phase 3 – Migrate Identities
Moving identities from a legacy to a new IAM system is a complex multi-step process. Consider using automation tools and/or consulting services to perform the following:
- Inventory the existing identity and app infrastructure – both on-prem and in the cloud.
- Map out dependencies between apps and identity including the type of session being used.
- Perform the migration of identities and policies from the legacy to the new identity system.
- Move apps to the cloud and configure them to talk with the new identity system.
- Retire legacy identity software and decommission unneeded infrastructure.
Digital transformation of business processes using the cloud is inevitable, and already well underway at most organizations. Planning a migration strategy from legacy to modern identity systems, however, has been on the back burner often due to complexity concerns. With EOL on the horizon for most leading IAM platforms, enterprises should begin preparing now if they want to perform a controlled and not a forced move to a modern identity infrastructure.