
Give Your WAM & SSO Applications a Turbo Boost


One day, combustion engines may become illegal on roads and highways. But what if you have a favorite gasoline-powered car that you love to take out for joyrides? It’s your baby — you’ve had it for well over a decade, and you’ve taken care of it like a member of the family. On warm days, you roll down the windows, open the sunroof, and take off through the back roads to soak up the sun and fresh air.

Technologies have advanced far enough that what once worked great is no longer acceptable — fossil fuels are on their way out. But you have a car that you’re committed to keeping on the road.

What if you could keep the car, but update the obsolete components? You could remove the engine and replace it with a new crate motor — an electric one that’s designed to be dropped into and integrated with an existing vehicle. Your favorite car now has new life, running on the latest technology. Not only is it cleaner, but it’s also faster and more powerful than ever before.

That’s how Identity Orchestration can take your web access management (WAM) to entirely new levels of performance.

What is web access management (WAM)?

Web access management provides integration of identity and access management for web-based applications. Usually, your WAM asks for a username and password, but it could ask for an access token, which it uses to generate a one-time password. The WAM solution then matches your authorization level to the requested resource before granting or denying access.

Some of the top WAM providers include Oracle Access Management, AccessMatrix, NetIQ Access Manager, Symantec SiteMinder, and IBM Tivoli Federated Identity Manager.

Web access management is still needed for on-premises

WAM was once at the forefront of cybersecurity technologies, but in recent years it has been unable to keep up with modern security demands. WAM was developed as a gatekeeper to either grant or deny access to an app. To get through the gate, you just need a specific key. 

Having applications behind an access manager also means using a vendor that tightly couples you to its identity provider (IdP) solution. And when you’re tightly coupled with that, you’re married to their standards, their ways of doing things, and even where you put those identities. And that’s a problem.

Identity is never in one silo, and you can never have one identity bucket to rule them all. We need a way to make WAM work in multiple identity silos — but because WAM is so tightly coupled with one IdP, it can’t provide an answer.

WAM and getting to a Zero Trust architecture

When everything was on-premises (pre-2010s), and before anyone was thinking about Zero Trust, WAM was enough to authorize and authenticate a user to view certain content. But hackers’ technologies and techniques have advanced, and now it’s necessary to base user management on the pillars of Zero Trust. 

One of those pillars is the principle of least privilege access. If a manager wants visibility into their own sales, they shouldn’t have blanket access to look at all customer information. Instead, they’re granted the least amount of access that also satisfies their legitimate need.

The other pillar is continuous authentication. In the world of Zero Trust frameworks, you need to be evaluating access and authorization during runtime, continuously. The context can change in an instant, and you need to ensure that you’re providing only the right level of user access moment to moment.

WAM was built for a single purpose: show me that you have the right key. If you have a key that works in the door, you’re in no matter what. But if you come in and you’re wearing a ski mask (i.e., you’re masking your IP), the context has changed, even if you have the right key. You need a bouncer there to make those kinds of contextual runtime decisions.
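The key-versus-bouncer contrast above, as an added example (not from the original article or any vendor's product): a static gate check beside a decision function that is re-run on every request. The field names, risk signals and thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass

# All names, signals and thresholds here are illustrative assumptions.

@dataclass(frozen=True)
class Session:
    user: str
    scopes: frozenset      # least-privilege grants, e.g. {"sales:own"}
    valid: bool = True     # the "key": token or cookie passed validation

@dataclass(frozen=True)
class Context:
    ip_anonymized: bool    # e.g. a VPN/proxy flag from a risk feed
    new_device: bool
    minutes_since_mfa: int

def wam_gate(session, required_scope):
    """Classic gate: a valid key with the right scope always gets in."""
    return session.valid and required_scope in session.scopes

def bouncer(session, required_scope, ctx, owner=None):
    """Per-request decision: 'allow', 'step_up' or 'deny'."""
    if not session.valid or required_scope not in session.scopes:
        return "deny"
    # Least privilege: an ':own' scope only covers the caller's own records.
    if required_scope.endswith(":own") and owner != session.user:
        return "deny"
    # Context can change mid-session, so it is scored on every call.
    risk = 2 * ctx.ip_anonymized + ctx.new_device + (ctx.minutes_since_mfa > 60)
    if risk >= 3:
        return "deny"
    if risk >= 1:
        return "step_up"   # ask the user to re-authenticate
    return "allow"

def demo():
    s = Session("alice", frozenset({"sales:own"}))
    calm = Context(False, False, 5)
    masked = Context(True, False, 5)        # the "ski mask"
    masked_new = Context(True, True, 5)
    return [
        wam_gate(s, "sales:own"),           # the gate never sees context
        bouncer(s, "sales:own", calm, owner="alice"),
        bouncer(s, "sales:own", masked, owner="alice"),
        bouncer(s, "sales:own", masked_new, owner="alice"),
        bouncer(s, "sales:own", calm, owner="bob"),
    ]

if __name__ == "__main__":
    print(demo())
```

The same valid session yields three different outcomes as the context changes, while the static gate returns the same answer every time.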

WAM isn’t set up for a Zero Trust architecture, and it isn’t capable of providing the protection that today’s cybersecurity demands. But, contrary to what you might think, you don’t have to scrap your access management system and completely recode it to make it work with Zero Trust.

Passwordless authentication, continuous authentication, & WAM

Identity providers like Ping and Okta are everywhere. They touch nearly every system, and to pull WAM out of your application is a non-starter. But what if you could modernize WAM without scrapping the framework? Like dropping an electric crate motor into an old car, identity orchestration can breathe new life into WAM. 

Rather than recoding your application, you can keep WAM and add modern orchestration to the mix. By bringing Identity Orchestration to WAM, you can set your application free from a locked one-to-one relationship to Ping, SiteMinder, or Azure. This gives you a vehicle to move into the future with superior technologies like passwordless authentication, risk-based decisions, and continuous authorization.

Identity Orchestration is a low-code solution. You don’t have to rewrite existing policies or apps or security postures that you’ve already created with WAM. 

What about modernizing SSO?

Single sign-on (SSO) is in a similar predicament to WAM. We still need SSO — no one wants to go through authentication every time they go to another app — but SSO alone isn’t enough. It’s another example of one-to-one connections that no longer fit the bill.

SSO is only good if you’ve authenticated the user properly, and that’s really where orchestration comes into play. Identity Orchestration can enhance SSO just as it can WAM. It lets you use passwordless authentication or bring in risk or intelligence in the same way. You can introduce modern third-party identity tools and enhance what SSO does.

So, in the same way that orchestration jump-starts WAM, it can jump-start SSO — by bringing in third-party intelligence and working with different identity silos, no matter where those silos are. And all the while you’ve only signed in once. You retain SSO, even though you’re using different systems and your identity is in many places at once.

Modernizing WAM with Identity Orchestration

WAM and SSO are the vintage modes of transportation of the IAM world. On their own, they no longer compete with today’s high-performance vehicles. But Identity Orchestration can save you the pain and toil of completely recoding your applications from scratch, helping you modernize more easily and reach Zero Trust faster.

By using an Identity Orchestration solution like Strata’s Maverics platform, you can give your old technologies new high-performing capabilities that protect your sensitive data, meeting your organization where you are today and extending the systems you already have in hand, both now and into the future.
