Product Analysis: The Identity Access Management Migration Problem

David IyinOluwa Raji
6 min read · Aug 8, 2023


Identity and Access Management (IAM) is part of the scaffolding that keeps the internet secure and convenient. IAM systems handle the management of identities online — including storage and retrieval of user data, secure user validation, password management, encryption and much more — all of which maintains secure connectivity for our many online presences. This document looks at the landscape of IAM providers and talks through some issues faced by the players, particularly issues with migration. Many players are committed to this field, and they are all competing to deliver value and security for businesses and workplace systems.

The field is highlighted by the team at G2 in the chart below:

Best Identity and Access Management (IAM) Software in 2023 | G2

Some notable competitors in the landscape are:

Small to medium sized businesses

  • ForgeRock: An IAM that provides a comprehensive product suite of IAM tools designed to eliminate the need for multiple logins while providing enhanced security for employees and consumers using a company’s online systems. Supports LDAP, SCIM, SAML, OAuth, and other protocols.
  • JumpCloud: A cloud-based directory platform that allows you to manage user identities, access, and devices across different systems and applications. It supports LDAP, RDBMS, SCIM, SAML, and other protocols.
  • HelloID: A cloud-based IAM service that simplifies user provisioning, single sign-on, self-service, and reporting. It supports LDAP, SCIM, SAML, OAuth, and other protocols.
  • OneLogin: A cloud-based single sign-on and identity management solution that connects users to various applications and systems. It supports LDAP, SCIM, SAML, OAuth, and other protocols.

Small to large/enterprise businesses

  • Secret Double Octopus: A passwordless authentication solution that uses multi-channel cryptography to secure user access to applications and resources. It supports LDAP, SCIM, SAML, OAuth, and other protocols.
  • Oracle Identity Management: A comprehensive suite of products that provides identity governance, access management, directory services, and identity analytics. It supports LDAP, SCIM, SAML, OAuth, and other protocols.
  • Microsoft Azure Active Directory: A cloud-based identity and access management service that integrates with Microsoft Office 365 and other Microsoft cloud services. It supports LDAP, SCIM, SAML, OAuth, and other protocols.
  • Okta Workforce Identity: A cloud-based identity and access management platform that enables secure and seamless access to applications and resources. It supports LDAP, SCIM, SAML, OAuth, and other protocols.
  • Ping Identity: A platform that delivers identity and access management solutions for cloud, mobile, and enterprise applications. It supports various protocols and standards, such as LDAP, SCIM, SAML, OAuth, and OpenID Connect.

One of the considerations when choosing a provider is that the transaction is an ongoing relationship, not a one-time interaction. Because of the SaaS nature of these platforms, there is a considerable time and effort cost to transition into or out of an IAM supplier relationship. This makes scalability paramount for an IAM solution: you need a solution that can grow with your application as it grows.

Data migration is certainly possible, and it’s in the best interest of each IAM solution to be able to migrate data into their platforms from other platforms.

Migration Considerations and timelines

General migration considerations are the type and volume of data, the compatibility and security of the systems, the downtime and disruption of the services, the cost and time of the project, and the quality and accuracy of the results. You will also need to evaluate different tools and methods. According to the Ubisecure documentation, the main migration options are big bang migration and trickle migration; other options are parallel migration, hybrid migration and online migration. Each method has its pros and cons, and each can succeed depending on the needs of the situation.

Big bang migration requires heavy planning beforehand, with a high onus on the change management team to prepare the tooling and systems. The actual migration is short, from a few hours to a few weeks at most, to minimize disruption to the system. That said, because of the intensity of a big bang migration, users are disrupted during the migration itself, with minimal disruption before and after. This is best for small, flexible systems that can tolerate reduced reliability for a short time.

Trickle migration is a more flexible approach for large migrations: the data is moved incrementally while minimizing downtime to the system. The migration takes longer than a big bang, but the system can be kept running while the migration is ongoing. This method needs less lead time before starting, but it does require rigorous, continuous testing to avoid synchronization problems between the old and new systems while the migration is underway.

Oracle's own documentation describes a trickle migration method used for an upgrade to its identity service. The new platform was first offered in full to new customers in 2021 but was not yet applied to existing tenants, whose roll-out followed over just a few months: Migrating to OCI IAM: What Oracle IDCS customers need to know.

Okta Example

As a case study in data migration for a SaaS IAM system, we can look at what is available when migrating to Okta. Depending on your source system, the type and volume of data, and your migration goals, there are different options, including:

  • Okta User Migration Guide: This is a white paper that gives you an overview of the best practices and considerations for migrating user data to Okta.
  • Okta Users API and Okta Groups API: These are RESTful APIs that allow you to create, update, delete, and query users and groups in Okta programmatically. You can use these APIs to perform a bulk or an incremental migration, including credentials, from a source system such as a database or a CSV file.
  • Okta Inline Password Hook: This is a feature that allows you to migrate user passwords from another system to Okta without requiring users to reset their passwords. It works by intercepting user sign-in requests and verifying their passwords against the source system. If the password is valid, it is stored in Okta and the user is authenticated.
  • Okta Directory Integrations: These are pre-built connectors that allow you to integrate Okta with various directory services such as Active Directory, LDAP, Workday, Google Cloud Directory Sync, and more. You can use these connectors to synchronize user data between Okta and the directory service bi-directionally or uni-directionally.
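The inline password hook described above is a small HTTP endpoint that you host: Okta calls it at sign-in with the username and password the user just typed, your code checks them against the legacy store, and the response tells Okta whether to accept the password and store it. The handler below is an added example, not code from the article or from Okta. The legacy credential store, the shared secret and the user record are constructed test data; the request shape (`data.context.credential.username` / `.password`) and the `com.okta.action.update` / `credential: VERIFIED|UNVERIFIED` response command follow Okta's documented password import hook as I remember it, so treat those field names as an assumption to confirm against the current docs. Two checks a practitioner would want are included: the hook first verifies the authentication header configured on the hook in Okta, so only Okta can drive the legacy verifier, and unknown usernames still pay the full hash cost, so response time does not reveal which accounts exist in the old system.

```python
"""Legacy-password verifier behind an Okta-style password import inline hook (added example)."""
import hashlib
import hmac
import os
from typing import Any

# Cost parameter of the constructed legacy store. Lower than a production
# setting so the example runs quickly; the verifier reads it from each record.
PBKDF2_ITERATIONS = 200_000

# Header name and shared secret configured on the hook in Okta (assumption:
# both values are whatever you set when registering the hook; in real use the
# secret comes from a secret store, not a constant).
HOOK_AUTH_HEADER = "Authorization"
HOOK_SHARED_SECRET = "constructed-hook-secret-not-for-real-use"


def _pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


# Constructed legacy credential store: username -> salted PBKDF2 record.
LEGACY_STORE: dict[str, dict[str, Any]] = {}


def _seed_legacy_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    LEGACY_STORE[username] = {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "hash": _pbkdf2(password, salt, PBKDF2_ITERATIONS),
    }


_seed_legacy_user("ada@example.test", "correct horse battery staple")

# Salt used for the decoy computation on unknown usernames.
_DUMMY_SALT = os.urandom(16)


def verify_legacy_password(username: str, password: str) -> bool:
    """True only if the password matches the legacy record for this username."""
    record = LEGACY_STORE.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so the hook's
        # response time does not reveal which usernames exist.
        _pbkdf2(password, _DUMMY_SALT, PBKDF2_ITERATIONS)
        return False
    candidate = _pbkdf2(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def hook_request_is_authentic(headers: dict[str, str]) -> bool:
    """Check the shared-secret header Okta sends with every hook call."""
    presented = headers.get(HOOK_AUTH_HEADER, "")
    return hmac.compare_digest(presented.encode("utf-8"), HOOK_SHARED_SECRET.encode("utf-8"))


def handle_password_import_hook(headers: dict[str, str], body: Any) -> tuple[int, dict]:
    """Return (http_status, json_response) for one hook call."""
    if not hook_request_is_authentic(headers):
        return 401, {"error": "unauthenticated hook call"}
    try:
        credential = body["data"]["context"]["credential"]
        username, password = credential["username"], credential["password"]
    except (KeyError, TypeError):
        return 400, {"error": "malformed hook payload"}
    status = "VERIFIED" if verify_legacy_password(username, password) else "UNVERIFIED"
    # Okta stores the password on VERIFIED and stops calling the hook for this user.
    return 200, {"commands": [{"type": "com.okta.action.update", "value": {"credential": status}}]}


def example_request(username: str, password: str) -> dict:
    """Build a constructed hook payload in the shape described above."""
    return {"data": {"context": {"credential": {"username": username, "password": password}}}}


if __name__ == "__main__":
    headers = {HOOK_AUTH_HEADER: HOOK_SHARED_SECRET}
    print(handle_password_import_hook(headers, example_request("ada@example.test", "correct horse battery staple")))
    print(handle_password_import_hook(headers, example_request("ada@example.test", "wrong")))
```

Because the hook hands a cleartext password to your endpoint, the endpoint must be reachable only over TLS and should log the decision (user, VERIFIED/UNVERIFIED, timestamp) but never the password; once the migration window closes, disable the hook and decommission the legacy store.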

Product Manager Recommendations for IAM Service Providers

For any product recommendation, I caveat that first and foremost a PM should listen to the needs and priorities of their customers. From the outside in, the IAM industry puts a high value on customer care and uptime. Reliability and security are the north stars in this industry, as trust is a virtue that takes a long time to build and a short time to lose. This matters for the general upkeep of the service, but it is especially vital during a customer's migration.

During migrations for smaller clients, building well-tested, integrated toolkits is important. Such a toolkit can encompass techniques such as data replication, change data capture or event sourcing, and can support a quick big bang migration with redundancy and restore points built in. For larger systems, an integration of toolkits and dedicated best-practice documentation will likely be needed for a trickle migration plan or a combination plan. The combination refers to a series of big bang migrations that merge systems one at a time, depending on the microservice architecture. This includes white papers, but also custom tooling for the enterprise customer's use case, to make sure that key reliability-critical information is migrated effectively. This is especially important for avoiding data consistency issues in a large system while not sharing data stores across microservices.
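The synchronization problem raised in the trickle migration section, and the change data capture and restore-point techniques recommended here, come down to one question the migration team has to be able to answer at any moment: does the new tenant agree with the legacy directory, and if not, where? The script below is an added example, not code from the article or from any IAM vendor. It reconciles two constructed directory snapshots keyed by a stable user id, reports users missing from the new system, records that have gone stale because the legacy side changed after the initial copy, and users that exist only in the new tenant (created there directly during the migration window), then replays a constructed stream of change data capture events with a sequence cursor so a duplicate delivery is skipped rather than applied twice. Field names, ids and the event format are all assumptions chosen for the example.

```python
"""Reconciling a legacy directory with the new IAM tenant during a trickle migration (added example)."""
import copy
from typing import Any

# Attributes that must agree between the two systems once a user is migrated.
COMPARE_FIELDS = ("email", "display_name", "groups", "status")

# Constructed snapshot of the legacy (authoritative) directory. Records are
# keyed by a stable user id that survives migration; email is a poor key
# because it can change while the migration is in flight.
LEGACY_USERS: dict[str, dict[str, Any]] = {
    "u-1001": {"email": "ada@example.test", "display_name": "Ada L.", "groups": ["eng"], "status": "ACTIVE"},
    "u-1002": {"email": "bob@example.test", "display_name": "Robert K.", "groups": ["sales"], "status": "ACTIVE"},
    "u-1003": {"email": "cy@example.test", "display_name": "Cy M.", "groups": ["eng", "ops"], "status": "SUSPENDED"},
}

# Constructed snapshot of the new tenant part-way through the migration:
# u-1002 was renamed in legacy after the initial copy, u-1003 has not been
# copied yet, and u-9999 was created directly in the new tenant.
NEW_USERS: dict[str, dict[str, Any]] = {
    "u-1001": {"email": "ada@example.test", "display_name": "Ada L.", "groups": ["eng"], "status": "ACTIVE"},
    "u-1002": {"email": "bob@example.test", "display_name": "Bob K.", "groups": ["sales"], "status": "ACTIVE"},
    "u-9999": {"email": "tmp@example.test", "display_name": "Temp Admin", "groups": ["admins"], "status": "ACTIVE"},
}

# Constructed change-data-capture stream from the legacy side. Event seq 1 is
# delivered twice, which at-least-once delivery will do in practice.
CHANGE_EVENTS = [
    {"seq": 1, "op": "upsert", "id": "u-1002", "fields": {"display_name": "Robert K."}},
    {"seq": 2, "op": "upsert", "id": "u-1003", "fields": LEGACY_USERS["u-1003"]},
    {"seq": 1, "op": "upsert", "id": "u-1002", "fields": {"display_name": "Robert K."}},
]


def diff_directories(legacy: dict, new: dict, fields=COMPARE_FIELDS) -> dict:
    """Report drift between the authoritative legacy store and the new tenant."""
    report: dict[str, Any] = {"missing_in_new": [], "orphaned_in_new": [], "stale": {}}
    for uid, record in legacy.items():
        if uid not in new:
            report["missing_in_new"].append(uid)
            continue
        changed = {f: (record.get(f), new[uid].get(f)) for f in fields if record.get(f) != new[uid].get(f)}
        if changed:
            report["stale"][uid] = changed
    report["missing_in_new"].sort()
    # Users only the new tenant knows about need a human decision, not an automatic delete.
    report["orphaned_in_new"] = sorted(uid for uid in new if uid not in legacy)
    return report


def apply_change_events(new: dict, events: list[dict], cursor: int = 0) -> int:
    """Apply events with seq > cursor in order; returns the new cursor.

    Keeping the cursor (in durable storage in real use) makes replay safe and
    gives you a restore point: re-run from the last good cursor after a failure.
    """
    for event in sorted(events, key=lambda e: e["seq"]):
        if event["seq"] <= cursor:
            continue  # duplicate or already-applied delivery
        uid = event["id"]
        if event["op"] == "upsert":
            new[uid] = {**new.get(uid, {}), **event["fields"]}
        elif event["op"] == "delete":
            new.pop(uid, None)
        else:
            raise ValueError(f"unknown op {event['op']!r} at seq {event['seq']}")
        cursor = event["seq"]
    return cursor


def run_reconciliation() -> tuple[dict, dict, int]:
    """Diff, replay the CDC stream, diff again; works on a copy of the snapshot."""
    new = copy.deepcopy(NEW_USERS)
    before = diff_directories(LEGACY_USERS, new)
    cursor = apply_change_events(new, CHANGE_EVENTS)
    after = diff_directories(LEGACY_USERS, new)
    return before, after, cursor


if __name__ == "__main__":
    before, after, cursor = run_reconciliation()
    print("before:", before)
    print("after :", after, "cursor:", cursor)
```

Run it on every sync cycle and alert when `stale` or `missing_in_new` is non-empty for longer than one replication interval; `orphaned_in_new` is the list to review by hand before cut-over, since an account that only exists in the new tenant is either a legitimate new joiner or an unauthorized creation.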

As we move towards more decentralized lives, IAM systems will only continue to grow in importance. As solutions scale and offerings change across the many providers, migration will remain a pain-point for customers looking to maximize value. Understanding and solving for this pain point will transform these necessary hurdles to opportunities for the right provider.

Written by David IyinOluwa Raji

Hello! Welcome to the place I occasionally write about software products. For my book reviews check thismonthsbook.com. Thanks :)