Managing IAM middleware


There are a lot of different jobs in IT.

My first few positions were in software development. Then networking and infrastructure, and a bit later on, along-side security teams. When I was introduced to IAM in 2003 (then called ‘authentication and authorization’) it was so new there wasn’t a nice, tidy category for it. A few years later, I noticed Oracle had put IAM in a ‘middleware’ bucket so I guess that’s how we’ll refer to it — even if Wikipedia describes middleware a bit differently.

Implementing IAM middleware isn’t an overly natural thing to do. It isn’t the same as the standard application development, server rack upgrade or firewall install. So it can be useful to consider IAM projects and operations in comparison to these three common IT activities:

  • Software Development — Like application development, IAM has to consider user requirements including usability, attributes and business rules for data. BUT developing a single system is far easier than implementing IAM. There are more system integration points — it is middleware — making it technically more difficult. For a project manager, IAM also has more project teams to coordinate. For example, I’m currently working on a provisioning initiative that has five technical delivery teams and spans two large organizations.
  • Infrastructure — IAM typically (if not always) involves a directory, and directories, notably Microsoft AD implementations, are paired with operating systems. Infrastructure changes to these operating systems impact IAM and vice-versa. The big difference between IAM and infrastructure projects is that IAM middleware requires tailored configurations and/or custom software components. In a large organization, standard infrastructure (or infrastructure services) can meet their needs. IAM is not so standardized as the management of identity is more closely tied to business needs and strategy. Assuming
  • Information Security — Protecting privacy and access to information is part of both the IAM and security worlds, and IAM is often described as a sub-set of information security. But IAM is about letting people in and the remainder of info sec is about stopping access… Implementing IAM requires an understanding of these two different views in order to create solutions that meet compliance requirements while still meeting user needs for access.

Managing IAM middleware well is the goal and understanding the differences between IAM and traditional IT practice areas is key to successful projects.




Author: code

Mike Waddingham is an identity management consultant with over 30 years of industry experience. He is the owner of Code Technology Corp.