As your organization undergoes its digital transformation, you'll want to include your identity and access management (IAM) systems among the systems that get migrated to the cloud. However, there are certain challenges that you'll need to consider before, during and after your cloud migration.
The benefits of moving your IAM to the cloud
For most organizations, there are clear benefits in moving IAM systems to the cloud. Not only should total cost of ownership be reduced as staffers spend less time on maintaining data-center infrastructure, but identity-based applications should work more smoothly for staffers and customers alike.
"There's an increased demand in the customer-identity use case, i.e., customers who can quickly log in and sign out of smooth experiences as they can on Netflix or Amazon," said Yev Koup, a senior product marketing manager at Ping Identity. "Other companies want as smooth and convenient an experience for their own customers."
Koup also sees a trend toward greater demand for smooth and easy integration in the IT space, where IAM systems must work well with other applications and technologies.
Factors to consider before you begin your cloud migration
That said, should you move your IAM systems to the cloud? There are several issues to consider before you even decide to begin your cloud migration.
- You need to inventory and map out all your IAM assets. How many different systems do your staffers or customers need to log into? Where is that data stored? Are you using a single-sign-on (SSO) solution?
- Will there be compatibility and dependency issues after these assets are moved to the cloud? Will data flows need to be remapped?
- Are there some IAM systems that should not move to the cloud? Some systems require high throughput and low latency and might be best left on-premises. You also might not want to move mission-critical systems or databases that contain trade secrets or proprietary data, which includes IAM systems for some types of organizations.
"Financial institutions often don't want their data happening in the cloud," Koup said. "They want to be first rescuers if something goes wrong, and they have teams that are very capable of doing this. Governments also often want to keep things on-premises."
- Are there compliance issues concerning the geographic location of your customers' personal data? For example, Koup pointed out that Canadian residents' data is required to stay in Canada.
- Will your organization save money by migrating IAM to the cloud? You may have long-term software-licensing and service contracts or may have recently invested in database hardware. You also need to factor in the cost of retraining and reassigning staffers whose responsibilities will change after migration.
- Consider working with an experienced outside company to help smooth the migration process.
"Usually for larger organizations, this is a big project," Koup told us. "They need a process and a migration path and plan. Companies like Ping can help. Partially it's a fear of the unknown — it helps to get a partner involved."
Decisions to make before and during cloud migration
Once your company has weighed all those factors and decided to migrate its IAM systems to the cloud, then there are other decisions to make before the migration begins.
- Do you want to use the "public" cloud, aka Amazon Web Services, Microsoft Azure and the like? Or maybe a "private" cloud in which the infrastructure is under your organization's total control, despite the higher cost? Would a hybrid public-private model work best?
- You need to determine how the data will be migrated. Will transmission through the internet be fast enough -- and secure enough? Or would it be better to send hard drives and tapes to the data center on the back of a guarded truck? As low-tech as the latter option sounds, it may be faster.
"Security's generally a little bit higher when you're in the cloud, even though you are relying on a third-party vendor," said Koup. "There are risks, but the risks of being in the cloud are lower than if you have to manage the configuration on your own premises."
- You may want to consider an identity-orchestration solution to smooth and simplify the process.
"The nice thing about orchestration is that as things continue to change for the business, you can update back-end components a lot quicker and on the fly," Koup told us, adding that Ping's own Da Vinci orchestration software "lets you preview and see end-user experience before you deploy."
- This may sound counterintuitive, but you also need to craft a cloud-exit strategy in case the cloud migration doesn't work out. So don't auction off those data-center servers right away.
After the migration process begins, do it the right way:
- Don't migrate your systems too fast. Do them incrementally and perform A/B testing after every step to make sure everything is still working as it should.
- Wait a bit before switching staffers and customers over to the cloud systems. As with the data migration, it's better to slowly switch over different systems one by one than everything at once.
"Work closely with your identity or cloud providers," said Koup. "Phase in applications slowly and work with the vendor's professional services team. It costs more to do it this way, but it will be a smoother process."
Post-migration issues that may arise
There are also challenges that may not present themselves until after the IAM cloud migration is complete. You need to prepare yourself for the possibility that:
- The total cost of keeping your IAM data in the cloud might end up being more than you anticipated. Be prepared to encounter unforeseen expenses.
- Your applications might not work as well post-migration and might have compatibility issues with the cloud environment. Despite all your planning, there will likely be a few surprises.
- You may have underestimated your technical requirements and might need to add more storage, memory or data throughput to your IAM cloud instance.
- If the data flows and IAM interfaces change substantially, then employees beyond IT staffers might need retraining to adapt.
Despite all these potential pitfalls, Ping Identity's Koup thinks it's well worth moving IAM systems to the cloud.
"You'll get greater scalability and resiliency," he told us. "There will be a lot less behind-the-scenes work to integrate new functions and features, which will improve your total cost of ownership. You may pay higher licensing fees [for your IAM solution], but you'll have less expenditure on manpower or infrastructure or scaling."