Identity and Access Management Myths
There are often practices and ideas that are very common - and very wrong. They are used often, but they usually fail miserably. These are the IAM myths, misconceptions, antipatterns and pitfalls. Identity and access management is not a simple field, that are many obstacles and complexities to handle. Quite understandably, there are many ways to do thing incorrectly, many dead ends. Due to the complexity, the dead ends are often not very obvious. Implementation teams may spend years, only to find out that the huge invested effort was utterly pointless.
This section of the documentation documents IAM myths - for you to be able to avoid them. Each myth starts with an idea that may look good at first sight. However, it ends up in tears.
Myth | Description |
---|---|
Artificial intelligence (AI) will do it for us. It will make better decisions than we do. It is going to save us! |
|
Building homebrew identity management solution may look like a great idea, but it is not. It is complex, expensive and frustrating experience. |
|
Storing all identity data in a single directory server may look attractive. It may even work for some simple cases. However, it usually leads to a complete mess in a long run. |
|
Deploying identity management solution in one big project was a very common approach back in 2000s. Despite numerous expensive failures, this approach is still tried even today. |
|
Identity cannot fit into a project. It is a never-ending program that constantly evolves. |
|
Identity governance and administration (IGA) is not about account synchronization. It is about policies, policies for access control and business-oriented governance policies. |
|
Creating a specialized table, database view or special-purpose API in from of your identity resource as a facade may look like a great idea, aligned with software architecture best practice. However, it usually complicates things quite a bit. |
|
Creating special-purpose roles that provide basic account properties was a common practice in old IDM systems from 2000s. This complication is not necessary any more. |
|
No dataset is pefect. There are gaps and inaccuracies, which may have quite disastrous effects for IAM automation. |
|
Policy definitions may look easy. There is a simple policy language that can easily describe anything. That sounds great, but it is not true. Policy definition is hard, complex and messy endeavor. |
|
Modern identity management systems have cool APIs, just waiting to be used for variety of purposes. However, such APIs are both easy to use and easy to abuse, leading to serious headaches down the road. |
|
Role-based access control (RBAC) is a well-known static access control model - or at least it was, back in 2000s. Modern RBAC models significantly evolved the concept, bringing dynamic and policy-driven approach. |
|
Single sign-on (SSO) is the first IAM component to deploy, as it brings the most value for the users. Unfortunatelly, it also brings nightmares for deployment engineers. |
|
It is very tempting to design an universal provisioning interface, a standard way to provision accounts to any kind of system. However, it is much harder than it looks. Quite surprisingly, it is usually a very bad idea to even try. |