Action at Authenticate: the four components of modern identity

Ian Glazer outlines a framework for understanding the architecture of modern IAM systems.

Erik Gustavson
October 29, 2024

At the recent Authenticate conference, Ian Glazer delivered a thought-provoking session that challenged conventional thinking about identity and access management (IAM) architectures. In his talk, he outlined a framework for understanding the architecture of modern IAM systems, emphasizing that the identity market has evolved far beyond its traditional boundaries. This framework breaks down identity systems into four essential components—Policy, Orchestration, Execution, and Data—and introduces the importance of understanding how these components function across different time phases: admin-time, run-time, and event-time.

The four components of modern identity systems

How do Policy, Orchestration, Execution, and Data come together to build a resilient and adaptive identity architecture? It’s all about shaping a comprehensive identity strategy that meets the evolving needs of modern enterprises and recognizes that identity cannot be a silo. Below we look at how each component contributes to a cohesive and secure IAM system, and why each matters for organizations looking to stay ahead in the digital identity space.

Policy

Policies are the rules that govern access and identity decisions. These rules can be created manually or automated, but they must be maintained, understood, and actionable. A key challenge in the policy layer is ensuring that policies are both understandable and effective, which can involve visualization tools and even conversational design. This makes it easier to translate policy into actionable steps, allowing for a more intuitive approach to identity governance.

As policies become more complex, it is essential to regularly review their impact and adjust them to align with changing business needs.

Orchestration

Orchestration involves coordinating the various identity services and systems to work together seamlessly. The orchestration needs to take into account a 10-year replacement cycle for the systems in question, offering new capabilities to older systems as business needs evolve.

The concept of an identity fabric—a confederacy of specialized, fit-for-purpose services—emerges from this orchestration. Successful orchestration requires a unified system of bookkeeping that tracks identity events across systems, from ticket creation to policy evaluation and provisioning. These records are critical for more than just IAM services; think of the value to cybersecurity!

Beyond coordination, orchestration also enhances security by providing visibility into how identity components interact. This unified approach ensures consistency and accountability throughout the identity lifecycle.

Execution

The execution layer is where identity management happens in practice. It includes functions like Single Sign-On (SSO), federation, and other standards-based protocols that facilitate secure access.

While standards are foundational to the execution layer, they often require careful implementation to balance security and usability. Standards, while critical for interoperability, are not always easy to understand and implement. This layer is where the “heavy lifting” occurs, providing the necessary infrastructure for user authentication, authorization, and access management.

The execution layer’s role in the architecture is to ensure that policies and orchestration directives are carried out accurately and securely.

Data

Historically, data has been treated as an afterthought in IAM systems, often limited to the immediate needs of the execution layer. We’ve taken to calling it “data exhaust” for a reason. However, as the industry shifts towards higher data volumes and speeds, there is a growing need for a more comprehensive data strategy.

Ian pointed out the emergence of the “identity data lake”—a centralized repository for identity data that enables more sophisticated analytics and insights. While some organizations have implemented these data lakes, the process has been costly and complex.

A robust data layer allows for better understanding of user behavior and identity patterns, enabling organizations to refine policies and improve security measures. As more organizations move towards an identity data lake model, the potential for real-time analytics and actionable insights grows.

Understanding the time of use in IAM: admin-time, run-time, and event-time

Beyond the four core components, Ian emphasized the importance of considering the time of use in identity systems. He introduced three key phases: admin-time, run-time, and event-time. Each phase groups functionalities and influences how organizations should plan for upgrades and replacements.

  • Admin-time: This refers to the period when administrators configure and adjust identity settings, such as setting up policies or creating user roles.
  • Run-time: This is when the identity system operates under regular conditions, handling tasks like authenticating users and managing access according to defined policies.
  • Event-time: This phase is crucial for handling changes or exceptions in real-time, such as adapting access controls based on new information or security incidents. SGNL sees strong value in the event-time layer, where its solutions can dynamically adjust permissions as conditions change, ensuring that access remains tightly controlled even during unexpected events.
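To make the three phases concrete, here is a small added example (not from Ian Glazer’s talk or any SGNL product) of one identity fabric in code: the policy is authored at admin-time, access requests are decided at run-time, and an event-time signal re-evaluates live sessions and revokes those that no longer satisfy policy. Every decision is written to a single ledger, the “unified system of bookkeeping” the Orchestration section describes. The policy, role, resource and risk values are constructed for illustration.

```python
from dataclasses import dataclass, field

# Admin-time: the policy is authored and stored. Constructed example: a role
# grants access to named resources only while the principal's risk is "low".
POLICY = {
    "finance-analyst": {"resources": {"ledger-db", "reports"}, "max_risk": "low"},
}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Principal:
    name: str
    roles: set
    risk: str = "low"


@dataclass
class Fabric:
    policy: dict
    sessions: dict = field(default_factory=dict)  # (user, resource) -> Principal
    ledger: list = field(default_factory=list)    # bookkeeping across all phases

    def _record(self, phase, **facts):
        self.ledger.append({"phase": phase, **facts})

    def permitted(self, p, resource):
        # Policy evaluation: some held role must cover the resource and the
        # principal's current risk must not exceed the role's ceiling.
        return any(resource in self.policy[r]["resources"]
                   and RISK_ORDER[p.risk] <= RISK_ORDER[self.policy[r]["max_risk"]]
                   for r in p.roles if r in self.policy)

    def authorize(self, p, resource):
        # Run-time: an access request is decided against policy and logged.
        ok = self.permitted(p, resource)
        if ok:
            self.sessions[(p.name, resource)] = p
        self._record("run-time", user=p.name, resource=resource, decision=ok)
        return ok

    def on_event(self, user, new_risk):
        # Event-time: a new signal (constructed here as a risk change) alters
        # the facts, so every live session for that user is re-evaluated and
        # revoked where policy no longer holds. Returns the revoked resources.
        revoked = []
        for (u, res), p in list(self.sessions.items()):
            if u == user:
                p.risk = new_risk
                if not self.permitted(p, res):
                    del self.sessions[(u, res)]
                    revoked.append(res)
        self._record("event-time", user=user, new_risk=new_risk, revoked=sorted(revoked))
        return sorted(revoked)
```

The ledger is the data layer’s raw material: it records what was decided, when, and under which phase, which is exactly what a downstream analytics or detection pipeline would consume.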

By analyzing these phases alongside the four components of identity architecture, organizations can better understand their current identity landscape and identify opportunities for improvement. Evaluating replacement cycles, determining time-of-use relevance, and mapping each component’s capabilities can reveal gaps and areas where new solutions like those from SGNL can offer a significant advantage.

Why this new approach matters for enterprises

Ian Glazer’s framework offers a practical way for enterprises to reimagine their IAM architecture. It shifts the focus from isolated identity functions to a holistic system that integrates policies, orchestration, execution, and data. This shift is especially important as organizations seek to balance security with agility in a rapidly changing digital environment.

SGNL’s role as a partner in the event-time layer aligns perfectly with this new way of thinking. By leveraging SGNL’s expertise in dynamically adjusting access during real-time events, organizations can enhance their overall identity strategy and stay ahead of emerging threats. This approach not only helps organizations improve their security posture but also ensures that identity systems remain adaptable and future-proof.

As Ian Glazer continues to share his thoughts in his latest blog series, it will be valuable to follow his insights and explore how this modern architecture can transform identity management. For those who missed his session, his first couple of blog posts in the series are already available here. This evolving perspective on identity architecture is sure to shape the next generation of IAM solutions, and SGNL is excited to be part of this journey.
