It doesn’t matter what you call it; the question is, does it work?
Directory. Database. Hub. Warehouse. Lake. Lakehouse. Fabric. Mesh. No matter what you call it, organizations need a central repository for data that can drive other “things” in their organization. In the world of identity, it drives access, authorization, governance, and security—it also supports strategic initiatives like digital transformation, cloud migration, IT modernization, Zero Trust, M&A, and more.
These days we’re seeing a key trend among our customers in their journey to enhance access control, and in particular in how they approach their challenges around identity data and identity governance and administration (IGA) processes.
The trend is a move to a more systematic, strategic model to simultaneously support multiple functions of identity management (like IAM, IGA, PAM), based on a central identity repository containing “good” identity data. We are hearing this component called by MANY names, including but not limited to: Identity Warehouse, virtual directory, entitlement catalog, master user record, enterprise identity data bus, information point, attribute store, identity registry, identity metadata hub, identity exchange, single source of truth, identity lake… and more.
The challenge is that historically, identity stores have been (and still are) built with a specific function in mind: they hold a portion of the identity profile in a particular format and aren’t easily extensible—they are not meant to be “everything to everyone.” Designing a system that checks every box for every system that needs access to identity data is very difficult, and it requires a set of capabilities that don’t come out of the box with most solutions.
That traditional approach is in contrast to the RadiantOne Platform’s role of unifying information from these different types of sources together to serve many functions. With RadiantOne in place, our customers can build an actionable data source to enable common access and governance models, to increase efficiency, deliver faster time-to-value for applications and services, and of course, better security.
One of the ways the idea of a central identity system is increasingly being articulated is with the concept of an “Identity Warehouse,” so let’s look at what that means, and what functions and capabilities we think it should deliver…
What is an Identity Warehouse?
An Identity Warehouse should be a comprehensive, always-available, always-up-to-date “source of truth” (pardon the cliché!) for all identity data in the enterprise. Maybe the idea of an “Identity Warehouse” has gotten a bad rap in your organization because it proved unsupportable and not extensible, and didn’t deliver the value it originally promised? That could be because the total scope of an ideal warehouse implementation was not fully planned out.
Some questions to consider: What kind of information does an Identity Warehouse need to store and make accessible? Entitlement information like roles and groups, yes, but also other profile information—location, phone numbers, department, and other attributes should be kept in a “warehouse.” Or, for an even more cutting-edge use case, what about related information that may be outside the “traditional” realm of identity? In the world of insurance, for example, we have customers who pull identity-adjacent data like claims and billing information into the user profile to deliver their customers a more streamlined experience.
The Identity Warehouse needs to be more than a static source of entitlements; it needs to be real-time-accessible for making split-second access decisions; offer advanced integration, reconciliation, mapping and transformation tools; and ensure data quality and freshness with near real-time synchronization.
Analysts recognize this requirement: in his paper “The Role of Identity for Zero Trust” Martin Kuppinger, Founder and Principal Analyst of KuppingerCole Analysts writes:
“Common IGA solutions fail in the ability to federate information from various sources at real-time, and they commonly lack the depth of data integration and quality capabilities required for the Zero Trust use cases.”
There are many use cases, like Zero Trust, that require a common, attribute-rich identity source powering multiple “upstream” systems, enabling them to work in concert to deliver data-driven security.
Why IGA isn’t Sufficient for Building the Identity Warehouse
As anyone who has ever tried already knows, it’s not so easy to build that centralized repository (Identity Warehouse)—and usually involves the labor of a team of developers. Even then, this project often fails to return on its investment for several reasons. These custom solutions are:
- Not extensible (this leads to the creation of yet more identity silos)
- Not accessible at speeds required for making real-time access decisions (authentication, authorization)
- Lacking integration capabilities including de-duplication and the ability to create a central, complete profile for each user identity
- Lacking advanced, near-real-time synchronization (over-reliance on ETL and batch, hours-long or overnight synchronization processes), so data may be out-of-date and inconsistent, which is not ideal for an access scenario
- Not able to integrate “nonstandard” systems like custom databases
- Without tools for handling and automating groups (don’t underestimate the value of this capability, as groups management is a major pain point and an area where much can be done to automate and reduce administrative burden)
These shortcomings often result in a lengthened timeline for implementing IGA solutions and extra maintenance work as time goes on—a frustration we see a lot with customers who end up turning to Radiant mid-project when the deployment keeps meeting roadblock after roadblock.
A functional Identity Warehouse needs to be able to do a lot of “niche” tasks like managing six different versions of the attribute “telephone number” because it’s stored in differently formatted silos in the organization, and every consuming application expects its own particular version—but an IGA solution isn’t built for that.
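As an added illustration (example code written for this post, not Radiant Logic’s or the RadiantOne platform’s own implementation), the following shows the two requirements above in miniature: correlating one person’s records from several silos into a single, complete profile, and serving the same “telephone number” attribute back in whatever format each consuming application expects. The silo names, attribute mappings, sample records and the +1 default country code are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not real people): three silos storing the same person under different names and formats.
HR = [{"employeeId": "E100", "workEmail": "Ann.Lee@example.com", "phone": "(415) 555-0100", "dept": "Finance"}]
AD = [{"sAMAccountName": "alee", "mail": "ann.lee@example.com", "telephoneNumber": "+1 415 555 0100"}]
CRM = [{"contact_email": "ANN.LEE@EXAMPLE.COM", "tel": "415.555.0199"}]

# Assumed per-silo mapping from source attribute name to one canonical schema.
MAPPINGS = {"hr": {"workEmail": "mail", "phone": "telephoneNumber", "dept": "department"},
            "ad": {"mail": "mail", "telephoneNumber": "telephoneNumber", "sAMAccountName": "uid"},
            "crm": {"contact_email": "mail", "tel": "telephoneNumber"}}

def normalize_phone(raw):
    # Canonical form is E.164; a bare 10-digit number is assumed North American (+1).
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    if len(digits) != 11 or digits[0] != "1":
        raise ValueError(f"unrecognised phone format: {raw!r}")
    return "+" + digits

NORMALIZERS = {"mail": str.lower, "telephoneNumber": normalize_phone}
def canonicalize(source, record):
    # Rename to the canonical schema and normalise values; attributes with no mapping are dropped.
    return {MAPPINGS[source][a]: NORMALIZERS.get(MAPPINGS[source][a], lambda v: v)(v)
            for a, v in record.items() if a in MAPPINGS[source]}

def correlate(sources):
    # Join silos on normalised mail into one profile per person; first silo wins, later disagreements are recorded.
    profiles = defaultdict(lambda: {"sources": [], "conflicts": []})
    for source, records in sources.items():
        for rec in records:
            canon = canonicalize(source, rec)
            p = profiles[canon["mail"]]
            p["sources"].append(source)
            for attr, value in canon.items():
                if attr in p and p[attr] != value:
                    p["conflicts"].append((attr, source, value))
                p.setdefault(attr, value)
    return dict(profiles)

# Each consuming application gets the one phone rendering it expects.
PHONE_VIEWS = {"e164": lambda n: n, "digits": lambda n: n[1:],
               "national": lambda n: f"({n[2:5]}) {n[5:8]}-{n[8:]}"}
def view_for(profile, consumer):
    # Project the unified profile into a consumer-specific rendering, with reconciliation metadata stripped.
    out = {k: v for k, v in profile.items() if k not in ("sources", "conflicts")}
    out["telephoneNumber"] = PHONE_VIEWS[consumer](profile["telephoneNumber"])
    return out
```

The CRM record deliberately carries a different number so that the `conflicts` list shows how a disagreement between silos surfaces for data-quality review instead of being silently overwritten.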
As Martin puts it, “With identity data sprawling across a wide range of systems, providing the data at the right place, on-time, integrated across sources, and in the required quality is still an underestimated challenge in IAM (Identity and Access Management). The effort for integration can’t be successfully done per verification system but requires a centralized and specialized approach for unifying identity data and delivering this to the various IAM and cybersecurity tools.”
Without a central identity system in place, IAM projects are difficult and time-consuming to complete. Projects that start with a solid identity foundation, or are augmented by one along the way, are accelerated and enhanced.
Quality, Quality, Quality: The Importance of Good Identity Data, and How To Get It
Put another way, as Homan Farahmand writes in Gartner’s 2022 “Guidance for IGA”, “Identity data quality management (in support of the ILM process) is a key success factor for IGA initiatives.”
If you read the fine-print for implementing an IGA solution, you’ll find there is a lot of hidden prep work required to make it work right. To set the stage for success with IGA, Homan recommends implementing an Identity operations (“IdOps”) practice: “IdOps should deliver value faster by creating predictable delivery and change management of identity data due to life cycle events. IdOps uses technology to automate the delivery of identity data with the appropriate levels of governance and metadata to improve the use and value of data in the IGA system.”
Homan highlights the importance of a functional identity data architecture for supporting data quality. “Organizations need to evaluate their identity data models and use an appropriate IGA middleware tool…” to address common challenges in IGA (including handling multiple authoritative sources, performance and availability, diverse schemas, and of course, data quality).
It all comes back to the requirement for good identity data management, to get good identity data, to drive good decisions.
How to Build an Identity Warehouse
What’s the best way to build a warehouse? Rip and replace, start from scratch, or use what you already have? Ideally you’ll be able to keep using existing investments without them holding you back from modern initiatives like cloud migration—a solution that pivots to meet whatever requirements the use case calls for. Hmmmm, I feel like I’ve heard of something that does this.
The fabric pattern that we are seeing across markets (for data and also for identity) is the response to the common problems of data sprawl that is so pervasive among large enterprises. When it comes to identity data, we’ve implemented this approach with our platform so that organizations can continue to leverage systems of identity that are working well, while unifying identity data into a centralized control plane to be used by a variety of initiatives.
So remember, an Identity Warehouse needs to be:
- Comprehensive (supports integration of entitlement AND profile data)
- Extensible, flexible (for example, generates different data structures and schemas)
- Capable of near-real-time sync across multiple stores
- Accessible in real time, scalable to manage hundreds of attributes and hundreds of millions of objects
- Compatible with many systems, able to integrate new systems easily
- Adept at managing groups
The goal of building an Identity Warehouse is NOT to add another data store with one function in mind: when you build flexibility into the infrastructure, you’re simplifying the identity system so that all identity-related projects can be streamlined.
What are the Benefits of a Centralized System of Identity Data?
The payoff to building an Identity Warehouse with a fabric approach is that you get to use and re-use your data many times, without having to customize a solution for every new project. Whether you are navigating a merger/acquisition/divestiture, enabling collaboration with partners, automating lifecycle management, delivering identity insights to drive better security or user experience, an Identity Warehouse can optimize the process using your existing identity environment.