THINGS TO REMEMBER FOR IDM MIGRATION




Nowadays every organization implements Identity Management solution to manage access to their assets and resources. To meet the new business needs, organizations either upgrade their existing Identity Management solution or migrate to new solution.

Upgrading the existing solution is comparatively simpler as most of the detailed documents are provided by vendors itself but migration to new solution is more complex because there’s no documentation provided by the vendor and there’s a lot of dependencies on the existing implementation, so it’s very important to plan the migration properly to avoid unnecessary delays and to make the migration successful. Most of the migration projects delay either because of lack of planning & preparation.
Before kicking-off the actual migration, here are the few questions which must be answered:

1.      Do we have up-to-date documentation of existing implementation?
2.      Do we have a document which contains all the dependencies for migration?
3.      Should we go for a big-bang approach or phased approach?
4.      What are the expectations from the new IDM System?


Let’s discuss these questions one by one.

Understanding the existing implementation is the main prerequisite to define the scope & budget of any migration project. Generally, most of the companies don’t maintain up-to-date documentation but organization must have at-least Requirement & Design documents. If any organization doesn’t have the same, they must perform assessment of existing implementation.

IDM system manages access to various systems/application and in every IDM implementation there are always some common artifacts which are shared across multiple applications, so it’s really important to document these kinds of dependencies for each and every application/system. This will help in defining the roadmap for migration.

Big-Bang vs Phased Approach? Sr. Management is interested in this question because they need to plan the budget & resources accordingly. Answer completely depends upon the type of implementation. I have seen organizations which were using IDM as a backend engine for provisioning for couple of applications/systems only and I have also seen organizations which had thousands of applications/systems. Generally, phased approach is recommended because:
  • Reduced Risk: Provides ability to learn and improve from each phase.
  • Flexible Timelines: Easy to accommodate any unplanned item
  • Better Budget Planning: Phased approach t allows us to plan the budget accordingly
  • Same Resources: Big-bang approach requires many resources because each resource will be engaging at the same time but in phased approach same resources can be used for each phase. 
  • Higher Success Rate: As we learn and improve from each phase, this maximizes the success rate 
  • Happy Management: Continuous delivery in each phase keeps the management happy

IDM is a centralized system and replacing the same is a big step for any organization. Additionally, everyone has higher expectations from the new IDM solution as they investing more money & time in a similar solution, so it’s really important to understand the limitations and pain-points with existing system.

Next item which we need to discuss is HOW SHOULD WE MIGRATE?

As part of planning, we need to answer two key questions:
  1. What would be our Primary IDM and Secondary IDM during the migration?
  2. When are we going to make a switch between IDMs like Secondary will become Primary and Primary will become Secondary for each application?

Always remember one core principle for IDM migration (exceptions are there and I will explain):

“ONE AND ONLY ONE IDM SYSTEM MUST BE ALLOWED TO WRITE IN THE TARGET APPLICATION/SYSTEM AND OTHER IDM MUST READ (NOT WRITE) FROM THE SAME TARGET APPLICATION/SYSTEM”

I always get the follow-up question on this principle, why should we follow this principle?

The answer is to maintain auditing which is the core function of any IDM system. If IDM1 is creating accounts in Application1 and at the same time IDM2 also starts creating the accounts in the same system then accounts created by IDM2 will be considered as Rogue Accounts for IDM1 but they are not Rogue Accounts. This can impact existing monitoring & alerting system and will require more effort to explain the same to auditors. This will increase chances for TRUE-NEGATIVE scenarios.

I mentioned above about the exception with the principle, I’ll explain the same with another example. Suppose IDM1 is creating Type A accounts in Application1 & IDM2 is creating Type B accounts in same application; these two types of accounts are represented as different applications in IDM systems which is a common design approach we follow when we have to manage multiple types of accounts in the same application. This approach allows us to create logical boundary during the migration so we can allow two IDM systems to write in the same application. This is not recommended but can be used if it’s difficult to migrate the features of that application together.
Let’s go through the definitions of Primary and Secondary IDM.

  • Primary IDM: IDM which will be responsible for WRITE operations in a particular application
  • Secondary IDM: IDM which will be responsible for only READ (Not Write) operations in the same application.

Note: This is possible that at any given time, both the IDMs can behave as Primary IDMs but for different applications.

Now going back to our questions, we must identify our Primary IDM and Secondary IDM for each application and also define the timelines when are we going to make the switch. Just deploying the artifacts/objects/components into new IDM will not add any value until we turn-off the write operations from existing IDM, so we must define timelines to make this move.


Sometimes we run into situations when 

  •  Some object/artifacts are common between few applications, and
  •  Migration of those applications is not possible at the same time due to increased scope or other applications specific dependencies
To overcome such situations, one must be prepared for making modifications in existing IDM. Sometimes this small effort can make our migration easier. I have seen organization which don’t allow any new development/code change in existing IDM which is not good. Sometimes it is also required to build a bridge between existing IDM and new IDM.  

HOW TO DEFINE PHASES:

Defining the phases with correct scope is really important for migration project. This is where we need the help from dependency document which we discussed above. First phase must contain application(s)/system(s) which have zero dependency or least dependency on others and we need to apply the same formula to define other phases as well.

As a best practice, connectors for authoritative systems should be migrated in the last phase. This can be migrated in the first phase as well but will require additional effort and will add unnecessary complexity. Migrating such connectors in the last phase will have the minimal impact to downstream application(s). 


I feel that I can write for next 2 hours on the same topic 😉 but would like to end here. This is just based on my learning while working in migration projects (Note: Sharing as a recommendation only)

!!! Happy Learning !!!






Disclaimer

All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information

Posted by at
Labels: , , , , , , , , , , , , , , , , ,