Part Three: A New Paradigm in IAG: Designing Future-Oriented Software on the Cloud and for the Cloud
Simplicity and Usability! If I could sum up the focus of my software design efforts in simple words, they would be “simple and usable”. One could create the most beautiful software in the world, but if it isn’t intuitive and easy to use then it could quite easily fail in the eyes of the user, and cause configuration, deployment and productivity issues. That’s why in my time as a software engineer I’ve aimed to apply a certain level of creativity in design, to ensure that the software delivered to a customer does what’s required of it, in as easy-to-use a manner as can be developed.
What I love about modern, cloud-based software development platforms is that they provide engineers like me the ability to achieve the panacea of simplicity and usability. And what’s even better, is that this can be achieved without sacrificing product functionality, at reasonable cost.
So, when asked, I jumped at the opportunity to develop a new breed of software for addressing identity and access management (IAM) requirements in the cloud. Having been focused on on-premise solutions for IAM for a number of years, I couldn’t wait to get started on building a cloud solution for this marketplace.
A commonly used measure of success in software implementations is “time to go-live,” which is often seen as a critical project success factor. I prefer, however, to consider “time to productivity” as a better measure of success, which typically covers everything from procuring the license through installation, implementation, rollout and so on. For me, the exciting thing about the cloud is that this whole cycle can be dramatically cut down if we can design a simple, easy-to-use, cloud-based solution that can enable the customer to get started almost instantaneously.
Isn’t this factor alone convincing enough to consider redesigning a cloud-based solution that addresses the needs of IAM? Needless to say, should customers have a cloud-first approach with their own IT strategy, this new solution supports customer strategic initiatives while also extending the solutions technically to support other cloud solutions. Let me share how some of these concepts manifested in SAP Cloud Identity Access Governance.
Cloud Benefits of SAP Cloud Identity Access Governance
With a cloud-based solution, most people’s experience I think will have been that “ease-of-use” is no longer the desire, it’s the expectation. And from a software design perspective it’s now a de-facto standard that ease-of-use and usability are a given. And so has been my experience in developing a new IAM solution for the cloud.
I’m happy to say that this new solution, SAP Cloud Identity Access Governance, which is being delivered as a range of cloud services starting with SAP Cloud Identity Access Governance, access analysis service, has provided an ability for the development team to produce a truly easy-to-use application that I’m convinced users will enjoy using. For me, that’s a huge “tick in a box”. But more than this, utilizing the SAP HANA Cloud Platform as the basis for this new service has also enabled us to achieve a range of functional and capability advantages too.
- An ever-changing world in terms of technology and business users accessing applications demands improved yet simplified processes to address compliance needs as well as to optimize the user’s individual access to systems.
- Addressing access analysis and the risks associated with access, such as critical access requests and segregation of duties (SoD) violations, is proving to be increasingly complex, especially with heterogeneous software system landscapes and application environments.
- Handling long-running background processes, making decisions based on outdated results, and adhering to compliance in a timely manner add up to a sizable problem.
- With a cloud-based approach, our software design has enabled us to do new things, which make the process of IAM easier, and quicker.
Moving from Traditional Periodic Batches to Event-Driven Analysis
Traditionally, periodic batch jobs are necessary to perform access analysis and provide results. This is time consuming and causes some delay in the process. Event-driven access analysis identifies the changes that are relevant for access risk rules and processes them in near real time so that there is no delay in responding to access violations, meaning that access risks can be mitigated more quickly and easily, with less chance of adverse impact on the business.
Optimized Assessment Algorithms
Speed of calculation in any analytic system can affect the time it takes to make decisions based on the result of those calculations. So to reduce the redundancy of access analysis results we segmented the complex analysis algorithm into small isolated pieces, thereby gaining performance improvements in the calculation of results while also enabling improved scalability. Speedy, well-informed decisions can therefore result.
Normalized Authorization Model and Localized Analysis
One aim when designing the access analysis service was to achieve more flexible and extendable analysis capabilities. With the improved approach of event/trigger-driven analysis, we’re able to produce real-time access analysis results as soon as there is an access change. This new approach of localized analysis helps reduce the complexities of technical connections to various applications. By just loading the authorizations, and with a proper rule set, analysis can be performed. In essence, what we’ve really been able to deliver here is a system that can provide continuous access analysis for an organization, which is a breakthrough in terms of real-time analysis.
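A sketch of the event-driven, localized analysis described in the sections above, added here as an illustration and not taken from SAP Cloud Identity Access Governance. The rule set, permission names and the `AccessAnalyzer` class are hypothetical, and a function is assumed to be held when the user has any one of its permissions.

```python
from collections import defaultdict

# Constructed rule set: each risk is a pair of conflicting business functions,
# each function a set of normalized (system, action) permissions.
FUNCTIONS = {
    "maintain_vendor": {("ERP", "vendor.create"), ("ERP", "vendor.change")},
    "post_payment":    {("ERP", "payment.post")},
    "approve_po":      {("SRM", "po.approve")},
    "create_po":       {("SRM", "po.create")},
}
RISKS = {
    "SOD-P001": ("maintain_vendor", "post_payment"),
    "SOD-P002": ("create_po", "approve_po"),
}

class AccessAnalyzer:
    def __init__(self, functions, risks):
        self.functions, self.risks = functions, risks
        # Index permission -> risks it can affect, so an event touches few rules.
        self.index = defaultdict(set)
        for risk_id, pair in risks.items():
            for fn in pair:
                for perm in functions[fn]:
                    self.index[perm].add(risk_id)
        self.grants = defaultdict(set)       # user -> permissions held
        self.violations = defaultdict(set)   # user -> open risk ids

    def _violates(self, user, risk_id):
        # Assumption: a function is held if the user has any of its permissions.
        return all(self.functions[fn] & self.grants[user]
                   for fn in self.risks[risk_id])

    def on_event(self, user, op, perm):
        """Apply one grant/revoke event; return (raised, cleared) risk ids."""
        if op == "grant":
            self.grants[user].add(perm)
        elif op == "revoke":
            self.grants[user].discard(perm)
        else:
            raise ValueError(f"unknown op: {op}")
        raised, cleared = set(), set()
        for risk_id in self.index.get(perm, ()):  # irrelevant changes skip analysis
            open_now = self._violates(user, risk_id)
            was_open = risk_id in self.violations[user]
            if open_now and not was_open:
                raised.add(risk_id)
            elif was_open and not open_now:
                cleared.add(risk_id)
        self.violations[user] |= raised
        self.violations[user] -= cleared
        return raised, cleared
```

Each event re-evaluates only the rules indexed under the changed permission, and only for the affected user, which is what removes the need for a full periodic batch run.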
Cloud Based Multi-Tenant Applications
These allow customers to easily add compliance to the applications in their landscape. Configuration is simplified, with an out-of-the-box standard rule set that can also be easily customized in Excel and uploaded. As this solution is subscription based, customers do need to have their own landscape to run this compliance process. Surely this will aid the auditing process (and associated costs) for many organizations.
Plug and Play & Instant Results with Smart Sequencing
The solution is designed to connect to various systems in a plug and play mechanism, which means leveraging SAP’s underlying Basis layer to standardize the APIs that will allow us to extract the information required for access analysis. Well, that’s one side of the story. Even with all the improvements in algorithms, the power of SAP HANA and authorization change event-based analysis, there is still a wait to get access analysis results. This is where smart sequencing comes in, allowing us to sequence the analysis blocks smartly to bring instant results.
What Do You Think?
It’s been a pleasure to work on the design of the access analysis service, and now the solution is in-market I’m looking forward to hearing customer feedback. Having now turned my attention to the creation of related SAP Cloud Identity Access Governance services, I hope to apply more of the same design thinking to these too.
Identity and access management solutions on the cloud have been in the market since 2006. SAP is a late entrant in this solution offering. Nevertheless, congratulations to SAP on moving the IDM solution to the cloud, which was much awaited.
As a User Assistance professional, I totally support the idea of "Simplicity and Usability". Looking forward to collaborating with you on this goal 🙂