Let’s talk about digital identity with John Jellema, VP of Product Management at Ubisecure.

This is a special, bonus episode on Hybrid IAM, in the lead up to the Gartner Identity and Access Management Summit 2023. Oscar is joined by John Jellema, VP of Product Management at Ubisecure to explore the hot topic of Hybrid IAM including what is meant by hybrid IAM, why and when to consider hybrid IAM, benefits and drawbacks and considerations for orchestration between different clouds.

[Transcript below]

“Where I think identity access management is going, growing, and continuing is around the areas of security.”

For more from John take a look at his blogs or contact the team. Find more information and resources on our Hybrid IAM page.

Join us at the Gartner Identity and Access Management Summit, on the 6-7th March in London. Find the booth and session details or book a demo with the Ubisecure team.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity
Let's Talk About Digital Identity
Ubisecure

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: In the lead up to Gardner Identity and Access Management Summit 2023 in London. The Let’s talk about digital identity team have released this special episode to discuss Hybrid IAM. A trending topic in the identity management industry, IAM stakeholders are increasingly interested in understanding what Hybrid IAM really means, how we can solve modern ID challenges, and how to evaluate whether Hybrid IAM is a suitable business choice for their current identity projects.

For today’s episode and to help answer those questions, I am joined by John Jellema, Vice President of Product Management at Ubisecure. Hello, John.

John Jellema: Hi Oscar. Thanks for having me on the podcast.

Oscar: Very welcome. So, John, let’s talk about digital identity and as usual we want to hear a bit more about our guest. So please tell us about yourself and your journey to this world of identity.

John: Sure, absolutely. I started in a very old Internet company back in the United States in 1997. Moved over to Amsterdam, where I became a product owner on several security services for Verizon, the global telco. The last of which was operating an anti DDOS platform, so to ensure availability of circuits all over the globe through some of the largest DDOS attacks. Ran that platform for about 15 years and then I came over here to Ubisecure about five years ago.

I’m intensely interested in the personal access, the capabilities and the dynamic future of identity management. As we move from employee identity management into true global functioning personal identity management. That’s why I’m here at Ubisecure.

Oscar: Excellent. So, John, to get started with talking about Hybrid IAM. What do we mean when we talk about Hybrid IAM?

John: It’s a good question. It’s confusing a lot of times. There’s a lot of material out there if you search for the term hybrid IAM, what different folks are referring to or meaning. In practical terms, it’s using two dissimilar services or two dissimilar location areas to have a service deployed at the same time.

So, a lot of organisations – I mean we’re 20 – 25 years into this thing called ‘the internet’ with user accounts, and there are lots of legacy systems. That’s a term that is widely used for employee identity and access management, or your log on service that you do, or your access when you sign into your laptop or an internal machine.

It’s functionally – a legacy IAM is functionally, a server or a private cloud, at this point in time that a corporation or an organisation runs for themselves and hybrid IAM is linking that legacy service with a cloud-based service. So, something that is on a public cloud like Azure from Microsoft or AWS, Amazon Web Services, where you can get compute functionality from one of the larger providers in a dynamically scalable environment.

So, it’s kind of old school and new school coupled together and that gives you hybrid. That’s the functional area of what hybrid IAM is. Of course, the detail is, why would anyone want to have a hybrid IAM? Why add complexity? Those kinds of pieces. And the answer is, you really have different use cases.

So, your legacy service like I suggested was a B2E, so business to enterprise or business to employee. Where your public cloud-based service, that is the new component in hybrid IAM, is really you’re reaching out to consumers or citizens or business partners. So, you’re doing something that’s kind of different to what your existing business was doing, and you don’t want to have the complication of trying to onboard lots of non-employees into your employee IAM system.

Oscar: Yeah, indeed. Often, I talk with customers and they have those requirements. They might need hybrid. One might think but why don’t you stick to on prem or why don’t you do only cloud, but often both requirements are needed and hybrid IAM is what is needed.

When could you consider choosing hybrid?

John: For myself as a legacy networking individual, I would consider hybrid at any moment in time where I could make a logical DMARC. So, I’m trying to make a division in between which systems are running. It’s true, like you suggested, Oscar. You could have two implementations of your legacy stack running on your own prem, and you could say one of those is for internal and one of those is for external.

The driver or the key would kind of be, well does your legacy stack IAM actually do all of – does it serve all of the use cases? Does it do all of the functions that your new users are looking for? So, how do I integrate with a business partner or how do I offer services in a consumer way or a citizen manner? If you’re a government organisation.

You don’t necessarily want to expose all of the details or run the risk of co-mingling use access for everyone. So, putting an easy demarcation point, a DMARC point, in between the two services is key, and it will be a use case that kind of drives you to look out towards a public cloud. And it is that merging of the public cloud, that new service somewhere out there in the cloud infrastructure, along with your existing on prem legacy service or private cloud service, that really makes you hybrid.

There’s another aspect that people will, or organisations will oftentimes look at when they’re considering choosing hybrid, and that’s cost control. Your hardware or your legacy stack is expensive to run, operate. It takes your IT team an amount of time to manage and keep it going, to keep it secure, even for your employees. And you say, well, is there a way or a method to actually get all of this service function without having the core obligation. The core liability, the security risk of actually running things on prem.

Starting with B2D or a B2C out in the cloud. So, making an initial hybrid implementation that does a new feature for you, is a good starting point or a stepping off point. Where an organisation that has an existing platform, a legacy platform, can start looking in solving the question of going out to a hybrid and then eventually a full public cloud environment. Without going through the organisational trauma of completely upsetting everything. Or trying to make a dramatic shift of every use case all at once.

So, considering hybrid cloud can be for a couple of different reasons. Cost control, it can be new features, new functionality, and it can be along the general migration path, a growth path that an organisation is doing.

Oscar: Yeah, absolutely and if we go to see the benefits. Because also, mostly when we have an organisation that has to make a decision, do we go for hybrid, do we stay as we are? It’s important to know clearly, what are the benefits of choosing hybrid. So, for you, what are the main benefits of choosing hybrid IAM?

John: For me and as the head of product here at Ubisecure, it’s the same kind of decision we make in our own roadmap. We look at the use cases that customers are bringing forward in RFP’s. That’s reflective of the benefits or the benefit decision making process that we see a lot of companies doing, and that is, really a generational change.

They can be looking to utilise their IT staff, in more effective manner than managing this internal identity access management. There can be challenges with a merger acquisition, so if the company is actually considering expanding or being taken over. How do I actually make sure that my existing business partners, if I’m calling them internal at this moment, utilising my legacy stack of B2E for my partners, how can I do more for those external users?

And the more is, security as a primary driver. One of the big benefits of choosing a hybrid IAM is, like I’ve said, this big DMARC between your existing service and the new things that you’re trying to do. Or the better improved, more improved security that you’re trying for. It’s easier to implement multifactor for external users, if you’re on completely a new platform, you can multifactor that user in, and get good control points very easily. And then only with OIDC compliant tokens come back and process the specific pieces of information or specific access to your internal applications, that you might want to be giving to your partners.

So really using the public cloud, and that is the hybrid IAM, as an extra security layer or an extra layer of an onion, if you know that classic security model. That’s from my view, one of the largest benefits of choosing a hybrid IAM, you get more functions, different functions, altered functions that you don’t have to attempt to build into your legacy service. So, there’s no existing corporate disruption, while you’re growing your business, and that can be organically as your business grows or in-organically through merger and acquisition.

Oscar: Yeah, exactly. And do you see any drawbacks or downsides, that can be considered in [Hybrid IAM]?

John: Any time you add a complication right, and a hybrid IAM is a step function, you’re adding a complication, you’re talking about adding a second system. That can be considered to be a drawback. But if you consider the direction of IT in general, there are fewer and fewer prem based installations. More and more services that your corporation is using, whether that’s ticketing, whether that’s mail services, whether that’s applications for data processing or anything, more applications that we use are going towards the cloud. And there’s good reasons for going towards the cloud, that is public cloud, for all of these kinds of applications.

It’s much easier to ensure security. So, there can be security patches and feature additions that happen on a cloud environment in a much, much faster timeframe compared to what it takes to for all of us to, for example, install the latest image, latest security patch on our laptop or make a generational shift of our laptop. When all of the applications we’re using are out in the cloud, again the public cloud, then the world is just about access, and you can access those applications from anywhere you’re qualified to access them from.

So, bring your own device and as long as I can securely identify yourself or myself, then I should be able to use that item or that application. Again, be it email or be it our internal ticketing system, as an example. That’s a clear directional move that the entire world, not just identity and access management, but the entire world is moving. Saying, we no longer desire to have machine rooms in an office cabinet, or in a closet, in every office building, for every company individually.

Those are costly, they have a lot of Capex cost and it’s much easier to grow, scale, and use what you need in a public cloud offering. Starting with hybrid IAM, you get the benefit of having your existing platform being not disrupted. But you have the complication saying, now there’s this external or this additional application that your IT staff or your operations team, at least, have to pay attention. That you have internal users, Oscar and John log on to Ubisecure and you have external users, customer A, B or C logs on to our IDaaS platform. And there is extra work while corporation or organisation is going through this transition from legacy to public cloud. This transition is really hybrid IAM.

Oscar: Yeah, we can see there are many, many benefits a few, of course, drawbacks, especially complexity. If someone who is now considering, maybe already, this person made the decision that yeah, we’re going to do hybrid IAM. So, to try to visualise that – how to start the project, what happens at that moment? How to start the project? So, what are the goals or outcomes that will need to be achieved by the organisation?

John: It’s always hard to know, when starting a hybrid project is a good idea. Or replacing your existing service is a good idea. It’s best for every organisation to consider it, before they have a traumatic event like a security breach. Security breaches would be an obvious consideration or a security audit, which is one step back from a breach. Where your auditor says – hey, you’re not doing a very good job keeping your legacy system up to date. Or when you did this merger and acquisition, or integrated a business partner as B2B, or reached out to consumers or citizens as B2C, you’re starting to take on lots of liability, because you’re building a user database that’s incredibly huge. And GDPR says I should have a right to forget.

So, you have a lot of liability coming in there that you have to manage. Instead of waiting for a traumatic event, again, like a security breach or an audit event where suddenly your company is thrown into, again, a light state of trauma. Where they’re saying, I’m not going to pass my security audit next year, if I don’t resolve this kind of thing now.

We should all be kind of looking and saying, is my existing stack of software doing everything that I want? Does it serve all of the use cases that I want? Would it scale dynamically, if the marketing department said let’s go get a million more customer leads? So, could my platform scale, if we change business focus. Does it actually serve where the corporation is going, and does running internal services – is that a key function to my business?

If it’s not really a key function to your business, it’s a historical thing – you started in a B2E, so an employee or an internal enterprise-wide identity and access management platform. If you have one of those, and you’ve always had one of those because you think you need one of those, now is a good moment to actually look and say, do you really need one of those?

Can you look at Microsoft or Amazon services, here in Europe. Which are incredibly secure and incredibly compliant with all of the legislations and start to utilise hybrid to meet one of the use cases that your current platform isn’t able to do very quickly. And this for me, would be the motivation to start a hybrid project.

Is there a use case, is there a group of users that you’re not servicing very well? Is it for diversity, equity and inclusion, right? Your current UI isn’t compliant, or doesn’t look as nice as it should, or isn’t as accessible as it should be? That could be a good moment for considering, how to start a hybrid project.

Can I get a different UI as something that’s available? And again, a merger and acquisition, it’s a good kind of consideration. If you’re merging with a peer company, that same size, you don’t want to get rid of your application, they don’t want to get rid of their B2E application. Well, that sounds like the definition of a hybrid.

You need a centralised point where everybody can agree. So, there will really be obvious use cases. I think for all of our listeners, anybody who’s following this podcast, will understand that there’s a use case, that’s sitting on their desk, that isn’t being met by their current organisation and maybe can’t even be met by their current organisation.

It’s really hard for the current IT, or developer team to actually resolve and that’s going to be the genesis of the start moment of where to consider a hybrid project. Again, you don’t have to do a complete lift and shift, that’s the pure definition of a hybrid project. You can keep your existing platform, that runs, is very stable, services every use case that you currently have. And only use the hybrid public cloud service, for fulfilling those new use cases, or those difficult use cases, the ones that you aren’t currently able to do. That to me would be the starting moment for nearly all of our listeners.

Oscar: Yes, and yeah, it makes sense. And it’s a concept that actually, in this conversation with you, I’m hearing repeatedly so absolutely agree with that. How to use hybrid in order to implement, to deliver, these use cases, which are underserved by either the private cloud or the on prem. And that could be much easily and even more securely, probably more securely, delivered by using a public cloud based CIAM.

Would you also see some possible complications? Just thinking of, again, starting a project like this. Starting a project, project is having some progress – so what could be some possible complications here?

John: Absolutely. I mean there are complications when you’re putting on a second system. You do need to find a public cloud-based identity access management platform, an IDaaS service, that is secure, that is qualified to meet the use cases that you’ve identified. The reason to start the hybrid project in the first place.

So that in and of itself is work, you have to go out and look for vendors. And an RFP for an element like this can be cost to an organisation where you don’t have manpower, or time to actually cover that cost. So, you know, all of the organisations, all of the listeners should look for an IDaaS service that can make quick, easy trials.

They ought to be able to very quickly demonstrate the security additives that they bring to you. They ought to be able to demonstrate the use cases, fulfil the use cases, and it should be easily consumable for you. It shouldn’t be overly complex to try and consider how to add this layer.

There are still disadvantages – you do have extra cost. We are talking a second system that’s actually running, and any time there’s more, more systems, more anything, there’s going to be more cost. Now, if it is in your organisation’s corporate transition to go from your own servers to a public cloud, and most corporations at this point have the gradual transition to cloud somewhere on the roadmap, a hybrid IAM is a good way to start learning how to move the organisation forward. But there needs to be budget for that, there is cost inside those elements.

You will have the integration complexities, so your prem based service or your existing service has to be able to be integrated with a public cloud. Your existing applications need to be compliant to some degree, or you have to have an engine that will actually take your non-standard applications and make them standard.

Whether that’s SAML or whether that’s OIDC, you have to be able to integrate and that’s oftentimes a challenge. Knowing what your applications are, being able to do a site survey of what your applications are versus your new use cases and being able to carry out that integration is complex. That’s the reason ourselves, as a vendor, and others in the space exist. Because it is complex and there are vendors out that can help you with this, with this kind of review or integration capability.

And one of the final pieces it’s got to be latency. So, it’s not a huge factor if you’re operating inside, for example, all inside Europe here. But you need to consider – is your transaction whatever is going on or takes place with that, new user coming on to the hybrid cloud platform, way out there someplace. And then coming through, authenticating themselves with whatever public service they’ve authenticated themselves, and then coming back into your infrastructure – is your application tolerant of that amount of latency?

So, there can be gaps or difficulties, complications, even if everything looks right on paper. Even if the IDaaS service functions well, there can still be difficulties with the application or the latency in between the two clouds, as it were. The public of the IDaaS and the private of your current service, and whether that’s prem or whether that’s your server is running out on an EC2 instance in AWS for example.

Oscar: Yes. It’s definitely good that you mentioned all this, possible scenarios like latency, different potential complications. Some might happen, for instance if the company has, let’s say, office in every continent. But if that’s not the case then it’s not a complication. But there are many scenarios, as you say that has to be taken into account.

When you mentioned earlier about mergers and acquisitions, one thing that came to my mind immediately was, okay, of course. I think if there’s a merger or acquisition, I think almost for sure that a hybrid IAM project is born. It’s almost for sure that. What if one of the, let’s say there are two companies only, what if one company uses one type of cloud, like you say Azure, and the other uses Amazon Web services? They are based in, both are Cloud, they both have their identity and access management. What about this type of orchestration? Coexistence between different clouds.

John: I mean functionally, in the very early days of a merger and acquisition, you’ve got to decide who gets an account on both platforms. Right. Your IT staff are suddenly going to have two accounts, and they’re going to have to manage two accounts, one in Azure and one in AWS. That’s for simple access, administrators are always over – your IT staff are always overburdened with too many systems to run.

As a company you’re going to have to decide, and maybe many companies already have, having gone through the COVID pandemic and everybody’s starting to work remotely. But you’re going to have to decide how to authenticate a human being onto a platform that isn’t on your premises. So, the laptop isn’t plugging on to a LAN, whether that’s wireless or whether that’s cable. They aren’t plugging onto a LAN in your office building, so they’re not behind your firewall, you can’t identify them as easily. And in any good zero trust policy, you shouldn’t necessarily trust anything from out there, in the open Internet.

That’s the kind of merger and acquisition problem you’re running into where you say, I’ve got a thousand-person company on AWS, I’ve got a thousand-person company on Azure. How do I actually pull these two together? A hybrid solution can be, you know, very easy to say – well, I don’t want 100% of the applications from company Azure versus company AWS,

I don’t want to give access to everything yet. We’re only in the early days of merger and acquisition, oftentimes in an M&A, there’s staff reduction. So, you don’t necessarily need two HR departments, you don’t necessarily need all of the sales staff. That’s not always true, you could be growing, but you’re going to go through an alteration of your corporate structure. And you can use a third platform.

So that could be either on azure, or on an AWS, or somewhere else. You could use a third identity and access management platform to say – Oscar, let’s all, you and I can all, you know, identify ourselves on this third platform. And that third platform has equal access back into specific applications found within company on AWS and specific, similar, applications found on company inside Azure.

Again, it’s more complex. It’s not a straightforward kind of way, but that’s one of the easiest ways. Again, introducing a hybrid is one of the easiest ways of saying, I’m not going to immediately merge or try and slam the two corporations together. I’m simply going to set up another platform, that handles the who gets access to what, who is identified as what.

It’s actually not as strange as it sounds. Oftentimes when companies merge, you’ll see company John, company Oscar, and now we have the new company called Oscar John, right. You’ll merge the names of the company; your domains will merge and it’s a very easy transition. Saying we’re going to set up another platform. Again, could be a second one on AWS, could be a second one on Azure.

Doesn’t have to be overly complex. One of the IT departments is going to have more work, both of the IT departments are going to have access control work to do. But it shouldn’t be difficult, it shouldn’t be difficult for any company going through an M&A.

Oscar: Yes, indeed, John, we are going towards the end of this conversation with you about Hybrid IAM and for a closing question. A question that is always targeted to business leader, decision makers. What would you tell us, why should hybrid IAM be on their agendas?

John: It’s a good or a key question. It’s one that we’ve been thinking about here, inside Ubisecure for a couple of years now. Trying to resolve, how to best serve what we think the use cases are. The gradual migration from. I’ve said it a few times in the podcast – but the key point would be, a gradual migration from prem services to more secure cloud services. That ‘cloudisation’ or that migration towards cloud is going to be one of the drivers, and hybrid IAM can be an easy uptake. So, it can be a way you’re – the executive management team as well as the top end of your IT team, can start to get experience with things that aren’t their own, right. How to get onwards, how to move your company forward into a public cloud scenario.

You might already be doing this with using Office 365, and for example, not even realise that what you’re doing is, you’re taking your local Active Directory and you’re using it in a ‘clouded’ environment. Accessing all of the Microsoft applications or the Google applications, if you’re on on G suite. All the Google applications, out there in cloud, you’re not installing them on prem.

A second key driver would be for me security. Where I think identity access management is going, growing, and continuing is around the areas of security. We’ve all seen that passwords aren’t secure. You should have a fairly simple, good, memorable password that’s extremely long. For lots of, so for the big three ecosystems, those are all moving towards passwordless for the end user, which is fantastic. It makes it easy for me to log on to my phone or my laptop. Passwordless or Fido2 whichever ecosystem you happen to be most interested in.

But when you’re talking about business to business, or business to consumer, there’s the extra need of MFA. So, you need to have multi-factor authentication, you need to consider other areas of security, risk-based authentication on top of it. What your what your security stance is, how to see who is accessing what and block unneeded transactions or unwanted transactions very quickly. And moving towards a hybrid cloud again offers a good DMARC, offers a security point. Where you can lay or layover or add on multi-factor authentication for a user who is not in your system, is not identified in your system.

And probably one of the last pieces but it’s really important, especially for all of our European listeners. Is the European Union’s eIDAS project. The idea that myself as a European resident, will be able to have a digital wallet on my phone where I can conduct a majority of business with just about any organisation, public and private, anywhere on the continent. That means I can identify myself in a very strong manner, very easily, and I can chain or remain in control of all of my personal details. And that in and of itself, that kind of legislation is the clear driver that the digital world is moving.

So, you don’t want to necessarily have all of your consumers, or maybe even all of your employees, identifying themselves off their username and password and the MFA that you have on your local legacy implementation installation. You want to start considering how to move to a hybrid cloud or a full public cloud, hybrid being a good step.

So, it’s on your digital path, it’s going to be more secure, and there’s new technologies or legal requirements that are coming to your organisation. So those are going to be the three key drivers for, I think, any of our listeners.

Oscar: Yeah, definitely. Thanks a lot, John, for enlightening us about hybrid IAM. Tell us, if someone would like to follow this conversation with you, what are the best ways for that?

John: I think if anybody is interested in discussing hybrid IAM, they can reach out to anyone here at Ubisecure. We’re all very conversant on it, we – it is an opinionated field, and we’re happy to have the conversation to work through your use cases. Your specific areas of interest or your question on something that I might have said, and potentially you might disagree with. Reach out to us and we’re all available, you can find us that our ubisecure.com or reaching out to sales and we’re happy to have the conversation.

Oscar: Perfect, Again, thanks a lot John, and all the best.

John: Thank you very much, Oscar.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episode at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.