Best Practices

Combined Session
Wednesday, May 13, 2020 14:30—15:30
Location: ALPSEE

Build Your Own IDaaS: Lessons from Year One

Build or buy? Do we have the staff, talent, and budget to operate a new security service if we decide to build? In this talk, Alyssa Kelber and Jon Lehtinen deconstruct the myth that you need large teams and expensive software to run cloud-native Identity-as-a-Service platforms for your enterprise. They will share their experience building their own at Thomson Reuters using commercial off-the-shelf software, containerization, and native cloud services, as well as the lessons learned, business impact, and cost savings over the year since the service’s launch.

Key takeaways:

Objective 1: Understand the LOE & benefits of building a sustainable IAM service using infra-as-code & devops, namely that the total cost of ownership of running commercial off the shelf software in a containerized, cloud-native fashion provides IDaaS-like functionality at a lower price point compared to turnkey IDaaS solutions.

Objective 2: Learn how to improve adoption rates for identity services & reduce friction through superior UX.

Objective 3: Grow confident that the skills to build IDaaS aren’t as specialized as one might think. The 3 engineers involved in this project had minimal cloud, container, and devops skills at project start, yet successfully designed and launched the system in a year, and have successfully iterated upon it for more than a year since it launched to production.

The presentation highlights how simple and cost-effective designing, building, and implementing a cloud-native IDaaS solution can be. It tells the story of how 2 engineers with modest AWS exposure were able to design, build, run, and iterate upon TR's new enterprise SSO/MFA service using off-the-shelf software and cloud-native services. We will start by highlighting how and why we pursued this model: we wanted a touchless, automated, global authentication service to modernize TR security services, but realized that we could do it at a price point much lower than turnkey IDaaS providers while also retaining control and customizability not available with managed IDaaS. We will do a deep dive into our architecture: engineering a non-cloud-native COTS product to function in AWS as a cloud-ready service through containerization, multi-region availability, geo routing, autoscaling, automatic configuration recovery, and triple-redundant failover. We will highlight the technical lessons learned along the way, such as secret and config management, keeping the IdP durable on ephemeral infrastructure, bridging cloud and on-prem DNS, and tying durable datastores to ephemeral infrastructure without breaking any component of the system.

When the service launched in Dec 2018, it was estimated to save TR $1.2mm/yr in total spend compared to the systems it replaced. After its first year, actual savings were higher. We will describe the effort (or lack thereof) involved in adding new features to the base service after launch, including ID verification, app customizations, and CI/CD enhancements. We will discuss product upgrades, feature development, and promotion, all of which are simplified by the service's single, parameterized codebase.

We conclude with the business impact of this work. A year on, the staff requirements remain light: only 3 full-time engineers and 2 Ops contractors run all aspects of the service. Compared to the system it replaced, user adoption/enrollment for MFA completed in one fifth of the time. App teams started self-service integration immediately at launch, with 100+ integrations, mostly self-service, completed within the first two weeks. We will then dispel some misconceptions, such as the impact of multi-master data stores across regions, cloud vs. on-prem directories, and other design “concessions.” We will share a link to our open-source repo where all the code for this project has been published, and invite the audience to check it out, critique it, and contribute back. Then Q&A.


Alyssa Kelber
Thomson Reuters
Alyssa Kelber is an Identity Engineer at Thomson Reuters; focusing on implementing enterprise SSO & MFA services. Alyssa has the unique experience of being trained on the job as an engineer,...
Jon Lehtinen
Thomson Reuters
Jon Lehtinen specializes in both the strategy and execution of Identity & Access Management transformation in global-scale organizations like General Electric, Apollo Education Group, and...

A Crew as Nuts as You Are: Building a Local IAM User Group

Ocean’s Eleven is the story of a small group of people with a plan — and a killer soundtrack — who craft something extraordinary. It's also the blueprint for something no less ambitious: starting your own identity-focused meetup.

The ability for identity practitioners to network with their peers at a local/regional level on a periodic basis is invaluable, especially for those who do not have the means to travel to other events where such professionals gather. These local groups provide a forum for sharing technical presentations and real-world experiences that help not only the practitioner, but their employer as well.

IDPro recognizes the value of these gatherings but also knows they can be hard to organize, promote, fund, and execute. Steve "Hutch" Hutchinson is no Brad Pitt, but, using the crew from Ocean's 11, he will share the experiences and lessons learned from other professionals who have started their own such meetings. You'll learn how to gather your crew, formulate a plan, build your infrastructure, and execute on your meeting. He'll also share how IDPro is working to make that job easier.

Key Takeaways:
- The importance of a local forum with a low barrier to entry for identity professionals to gather, share their experiences, and learn about innovations in the industry
- How to build a core group of practitioners to not just manage the meetings, but also to build a program that represents the culture of the region in which the gatherings are held
- Where to find resources to make your program valuable to your members. This includes how to find speakers, where to acquire funding, and connecting with other organizations to promote your meetings

Stephen Hutchinson
GE Digital
Steve “Hutch” Hutchinson is the Principal Identity Architect for GE Digital. After cutting his teeth in C/C++ software development and network engineering, Hutch spent a decade as an...

Beyond Tooling of IAM - the Importance of Processes and People - Lessons Learned From an IAM Project

Maria Hyland
AIB
Dr. Silvia Knittl
PwC
Dr. Silvia Knittl is Senior Manager at PwC Germany in the Cyber Security domain with a strong focus on Identity & Access Governance. Her work covers digital identity strategy, roadmap and...