Build Your Own IDaaS: Lessons from Year One

  • TYPE: Session | DATE: Tuesday, May 12, 2020 | TIME: 14:20-14:40

Build or buy? Do we have the staff, talent, & budget to operate a new security service if we decide to build? In this talk, Alyssa Kelber & Jon Lehtinen deconstruct the myth that you need large teams & expensive software to run cloud-native Identity-as-a-Service platforms for your enterprise. They will share their experience building their own at Thomson Reuters using commercial off-the-shelf software, containerization, and native cloud services, as well as the lessons learned, business impact & cost savings over the year since the service’s launch.

Key takeaways:

Objective 1: Understand the LOE & benefits of building a sustainable IAM service using infra-as-code & devops, namely that the total cost of ownership of running commercial off-the-shelf software in a containerized, cloud-native fashion provides IDaaS-like functionality at a lower price point than turnkey IDaaS solutions.

Objective 2: Learn how to improve adoption rates for identity services & reduce friction through superior UX.

Objective 3: Grow confident that the skills to build IDaaS aren’t as specialized as one might think. The 3 engineers involved in this project had minimal cloud, container, and devops skills at project start, yet successfully designed and launched the system in a year, and have successfully iterated upon it for more than a year since it launched to production.


The presentation highlights how simple & cost-effective designing, building, & implementing a cloud-native IDaaS solution can be. It tells the story of how 2 engineers w/ modest AWS exposure were able to design, build, run, and iterate upon TR’s new enterprise SSO/MFA service using off-the-shelf software and cloud-native services. We will start by highlighting how & why we pursued this model: we wanted a touchless, automated, global authentication service to modernize TR security services, and realized that we could build it at a price point much lower than turnkey IDaaS providers while retaining control & customizability not available w/ managed IDaaS. We will do a deep dive into our architecture: engineering a non-cloud-native COTS product to function in AWS as a cloud-ready service through containerization, multi-region availability, geo routing, autoscaling, automatic configuration recovery, and triple-redundant failover. We will highlight the technical lessons learned along the way, such as secret & config management, keeping the IdP durable on ephemeral infrastructure, bridging cloud & on-prem DNS, and tying durable datastores to ephemeral infrastructure without breaking any component of the system.

When the service launched in Dec 2018, it was estimated to save TR $1.2mm/yr in total spend compared to the systems it replaced. After its first year, actual savings were higher. We will describe the effort (or lack thereof) involved in adding new features to the base service post-launch, including ID verification, app customizations, & CI/CD enhancements. We will discuss product upgrades, feature development and promotion, all of which are simplified by its single, parameterized codebase.

Concluding w/ the business impacts of this work: a year on, the staff requirements remain light - only 3 full-time engineers & 2 Ops contractors run all aspects of the service. Compared to the services it replaced, user adoption/enrollment for MFA completed in 1/5th of the time the previous system took. App teams started self-service integrating immediately at launch, w/ 100+ integrations, mostly self-service, completed within the first two weeks. We will then dispel some misconceptions, such as the impact of multi-master data stores across regions, cloud v. on-prem directories, & other design “concessions.” We will share a link to our open-source repo where all the code for this project has been shared & invite the audience to check it out, critique, & contribute back. Then Q&A.

Speakers:

Alyssa Kelber is an Identity Engineer at Thomson Reuters, focusing on implementing enterprise SSO & MFA services. Alyssa has the unique experience of being trained on the job as an engineer, coming from a technical program management background. Alyssa is specifically interested in assisting...

Jon Lehtinen specializes in both the strategy and execution of Identity & Access Management transformation in global-scale organizations like General Electric, Apollo Education Group, and Thomson Reuters. He works to deliver Identity solutions that provide the bedrock for information...


Virtual Event: Identity Fabrics & the Future of Identity Management, May 12, 2020 09:00 - 15:00