Webinar Recording

Legacy IAM System vs. Modern IAM Platforms - Should You Stay or Should You Go?


Log in and watch the full video!

Application and infrastructure architectures are continuously changing in order to mirror the demands and challenges of organizational needs. A common problem with legacy systems is the inability to understand and adapt to the new business models in an ever-changing world.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Register  
Subscribe to become a client
Choose a package  
Hello, good afternoon or good morning, ladies and gentlemen, welcome to this webinar legacy IAM system versus modern IAM platforms. Should you stay or should you go? This webinar is sponsored by fork the speakers today. First of all, me, but yes, Imbar I'm directory director practice. I am at cooking now will be joined by two people. I will be joined by LA. She is senior product marketing manager at, for and later on, I will be joined by Steve CTO and founder at hub city media. Before we start some very quick information about cooking a call, the obligatory housekeeping notes and, and look at our today's agenda. Then I will start with my first introductory part, not to long so that we have time for Elany and Steve, a Kohl services. We are focusing on delivering content and services on identity and access cybersecurity and artificial intelligence and various formats.
That is research that is webinars like these. We do advisory projects. We do conferences e-learning and meetups all around our areas of expertise. When we talk about research, we are looking at different types of documents. Most famous is our leadership compass, an overview on the tech market segment and where we identify leaders and help making decisions. Mainly we have executive views, short documents, really for executive C level management. We have advisory notes with more in-depth information on top hot topics on strategies on architectures. And we have the leadership brief, very condensed, two pagers covering different challenges that need immediate attention. If we look at what we do in advisory, we do strategy. We do portfolio management together with our customers. We look at technology and that projects, we do that together with our end user customers. Very important. Our, our events, most of most important is of course the EIC, our flagship event that will take place in may in Munich, the EIC 2020, the 14th edition of that.
But next week, there will be the cybersecurity leadership summit together with the cyber access summit in Berlin followed by the a impact event in Munich and very interesting. And I'm to that cyber world in February in three locations in, in Abuja, that's it for cooking a cold part. Now we come to the housekeeping notes. First of all, audio control all of our participants centrally you don't to take care of that. We are controlling these, and it's also not necessary to, to change anything. There we are recording this webinar. So the recording as a podcast will be made available, available almost properly tomorrow. And we also will provide the slide text with all the information that is presented with contact information, everything like that. Very important. There will be a questions and answers session after our three short presentations. And that is your chance to enter your questions into the discussion and we will take care of them.
So Elany, Steven me will have a look at your questions and try to answer them as good and as comprehensively as possible. So please use this opportunity to enter your questions at any time, and we will pick them up after the presentation, the agenda, as you can see for part with the fourth, of course, being the Q a session, I will start out with an introductory part, looking at IM as the necessary security infrastructure and the facilitator of a massive hybrid new it, reality Laney will then kick in with the power of digital identity at the complexities that can be addressed with a modern identity platform. So really looking in more reality view on what I presented before that, and Steve then will talk about migration strategies and the methodical approach to selecting the right approach for any given environment. So we get from the Analyst Analyst part to the more technical part to the implementation part.
So we have lots to cover today and that's it for the introduction. So without further do, I will start my short introduction into that topic. So first of all, we look at where we start, we start at yeah, where many organizations are. We are close to 2020. So there is, I am in almost any organization already in place. And it's really an important infrastructure. It's security, it's efficiency, it's administration. And if you look at the list to the left, I think you can find yourself in that again, it's traditional life cycles, provisioning, access governance. That is re-certification. If it works traditional authentication with user and password, some tokens, some VPNs, we have traditional authorization roles, roles, and roles. And we have many have started already with that. We have consumer identities whenever required, and it's somehow integrated into some into that. So these are requirements that have been raised years before and the requirements have changed.
And if you look at change requirements, then we see that what your business, what your business departments are most probably demanding of you. If you are running an I am service, they demand high flexibility. They demand high delivery speed for new digital services. Because now we are talking about business, we're talking about money, we're talking about income. We're talking about real user contact and customer contact. They are thinking of software as a service, more and more. They are thinking of course of containers and orchestration. And I know that Elany and Steve will talk about that for their platform afterwards, as well, many applications demand for an identity API. They no longer want to be actively provisioned with connectors as we did it before they really want to interact with the identity landscape directly. And of course, security and zero trust is something that demands for strong identities for reliable secure identities.
If you dig a bit deeper into that, this is the picture that co usually uses to show these three dimensions of the future of IM the core areas that we described before they won't go away. So we have IGA, we have access Federation and authorization, and many organizations already have understood that privileged access management is an important building block that needs to be provided as well, but things are evolving and they're evolving in various dimensions. They're changing in the way that application infrastructures are deployed, usually still on premises, but also in the cloud hybrid infrastructures, mixing both of the letter and serverless without even knowing where the actual instance of your services, current running and orchestrated, orchestrated new types of identities, employees, consumers, customers, partners, things, and much more things could be devices could be mobile phones could be senses, whatever you want to think of.
And this of course changes the traditional enterprise game and substantially. And we have the division of data. We are now looking at a more global approach towards access management. When we think of a more data focused security also then storage of data. So we have big data and analytics behind the course unstructured data think SharePoint, and we have operational technology with its own set of data on the factory floor. And if you look at, at the challenges that are arising here, there's lots to do that is no longer the traditional, the, the I am business that we are used to. So we really have to support the hybrid reality with identities inside and outside the, the enterprise boundaries, all types of users, data governance, not only access governance for an application will data governance, IEM for big data analytics, artificial intelligence, and machine learning. And this very important point.
We will have a look at that later managing access of everyone to potentially every system we've identified, identified for overarching trends affecting IAM. And that starts with exactly what I've mentioned before the identities and access, making sure that everybody who needs access to a service, wherever it is deployed, has this access wherever they are located, where they come from and how they authenticate. If they need access, they should have it. Of course, we've mentioned before zero trust. This is required, especially when you're outside a trusted environment. So this is very important and this is important for security, but also when it comes to requiring strong identities, APIs, and microservices, that is something that we will have a look at later when Elany and Steve do their part of course, strong support for APIs is required from applications from services, from backend services. And as we are moving towards a loosely coupled more decentralized infrastructure, we need to have, we need to make sure that microservices and container architectures are supported at the, when you stand up for cloud computing.
Finally, no slide without AI. AI requires a competent IM environment. So you have to make sure that the data that you're using is reliable for AI and AI also requires identity for itself. Think of bots. They need to be identified as well, very quickly as a block diagram, connecting everyone to every service to the left. We have the users to the right. We have some, some services as examples. So the consumers should maybe have access to a system that is actually running in a legacy application on premises. Employees want to have access to cloud services from the left bottom to the right top. So we need to make sure that they can be identified with the identity they come with. So that might be, we bring your own identity for a consumer or the traditional directory service for an employee, and they need to authenticate and authorize towards the individual applications through the appropriate protocols and systems.
And something must be in the middle that makes sure that all these works together. And that is what we consider to be this identity fabric term set of services loosely coupled well designed, combined via APIs to make sure that all these can happen and works smoothly. A bit more detail for that. You will find the same information in a more detailed manner here. So we have the users, we have the data sources where their identities are located as examples from internal IDP directory, server tools, social IDP for consumers or customers. And in the middle, we have all these components that together form the identity fabric. So we have Federation internally, internal and external, so we can make sure that we just like a Lego system. We put together the systems that we require. And we think if you think of what Steve and Laney will talk about later, these are services that might be already available in your IAM system.
So you might have an internal IDP. You might have web access management for internal applications, but to get to a more modern, more capable architecture that is future proof and allows this access from everyone to everything you might maybe need to change things you maybe need to augment additional components, maybe replace something and to get to a bigger picture, which makes sure that all these components be them legacy, be them modern and newly added work together smoothly in a set of well defined services, encapsulated APIs at the, as the entry point for all these systems and make sure that this all works together very smoothly. And then of course, we again have the target applications that might be public cloud. Private cloud might be something like an Azure ad might be something like an application that is just using existing IDP information that is already there.
So if we think back of the, of the toddler in the first slide, standing in front of that staircase and trying to solve these questions that we now raised, how can we get to a solution that is capable of solving all these problems? Then we have to make sure that we, on the one hand maintain existing services and you have an IAM that is required that might be extended. And to solve this, this twofold problem or challenge, it's not a problem. You need to make sure that on the one hand you integrate with an existing set of systems with the blue one being the legacy I am. And that might be a good starting point to at first, keep it running. But Steve, we'll talk about that later on as well. And also the legacy systems that are still in place. On the other hand, you want to have high flexibility and speed for new digital services.
As we've mentioned in the first slide on the right, right hand side, new digital services software as a service services and all this needs to be combined into a single architecture, into a single blueprint architecture. And that of course is again, this identity fabric concept that we think of. So APIs, well encapsulated services, well defined scalable services that does not mean that you don't only have one IDP might be five for different purposes. You might have different locations where you consolidate data or provide services more critical, more on premises, consumer oriented in a public cloud or serverless. So there might be scalability on various dimensions and this integration to the legacy part should take place with legacy integration capabilities. So such as fabric of course, needs to make sure that it's capable of integrating existing infrastructures. But on the other hand is also able and happy to provide APIs and an integration layer for the new digital services.
So my final slide will be a set of a few set of, of recommendations, five key recommendations when it comes to yeah, thinking identity fabric as a way to go. And the, the way that that's LA and Steve will talk about will also show a way how that could be implemented with their building blocks that they're talking about, but how do we get there? So this is not no longer the technical part. It's really, how can you get there? Because now we are really moving towards business. Now we are creating an infrastructure that is far bigger, far more important than the traditional enterprise IM. So employee-centric IM no longer enough. You need to shift your focus from running the business to changing the business because you are part of the business. When you do IAM today, that means you need of course, to gain sponsorship from those important stakeholders you have.
And that is of course still the traditional IM, but much more importantly, in gaining more importance with digital transformation teams. That is the business. Second of course go identity fabric, evaluate the concept that I just outlined before as a logical architecture. And if you can agree to that, consolidate many services to deliver the functionality that business needs, identify and prioritize your roadmap to carry on how to start, how to continue, have a long term roadmap, have a program to do that structure, the services of your future identity fabric focus on quickly implementing, missing, required functional functional capabilities. So these low hanging fruits that every project manager is talking about, identify them and do them and talk about them and understand managing access to each service for everyone is still the key success factor. And then just start doing it gradually transform. So actually execute on your roadmap and execute what you think are the first important steps while having the bigger picture in mind at one part that is of importance and usually forgotten is educate, educate everyone who's involved in these processes, be it in IM be it in the digital transformation teams, make sure that they understand the capabilities of your identity infrastructure, your fabric, and that they can request and understand the next missing building blocks that require for extending the fabric and for providing required functionalities.
And that's it for my part. I think that's a great starting point also for Laney to start over. I want to remind all of you to enter your questions for the Q and a sessions later on. There are already a few I'm happy that that's already happened, but I now want to hand over to Laney Lulay senior product marketing manager for rock Laney. Are you there?
Hi everyone. I'm Lonnie Lu senior product marketing manager here at, for rock today. I will briefly go through the current IM landscape and its limitations, as well as go over the power of digital identity and the complexities that can be addressed with the modern identity platform. And then I will wrap up and hand it off to geo or Steve who will speak to the specifics of migration. So some of the problems we've dealt with in the past are beginning to emerge. Again, I think a lot of what Matthias presented fall into the buckets you see here, siloed identities, outdated security models, limited extensibility, poor scalability, and flexibility. And lastly, privacy requirements. These are the challenges businesses are facing today, and they're struggling to address these problems with their existing legacy systems. And that's why digital business needs the power of digital identity. It provides a holistic approach towards managing identities and orchestrating access for customers, workforce and things, and helps to ensure that every person and thing has easy access to what they need and, and that their interactions are safe and secure.
The only way to leverage the power of digital ID is to have a modern IM platform and a platform that goes beyond just identity. So identity alone is not enough in order to make the right security decisions. You need an IM platform that understands relationships in the context of the user. What type of device are they using? Was it suddenly jail broken? Does a user suddenly have a different geolocation or are they just on your network at home? All of these signals matter and a modern IM platform should be able to understand these signals and relationships and use it to inform the authentication flow. So you can get the right balance between security and usability. You can't do that with a legacy IM system legacy systems had its purpose at a point in time, and it probably did a good job for its time, but how's it holding up now with a modern, I am platform. You can be agile, you can leverage context and relationships and have the ability to deploy your way.
So agility, how quickly can you or your team evolve your authentication flow. And this is important because it takes into account multiple point of views. One from a user experience, point of view, an integration point of view, as well as the, as a deployment point of view. What you see here on the right is intelligent authentication, which is a dynamic orchestration engine that removes dependency on development and code. So you can quickly design and deliver a login experience for drop provides a graphical interface that enables you to plug in play different technologies, as well as tap into intelligence and databases. So you can improve and secure the user experience. And instead of just showing you the screenshot, I'd like to show you a, a demo video. So here, what we have is a Miami beach app. And in this example, the user logs in with their username and password, but as a vendor, you may recently discovered that in user has been targeted in Aing campaign.
And in this case, you want to know if your user's account is vulnerable. A low cost solution may entail calling out to a database such as have I been pawned to check for the username and password combination and, and use that result to inform the access decision and the login flow. And you can see how the nodes here, which are decision and integration points are connected to form a logic based login flow. And you can virtually integrate any technology into this flow, such as third party, risk solutions, identity, proofing, risk assessment, and so on. All of which can be tied into this logical decision tree. So within minutes, you can edit the login flow for an app, take the username and password combo and check it against a third party service and, and use its results to inform, inform that flow. It is saved and the user has to re-log in, and it shows that their password has been compromised. And then they get a request for changing their password immediately. So this has been a big driver for our customers who live in the agile world and have compliance or step up requirements that rapidly change. The driving force really is to only introduce additional friction, such as step up authentication when a user or their device poses a risk. And you can easily design that to, to accommodate that with our intelligent authentication.
So with a modern IM platform, you can virtually integrate any technology into your access orchestration. And that includes third party risk solutions, such as strong authentication, behavioral biometrics, risk management, identity proofing, and so forth. And in the event in the event, you have a homegrown solution or require additional customization weight for draw can help you with that. So often when talking about access management, we traditionally understand it as the policy controls news to decide who has access to what under what conditions, but let's take it a step further. So if access management is the engine that drives your user experiences, then contextual relationships provide the data that helps feed that policy engine. So not only does this inform dynamic personalization to enrich the user experience, but you can also use it to secure their transactions. So here's a demo of a banking app experience.
So in this demo, we, we show a banking app protected by, for drop. We have a browser app in the background and the mobile app on the right it's the same vendor forge bank. And you have a customer coming in to interface with a bank. So in the back end, there are a variety of apps. There's a credit card app, a loan system, but from John's perspective, he gets a unified experience across all of the services he signed up for with his bank. And here you have John interacting with his bank. He can check his balance and have a look at his transactions.
And in meanwhile, in the background, we're doing continuous risk assessments. We know that he logged into his browser. Recently. We also know he is accessing it through specific channels and we can enable features like account freeze. So John lost his wallet and he's contacting support, and we can quickly freeze his credit card account since it's a low risk request. And now John he's considering paying off his credit card balance, which is another low risk requests. So we let him do that seamlessly. So as he continues to access his account from the bank's perspective, they need to continually do a risk assessment. So now John is trying to send 500 pounds to his friend, Bob.
And this is where, for example, you can configure an authorization policy to trigger step up authentication for transactions above 30 pounds. And we know he's using his iPhone mobile device. So all John needs to do is use face ID to authenticate and successfully transfer 500 pounds to Bob. And so users want seamless access to certain resources, but organizations still want to verify their identities before they access anything more sensitive. And this will also ensure that users will feel more confident in their vendor security measures. And this approach can be applied internally as well, where you have employees that need access to data to do their work, but occasionally they might need access to more sensitive data that would cause damage if exposed and all of this is achieved through digital identity, you can use the captured contextual signals of, of transactions to inform your continuous authentication and authorization in real time. And it, and it ultimately helps you to support a zero trust model.
So the last piece of complexity I want to address is deployment flexibility and scalability. Your business needs can be unpredictable. So the last thing you'll want to deal with is vendor lock in. You need flexibility in how your IM platform is deployed, whether that's continuing on with, on premises or deploying into public cloud environments, such as Amazon web services, Azure or Google cloud. And you may also need the ability to do things like hybrid deployments. The unique thing about a modern IM platform such as for drop is that no matter which deployment you choose, you get the full capability of the IAM platform. And that's where for drop is spend a lot of work in leveraging technologies like Kubernetes, to abstract out that complexity. So you can quickly deploy in an automated fashion. So here's a video I would like to share that demonstrates what we've done and how we've done it.
Time to market is critical for organizations to stay ahead of competition. That's why we built the forge rock identity platform to be cloud and DevOps ready. So you can accelerate business results at a global scale forge rock offers the fastest and most flexible multi-cloud deployment options by utilizing the power of Kubernetes technology. This means your organization can ensure optimal performance, availability, and reliability to meet customer demand. Don't struggle with complex deployments and resource limitations. You can easily deploy the forge rock identity platform with millions of identities in minutes on any cloud and Kubernetes environment using our open source forge ops projects available on GitHub with a full production ready deployment users can start interacting with your applications immediately. You can also start observing traffic via the monitoring dashboard, as well as receive alerts for important events for rock offers, a reference cloud model that is tuned for thousands of transactions per second. In less than five minutes, you can effortlessly deploy a highly available identity platform on any cloud that supports Kubernetes combined with monitoring, alerting, backup, and recovery. Your organization will be prepared to grow with global demand and tackle even the most sophisticated business challenge.
So summarize modern one is agility. You need the agility to respond to business needs and user demand. How quickly can you adopt and integrate modern protocols and methods as new technologies emerge, speed absolutely matters. You need to consider. Can you really do that with a platform that's legacy that's failing and not as flexible as newer platforms that are available today. Secondly is stability. If you have a legacy platform that's getting older and vendors are not keeping up with all the latest advances in the marketplace and in the industry, it's most likely going to be unstable. And if that's the case, can you trust your system? Can your users depend on your system? And lastly is scalability. We're all trying to grow our various organizations and businesses. Do you have a platform that can scale to meet the demands of today and tomorrow? Like whether it's the consumer side that needs to scale into the millions of users or enterprise where you might have to scale in order to address mergers and acquisitions, or you just have general growth to address whatever your reasons as a business you want that ability to scale. So going back to the title of our presentation today, should you stay or should you go, the answer really comes down to whether or not your business or organization can afford to stay with existing legacy systems as you continue to complexities. And now I would like Steve, who will dive deeper into the specifics of migration. Thank you.
Thanks. I think Matthias and Lonnie have, have really put forward a really good picture for sort of what modern identity looks like, what the capabilities are. And as a practitioner, our customers are constantly asking us, this is a great picture, you know, and unless you are starting from scratch, which many of us are not, you have an existing legacy platform that you have to deal with and how do we migrate from an existing legacy platform to a more modern deployment, to a more modern platform so that we can reap the benefits of, of everything that, that, that we've just talked about today. Ultimately it comes down to kind of two main categories, right? It's pretty obvious, same for many systems, not just exclusive to identity and access management, but we have a big bang strategy where we, you know, where we're gonna deploy a new system and, you know, and then cut over to that new system.
As soon as the new, new system's up and running, you know, that that works in some cases, in certain, in certain cases, it can work. It obviously allows you to very quickly move away from a legacy platform in some ways it's least complex, depending on the complexity of what you need to replace. So in some cases, the strategy's very simple, right? We gonna have the new system, we're gonna build it up and we're gonna cut over to it immediately. Still, there's a large application migration effort that, that you're gonna incur. Many of us are not working in a vacuum. Many of us are not using kind of a starting from fresh or, or have a simple systems to put in place. So it's gonna be a large migration effort and it is kind of high risk because once you flip the switch, there, there's a lot of things that, that could potentially go wrong.
So we only really recommend this approach for either small or simple deployments of, of legacy identity. When we go to migrate over to a, to a, to a more modern platform, what's more common is sort of a phased migration where we're going to play out the migration over time. It allows us to adapt things in a much more, you know, measured manner. We can sort of test the new system, the new functionality as we roll it out. And there, you know, as, as, as the slide indicates, there are, there are different forms of phase migration that we can, we can talk about you. There's not one way to do it. So what we've come up with is, is kind of a distillation of about three different phased migration types. And there are variations that you can come up with and combine all three of these or come up with even new ones.
But the ones we wanted to talk about today were parallel deployment. So both systems up and running and, and, and serving some primary function, but where they were actually running in parallel. And there was no deliberate kind of bidirectional data synchronization between the data stores, et cetera, but there were more or less two independent running systems. You have the new system running, running in parallel to the legacy system, but maybe there's splitting some functionality that the, the new functionality is being deployed. And the new is running on the new system, whereas the legacy platform, and then you sort of migrate over time. The next one is coexistence. Coexistence is really a, a, a more tricky approach. It's essentially the integration of the legacy and the modern system both are providing similar functionality or the same functionality so that you don't get any type of sort of user discontinuity, right?
Users basically can, can access either system. It doesn't look any different to them as far as how the, the functionality is. You know, if they're, if it's an access management deployment, they're seamlessly logging in back and forth between both scenarios, the old and the new system. So there's no point at no point in time as the user sort of inconvenience by the fact that you're actually running two systems. And the third, the third way to do the migration is augment. And in the augment scenario, it's a little bit different. It's kind of a combination of running in parallel and coexistence a bit. It allows you to augment your legacy system with functionality from the modern platform, such that, you know, you can bring new functionality quickly to the user base without having to actually shift or migrate at all. It's a way to augment the platform with modern capability without, without having to worry about a, a migration per se, but it does set the stage for a migration.
So we're gonna drill down to these each one in a little bit more detail. So in the parallel deployment, as I said, this is we're gonna deploy a new system alongside the old we're gonna get new features and capabilities only in the new platform. So if you can imagine having two provisioning systems running side by side, whereas the, you know, the, the old platform, the legacy platform is going to do some, some provisioning to some systems and the, the new platform is gonna do capabilities and, and provisioning on the old. So we're gonna migrate integrations from the legacy platform to the new platform over time. So we have two systems running. We basically take some time, some effort, and we, we can basically get the, the, the legacy platform functionality moved over to the new platform as needed over time, allows us to play that out fairly well.
So when should you use this approach? Well, if user experience is not crucial, or if it's hidden from the end user in some way, then this is a perfectly legitimate way to, to migrate over from a legacy to a modern platform, right? You know, user experience can be critical in certain situations, but in not, not necessarily in all situations, you might wanna use this approach. If the current system is not stable. So if you're doing a coexistence or you're doing an augment, you're integrating the legacy and the modern platform together. So if the, if the legacy system isn't stable or the performance isn't isn't right, then a parallel deployment may be more what you're looking for simply because simply because integration with the legacy system may cause some instability or additional instability. And then finally, if you, if you need new capabilities, but don't want to complicate the IM architecture.
So if there's, you want get onto the new system, but this concept of augmentation or coexistence just seems like it's gonna complicate things, then, then this is sort of another way for you to migrate or, or maybe a lower risk way to migrate. So if they drill down a little bit of what the architecture looks like, this is a situation where for drop is deployed next to a legacy IDM provider. So in this case, this is two provisioning systems. If you see on the top, there's some delegated administration function that's being done by partners to the, for drop system. The administrators are accessing both systems. The end users are really dealing with the legacy. IM this is a case where we've deployed for drop to, to perform delegated administration on that L D a directory indicated they're on the right. Whereas the legacy IDM system is still brewing most of the provisioning here.
So we've kind of deployed a newer, more modern platform to perform a delegated admin function that's separate and distinct from the rest of your end users. So this is a, a sort of a, what I was talking about before, about having, you know, sort of the, the, the new functionality sort of hidden from your, from the rest of your population. Now, even though this is a, this is a, a parallel deployment. You can see you, you still are able now to take functionality from the legacy platform and move it to the modern platform if you'd like. So over time, as you, as you, as you have effort and, and budget to, to allocate towards this, you can move more functionality over and eventually abandon the legacy IBM system. As far as actual client use case. This is something that we actually did. We had an insurance customer here in north America that wanted to deploy delegated admin, to partner agent communities, and they couldn't do it in their legacy IM platform.
They really needed to use, they really needed to use a more modern platform in order to get it done. So what we did for them is we deployed for drop IDM and a delegated administration customization. We deployed it in a few weeks and, and basically now they can, they can plan to replace the legacy platform over six months. But essentially this was a way we could roll out new functionality, deploying the system in parallel and not really impacting any of the user capabilities. So a, a pretty good success. The third one we're gonna drill down to, into here migration strategy we're gonna drill into is coexistent. So here, this is, this is really has to do with either a partial or a full integration of the legacy and the new platform. The focus here is to provide kind of the best user experience. And we see this more in situations where we're migrating access management.
So, you know, very, very, very common use cases. Customer has a ton of applications integrated to a legacy access management platform. They wanna migrate all those applications over, but there's no way they can do it in a short period of time. It will take months to migrate all the applications. And there, there are customers that have hundreds of applications that are integrated into a system like this. So when should you use this approach? Because it is sort of technically challenging. I think first and foremost, you've gotta use it. If you really can't compromise on the user experience, you have to have minimal disruption. If you have many applications to migrate, and it's gonna be a long time to migrate that those applications over to the new platform, not because the platform is technically challenging, but just the sheer number of applications, maybe these applications are, are business critical.
Maybe there are many applications that are run by different groups, and it requires a lot of organizational coordination. This is a perfect strategy to use in that situation, because it technically reduces the burden on the application teams. You can actually migrate the applications over at your own pace and the cost, you know, of, of performing the integration, let's say is gonna be a fraction of the overall cost of the migration, right? Getting two systems into a coexistence mode might be a small amount of the project, whereas migrating all the applications, that's where the real work is. So this diagram kind of illustrates what a coexistence migration might look like. So here on the, on the left hand side, you have the legacy and system, it might be using a reverse proxy. It might be using agents to protect applications there on the lower left. Their, their legacy and platform is integrated to a single customer directory.
So all the identities are stored in one area and here have kind of showed how we have four drop access management and for drop identity gateway, protecting a set of already migrated apps. But again, integrated to the same directory. Now, the important thing here is that bit in the middle, the session synchronization, that's really the, where the rubber meets the road in terms of the coexistence integrated integration there, essentially what this allows is it allows customers to either log into the legacy system or the modern system, and still have the same user experience. It, it, it allows them to seamlessly kind of log into either. So again, this is a, a more complicated situation to get going, but a very powerful way to migrate from legacy to modern. So here we had a, a, you know, a customer use case. We've done this a number of times, but more recently we have a large retail banking customer that once to replace a legacy IM system, they really had a unstable legacy platform, about 400 applications, all done by different development teams within the bank.
They wanted no impact end user experience. So we're actually deploying for drop am and IG to replace that legacy platform, full coexistence, and about 12 to 24 months to migrate all the application once coexistence is in place. So again, this is a, a large, fairly large migration and coexistence is more or less necessary in these, in these cases finally augment. This is a very, this, a more interesting one. It's a way for us to deploy new capabilities to an old platform, kind of spruce up the old house, you know, with some new, exciting functionality, it's a hybrid between parallel coexistence. And I think it's the fastest way to get new features and functions into your, into your identity architecture. So maybe you should use this when you really don't have an appetite to fully replace the legacy system, but you eventually wanna replace the legacy system, but really what you need is some quick wins.
You don't wanna throw good money after bad. You want some quick wins, you know, and time is essentially critical. So here I have an architecture where we have a legacy access management system where end users are accessing protected resources through a legacy system. And what we've been able to do is create flow. Let's say in legacy, am you have kind of a custom authentication flow we've can, in certain cases, we've deployed four draft access management and intelligent authentication using rest calls. So a lot of people have heard of for rock authentication trees, not many people know that they can actually perform rest services calls. So what we've been able to do here in this illustrates kind of calling out from the legacy off flow to a more modern off flow, excuse me. So that off tree flow implements the new functionality. And here in this particular client use case, we use this method to deploy multifactor authentication, enhanced authentication to a legacy platform.
Essentially the customer chose to deploy for drop am behind their legacy system to deploy MFA took just weeks to deploy this. Actually, our POC was almost less than a week where we did this and we showed the legacy platform actually calling out the, for drop for these more interesting multifactor integrations. And we could extend this to do many other things, even things like risk analysis and things like that on the inbound connection added, added the ability for us to add many other features and set the stage for eventual migration. So this is kind of a very kind of interesting use case and tool that we've been able to apply. So where do we go for here? I mean, there are some things beyond architecture you have to consider, excuse me, please plan ahead of your migration. You obviously need to, to do a fair amount of planning.
You need to decide which migration strategy best fits your use cases and how, and your, and your eventual goals engage in the experts. You know, we, there, there, we've probably done this before, so you do not, you don't have to do this. It's not the first time that you have to run through this. There are a lot of people with expertise, so please engage experts to do this. We, we can certainly help you and request a pilot. A lot of times we can implement this type of functionality, show you how it can be done so that you're, you're not out there. Kind of wondering if it's, if it's something you can do. So with that, I'll turn it back over to Matthias.
Thank you very much, Steve and Laney. That was very interesting to hear. Thank you very much. I hope we are all on unmuted now, and we have a set of questions here, but before we start again, the reminder, there's still a chance to add your questions. Now we have a good set already, but there is room for one or two more. So please provide you questions. Okay. First of all, I start in the, in the opposite direction with the questions, because some are very technically focused on what Steve just prepare presented versus a very detailed question regarding the, the session sync that you mentioned, I think in the second use case. So session sync, how was that accomplished? Is this, is this a standardized mechanism? Is this proprietary? How do you achieve that?
So it's a customization that you have to do, but what we try to do is leverage APIs and STKs in the legacy platform. So in, in this case, we've done it with, for rock. We've done it with lots of other platforms too, because this kind of access migration is, is fairly common. It's been going on for a long time. We've seen a few of these in our, in our 20 years. So it's, it's, you know, it is a customization, but we always try to leverage out of the box APIs or SDKs in order to synchronize a session. So when you, you know, if you can imagine you log to one system, you not only, you kind of intercept that login or you log in for the legacy system, and then you use the APIs of the other system to essentially log the person in to the other system. So you create a session on the other side, some of this can even be done. If you protect one system with the other, you sort of log in and provide a token to the, to the, to the other system. And then you sort of log in through natural mechanisms. So it is a customization, but we, you know, we always use out of the box kind of customizations or, or extension points to do it.
Okay, great. Thank you. Second, very technical question. Then we are done with technical ones. There was the, an Addapp sync from ad in this parallel example, how was that achieved? The syncing, the new L up from ad.
Yeah, so, so what that represented in that diagram is a, a set of operations that were separate. So what we were doing is we, we had both systems connected to the LDAP where we were, you know, both the legacy platform and the new platform were Mon were managing users in LDAP. It's just, they were managing a separate user population. So the legacy system primarily was, was being used to manage internal employees. Whereas the, the for drop system was being used to manage kind of partner accounts. So even though we had two systems, actively provisioning and deprovisioning to single LDAP, they were actually just operating on two separate user populations. So it wasn't so much a sync as it was. We were performing different operations on different populations and within the same.
Okay, great. Thank you. Very quick question. Very quick answer. Yes. Slides and recordings of the presentation will be made available tomorrow on the landing page for this event. That was one question. So make sure that the material can, is handed over also to the, to the attendees. One question, maybe you've mentioned the augment model, how difficult is it to then actually migrate away? And once you have augmented and build additional functionalities to an existing platform to, to make the final step to move away, how difficult is that from your experience? I mean, I don't know, maybe you want to provide pic or Steve.
Yeah. I can jump in and maybe Lonnie can, can cover a, the, you know, the, the definitely sets up the stage. I mean, at the very minimum, you have both platforms in the, in the system up and running really kind of depends on other factors. How many applications do you have? How many, how, how many integrations do you have in the legacy platform? That'll determine the complexity, but at the very minimum, you've kind of gone the first step, which is having the other system in place. So in terms of setting the stage, I think that's, that's definitely kind of a perfect kind of beginning or a perfect opener to a coexistence migration. If you don't have a lot of applications, you may just sort of migrate app, you know, legacy over, in which case, then it kind of turns into a parallel deployment with this extra augmentation feature. So it's kind of your choice.
Okay. Thank you, Annie. Anything to add from your side? No, I think that's good. Okay, perfect. Then, then next one, decentralization, do you consider this as an important goal for future IM solutions? So I've mentioned that in my first part as well. So this, this decentralizing orchestrating, how important is that also for, for, for stroke and for future strategies who wants to jump in?
Well, I, you know, in terms of access, we're seeing much more decentralization things like Federation, social login, those kind of things. I mean, that's, you know, decentralizing the, the, the identity provider functionality is kind of very key in a lot of areas. We're certainly seeing that, you know, there's definitely a lot more, you know, identity being beyond the walls of the enterprise, you know, certainly in terms of customer situation, but we're seeing it even more where people wanna delegate, you know, who can actually log in the system. I mean, maybe not necessarily in the enterprise use case, but if you have customers, you know, being able to let them choose their identity provider has, has always been attractive, but we're seeing it more and more because it reduces friction to onboard customers as well. Right. And if I, if I have a Google account and you're offering me login to my application or to you're, you know, to the application I wanna use using Google, I might, I might just, you know, it might be easier for me to do that than have to go through the whole account creation process. I think that one's very obvious win for decentralization in terms of provisioning. I, I think, you know, there, there's lots of even enterprise use cases where provisioning functions are being, are being distributed throughout the organization, but it's definitely, definitely, definitely. I see it more on the, on the access side, but, you know, decentralization seems to speed up things and as long as it's sort of orchestrated correctly,
Okay, so we have lots of questions, but only two minutes left. I pick out one, maybe one again, when it comes to, to proving success, which legacy technologies without finger pointing, do you have the expertise to migrate from some? So what, what has been rolled out being replaced with solution that you provide
As far as, as far as our expertise, it's all over the map. I mean, there, there are, you know, there, you know, I'll, I'll let the, I'll let, I'll let the, the audience kind of think about, you know, the different vendors that, you know, could, could kind of fall into a legacy, you know, into a legacy category. But, you know, all of those platforms are targets for migration and we've migrated quite a few of them over, you know, in, in the old days, the, the sort of legacy platforms kind of ruled the world. But at this, at this stage, many have not been receiving kind of continual investment. They're missing the boat, I guess, on trends as Lonnie showed, you know, kind of containerization as a big one, we're deploying lots of systems now, containerized, you know, legacy platforms typically don't have that as a feature. We're seeing legacy platforms not implement more modern authentication authorization protocols, O I D C you know, even Uma other protocols that are, are more modern. You know, those, if you've got a platform that looks like that, you've got a legacy one and pretty much we've migrated many of those legacy platforms over to, to modern, to more modern platforms. So I'll, I'll leave it up to the listeners imagination, I guess.
Okay, great. Thank you. We have more questions and I would, I would like to hand them over to Steve and so that you can get back to the, to the, to the, to the people who ask the questions. There's one that is a large one that I did not want to pick up because it's so huge, but I would like to pick it up offline after the webinars about what requirements does big data, AI and ML for upon an IAM system. And that has various different aspects, which are very interesting to discuss, but go beyond the Q and a session of such a webinar. But we have hand over the questions to Steve and Nannie as well, so she can get back. They can get back to you to the, or to the attendees. And if there are further questions, please get in touch with the speakers of that webinar today, the contact information will be in the slides, and I think it will be on the landing page where you can download the recording and the, and the slides for today. We are over 60 minutes now. So it's time for me to do the final round of famous last words, any do, what do you want to, to have the audience remember of this session today?
Well, just agility, you know, scalability, stability, those things matter to you. It's time to modernize. Thank you everyone for attending. Please reach out to me or Steve. Our emails are going to be in the deck. If you have any further questions, please feel free to reach out Steve.
Yeah, I'll just echo the thanks. Extremely interesting and, and complex topic, hard to cover in an hour, but definitely a rich, rich area. There's a lot to talk about. Look forward to seeing more of your questions. And again, thank you very much. I think we can certainly all agree modern is where we want to be. So it's hard to understand exactly how to get there, but you know, you're not alone it's been done before so we can help.
Great. So thank you very much, Steven, N for, for participating and for contributing to that interesting webinar. I want to close down this webinar. I want to thank all the attendees for providing the questions for taking part in this webinar. I'm looking forward to having you in one of our future webinars. And if you have the chance and you are in Europe or even Germany, I would love to talk to you next week at security leadership summit in Berlin. So thank you very much for contributing. Thank you for attending and that's it for today. Bye bye.