Understand Web Access Management—Then Move On

Figuring out how to secure users’ connections to applications is an age-old challenge that has developed alongside the digital transformation of the enterprise. Traditionally, businesses have addressed it with complex access control systems, many of which were built around web access management (WAM), also known as on-premises single sign-on (SSO).

WAM is a holdover from an earlier generation of identity management. Like the other legacy identity solutions that enterprises are outgrowing, such as Active Directory (AD), it is an inflexible approach to managing user access that was never designed to meet the demands of hybrid cloud adoption. As early-stage identity solutions reach the limits of their capabilities, companies need to adopt modern identity and access management (IAM) solutions that have security and user experience at their core.

Let’s define web access management

WAM first appeared in the late 1990s as the internet took off. It controls access to web resources through authentication management, policy-based authorisation and, in some cases, SSO. Early WAM products let a user authenticate once and then carry that authenticated session across multiple web applications without logging in again; what is shared between the applications is the session (typically a domain-scoped cookie), not the user’s credentials themselves. Products in this space include SSO and access servers such as CA SiteMinder, Oracle Access Manager (OAM), IBM Tivoli Access Manager, PingAccess and Active Directory Federation Services (ADFS), backed by Lightweight Directory Access Protocol (LDAP) directories such as those from Oracle and Novell.

As an on-prem system, WAM is made up of multiple server components: a policy server that makes access decisions, agents or plug-ins on each web server or reverse proxy that enforce those decisions, and user and policy stores (usually an LDAP directory), all surrounded by the network tooling needed to secure them, including firewalls, load balancers, network segmentation, middleware and database servers. It performs two key identity operations:

  • Authentication: Confirming that a given user is who they claim to be.
  • Authorisation: Confirming that the authenticated user has permission to access a specific web page or application resource.

Once a user has passed both checks, the WAM system issues the user’s browser a temporary session token, typically a domain-scoped cookie, which the agents protecting each resource validate against the policy server on subsequent requests so the user is not prompted to log in again. The outcome of every access request can be recorded for auditing, for example to determine when a user last logged in or whether they have attempted to reach sensitive or protected resources.

Where WAM fails in the current identity landscape

As technology has evolved, companies have adopted services that secure user access regardless of context, network and location. These changes have challenged the WAM security model, which assumes a private network perimeter, cannot be updated quickly enough to support new systems and does not deliver cost-effective security. In response, WAM providers have stopped investing in new features and focus solely on product support, making WAM an inflexible solution in an era of constant innovation.

Besides being unable to address the threats facing modern enterprises, WAM systems have become increasingly expensive to maintain, exposing organisations to a number of risks:

  • Wasted developer time: Keeping an identity provider and WAM interoperating while satisfying network architecture requirements slows down the launch of new apps.
  • Security vulnerabilities: WAM’s lack of support for newer authentication technologies and modern federation protocols can leave enterprises and their customers exposed to breaches.
  • Compatibility: WAM lacks native integration with cloud applications and platforms such as Amazon Web Services (AWS), Salesforce, Slack and Office 365, fragmenting the enterprise’s access landscape.
  • Compromised customer engagement: WAM prevents businesses from using the modern marketing and analytics tools that would give them full control of their data.

On top of these limitations, WAM vendors have not developed a viable strategy for moving WAM to the cloud. As enterprises continue their transition to hybrid or fully cloud-based environments, this makes the usage of WAM unsustainable.

You don’t have to be stuck with WAM

Businesses can address WAM’s limitations by replacing it with integrated IAM solutions like Okta’s Identity Cloud. These more modern solutions—also known as identity as a service (IDaaS) providers—can securely connect users to any web application, regardless of location and architecture. They can be used as centralised solutions to secure cloud and mobile apps, as well as traditional on-prem apps previously protected by WAM.

Okta’s platform delivers multiple features beyond typical WAM solutions that improve security and extend IAM to new use cases, including:

  • Automating user onboarding and offboarding
  • Consolidating AD domains and reducing a company’s AD footprint
  • Meeting compliance requirements
  • Providing secure access to VPNs and network applications

Modern IAM can coexist with WAM solutions or serve as the single solution for all apps, and its benefits are many. First, Okta’s IAM solutions provide a single access platform for all resources across devices, locations and infrastructure. Second, they do not change how your on-prem applications currently operate. Lastly, they let your organisation grow into an agile, cloud-based entity at its own pace.

To enhance their infrastructure and keep pace with cloud adoption, modern enterprises need to retire antiquated identity solutions. With a comprehensive IAM solution they can overcome the limitations of WAM and give users effective access to their systems.

For more information on how to modernise your identity stack with Okta, download our WAM Modernisation and Migration Guide.