Web access management (WAM) is a form of access management that authorizes users for web applications. Prevalent in the 1990s and 2000s as web applications became more mainstream, WAM solutions provided enterprises much needed control to ensure that the appropriate users had access to the right web-based applications. However, with the rise of APIs, mobile and cloud-based applications, WAM solutions are becoming less able to handle modern enterprise business demands.
A look at legacy WAM
A common legacy WAM deployment architecture would control application access by deploying agents (small software packages or plugins) on each web server, so that the agents can communicate back to centralized policy servers to enforce access control.
This deployment approach was designed to secure web resources hosted on-premises in enterprise data centers. In these environments, you could install and upgrade agents on server resources that you controlled, and the network traffic between agents and centralized policy servers also occurred on local networks you controlled.
Why is legacy WAM less relevant today?
Legacy WAM products born in the 1990s and 2000s have largely failed to keep up with modern business requirements and have been lacking in innovation. During this time, modern access management solutions were developed to specifically address the rise of APIs, mobile and cloud. Because WAM came from a different era and was built to solve different types of problems, it's not best suited to solve modern access issues. In the cases where a legacy WAM solution is functionally able to provide a solution, the end result is typically fragile and expensive.
This is due to where WAM is in its product lifecycle. Current WAM solutions that can be purchased today are typically just upgraded and patched, without new product releases. Some of the most well known solutions even have official end of life dates, forcing enterprises who use those solutions to seek out modern vendors.
The evolution of WAM
The original WAM solutions were built when smartphones didn't exist and the vast majority of enterprise IT infrastructure resided on-premises. Why does this matter? Because security concerns were quite different at that time. Internet connections were slower, employees didn't work from their mobile phones and work was typically done at an office within a secured network perimeter.
But as Internet bandwidth and connectivity improves, mobile phones are used everywhere and employee applications reside in the cloud, the "office" can now mean a coffee shop, your home or even an airplane. During this shift, the traditional model of network perimeter-based security became less relevant.
While legacy WAM products were designed during the days of network perimeter-based security, modern access management solutions have been designed in the age of mobile, cloud and identity-driven security.
What is modern access management?
The legacy WAM approach encounters limitations when you don't have the same control over remote cloud-based apps, mobile apps or APIs. Modern access management solutions control access to all these different apps and APIs by supporting agent-based and proxy-based deployment models. A proxy-based model alleviates the need for installing agents on each server, and instead routes all access requests through a centralized server that leverages standard communication protocols like HTTP or HTTPS.
This option provides additional flexibility for situations specific to an enterprise's current and future needs.
Modern access management also support and integrate with other complementary identity and access management (IAM) capabilities. As identity-driven security grows in importance, modern access management solutions integrate seamlessly with advanced multi-factor authentication (MFA) and single sign-on (SSO) solutions. Today's modern access management solution provides authorization for a user to access a wide range of on-premises and cloud-based apps and services, while MFA and SSO provide secure authentication to ensure users are who they say they are. Modern solutions are also becoming increasingly intelligent and can use a variety of criteria to determine whether or not to grant access to a user.
Moving to modern access management
The rapid improvements in technology have enabled a new breed of modern access management solutions, and also dictated the need for a successor to legacy WAM. Some WAM products already have official end-of-life dates while others continue to operate on a patch-and-fix model. On the other hand, modern access management solutions continue to innovate and make use of new technologies, such as GPS on mobile devices to provide context-based access policies.
Enterprises have an increasingly diverse portfolio of applications spanning SaaS, public cloud, private cloud and on-premises software. Modern access management solutions are designed to be flexible to handle these diverse portfolios and future business growth. In the end, this provides an improved user experience, improved security and a more scalable solution than legacy WAM. To learn more about how about how enterprises can benefit from modern access management, check out Gartner's 2017 Magic Quadrant on Access Management.