Identity Access Management (IAM) is a very complex aspect of IT. Finding someone that really understands it is a challenge. I have found one of those guys.
Corbin Links is an expert in the implementation of various forms of access management systems – commonly called Single Sign On by those of us that need to simplify. He is the author of a trilogy of books entitled “IAM Success Tips Volume 1-3”.
Corbin has gotten involved with load testing because his projects for large enterprises often require his team to ensure the performance of IAM. We at LoadStorm are fortunate to have Corbin as a user of our load testing tool, and he has been a delightful customer. Recently, he asked if I would come on his podcast to share some thoughts about performance testing relative to IAM.
Below is a summary of our interview, which Corbin calls “Stressing Out Your Access Management System.”
Stress Testing for IAM
Many times IAM implementations sidestep stress testing because of inadequate resources or skills. Any enterprise will have 3-4 environments of IAM at a minimum, and that necessitates much more testing. Usually there will be both internal and public facing environments. Provisioning an IAM system will typically take dozens of tests and tuning cycles.
Two of the biggest challenges to stress testing an access management system are budget and time. It is common to skip load testing because it comes at the end of a project that is already over budget anyway. If the funding issue doesn’t get you, then having someone available to actually build and run the tests might.
Corbin has been on projects that took 2 months just to install a big tool like LoadRunner and get the scripts created. Cost and staffing for LoadRunner were enormous drains on the project. He told me that IAM involves big heavy enterprise infrastructure that can run well into the millions of dollars. So, the erroneous perception of the CTO was that the load testing tool should be extremely expensive too. Corbin is changing that paradigm and saving his customers hundreds of thousands of dollars.
IAM Demands MORE Stress Testing
Corbin believes stress testing must happen at a minimum of 2 points in the cycle. It should be moved up into the development and debug stage, and tests also need to be run during the certification stage.
IAM implementers must be ready with a long term tool and staffing strategy so they don’t have to go back to purchasing for more test runs later. He emphasizes that SaaS models are very beneficial because of the speed and simplicity of the testing. He also advocates purchasing subscriptions with unlimited test runs as far superior to paying by the test.
Subsequent releases or configuration changes can hurt your performance, so enterprise systems need more regular testing. In access management especially, there are thousands of parameters that define what happens in a transaction through authentication and access rules. If you change one of those, the entire system has changed and must be tested again.
Since the application rules are evaluated dynamically, and those rules determine the path from one point of the application to another, it is important to have the ability to re-test constantly with confidence. He also emphasizes that HTTP versus HTTPS is a big deal in IAM implementation. You must test both of them thoroughly and independently. Secured transactions such as credentialing incur a lot of overhead, and they must be performance tested with care.
Corbin recommends a fixed price stress testing tool to eliminate the hassle and worry about the cost of extra test runs – which are almost guaranteed to occur. In his experience, access management systems may need to run stress tests maybe 5-10 times a day. No one has time to continually set it all up again. Worse, there are so many meetings in an enterprise setting that have to be called to get testing done again.
The Importance of Good Performance in IAM
Response times are crucial in access management systems. Both B2C external pools and large internal user pools must be considered in stress test coverage. Internal users will be more patient on a corporate portal because they must use the systems to do their job. However, in a B2C model the external users will not wait.
Implementers of IAM need to ensure that users will not have to wait because slower performance results in lost customers. See this blog post entitled Web Performance Tuning = 10% Profit for the facts about how 7-12% revenue is lost by making people wait.
This is a great cost justification for load testing. In most of Corbin’s access management system implementations, stress testing is viewed as a cost center issue. If you have these statistics about revenue and performance, it will help you get further up the food chain to fund the testing needed to guarantee IAM will perform as well as it can.
He points out that there is incentive on the internal portal too. Many times companies don’t understand the value of IAM. If people start to wait for it, they will circumvent the access management system. Offline systems like spreadsheets and ad hoc document storage will become popular. If the system doesn’t work quickly, users will get creative to not use it.
Unique Requirements of IAM
Enterprise grade access management tools sometimes use front end login pages that are comprised of an insane number of objects: many tiny pieces of JavaScript and many images. Corbin has seen one IAM tool that had over 100 nested CSS stylesheets for a login page.
Authentication checks on all of those objects create security overhead that is in addition to the normal requests of a web page! This extra processing poses challenges that most load testers haven’t encountered in other web applications. Corbin emphasizes the need to optimize these processes because they can kill performance, which will in turn kill adoption of the access management system.
Extensive re-directs are common in access management systems. Front-end processes capture data about a user, and then the system must make a decision about that user before allowing the request to be serviced by the web application. Corbin has used many load testing tools that can’t handle multiple re-directs. It is very important to test for that in IAM.
Access management implementers are usually over-tasked, and they aren’t load testing experts. So what should they focus on for quick certification? Hammer on the front door. Focus on the login process. It’s important to stress test with a file of many unique users and create a scenario that goes through a successful authentication. You need a heavy volume of concurrent users getting logged in, so find the peak number of users in your situation, such as 8:00am, and add about 25-50% more users. Then run a load test at that higher peak volume to ensure you can have faith in the performance of your system.
Because access management utilizes methods such as sticky sessions and secure session cookies, you must test with many different users in the scenarios.
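The login-path test described above, as an added example that is not part of the original post and not LoadStorm’s or any IAM product’s code: a hypothetical mock access-management front door (a redirect chain in front of the login form, an `SSOSESSION` cookie on success, a landing page that requires it) and a small load driver that gives every virtual user its own credentials, connection and cookie jar, follows the redirects by hand so the hop count is visible, and sizes concurrency as observed peak plus 25-50% headroom. The user list, paths and cookie name are all constructed for the example; the mock runs over plain HTTP, so the `Secure` flag it sets is shown but not enforced, which is exactly why the HTTPS path has to be tested separately against the real system.

```python
import http.client
import http.cookies
import math
import secrets
import statistics
import threading
import time
import urllib.parse
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed credential file; a real run loads many unique accounts from disk.
USERS = [(f"user{i:04d}", f"pw-{i:04d}") for i in range(200)]
_CREDENTIALS = dict(USERS)
# Hypothetical redirect chain in front of the login form (common in real front doors).
CHAIN = {"/app": "/sso/start", "/sso/start": "/sso/login"}


class MockIamHandler(BaseHTTPRequestHandler):
    """Hypothetical IAM front door (not any real product): redirect chain to the
    form, SSOSESSION cookie on a good POST, /app/home served only with that cookie."""
    sessions, lock = {}, threading.Lock()

    def log_message(self, *args):  # keep the load run quiet
        pass

    def _reply(self, status, text="", headers=()):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(text.encode())

    def do_GET(self):
        if self.path in CHAIN:
            self._reply(302, headers=[("Location", CHAIN[self.path])])
        elif self.path == "/sso/login":
            self._reply(200, "login form")
        elif self.path == "/app/home":
            jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
            with self.lock:
                user = self.sessions.get(jar["SSOSESSION"].value) if "SSOSESSION" in jar else None
            status, text = (200, f"welcome {user}") if user else (401, "no session")
            self._reply(status, text)
        else:
            self._reply(404, "not found")

    def do_POST(self):
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        user, pw = form.get("user", [""])[0], form.get("password", [""])[0]
        if self.path == "/sso/login" and _CREDENTIALS.get(user) == pw:
            token = secrets.token_hex(16)
            with self.lock:
                self.sessions[token] = user
            # Production sets Secure/HttpOnly; this mock runs over plain HTTP, so the
            # client below stores the cookie without enforcing those attributes.
            self._reply(302, headers=[("Location", "/app/home"),
                                      ("Set-Cookie", f"SSOSESSION={token}; HttpOnly; Secure; SameSite=Lax")])
        else:
            self._reply(401, "bad credentials")


def request(conn, method, path, jar, body=None, headers=None, max_hops=5):
    """One request, following 3xx hops by hand and carrying cookies across them,
    so the hop count is visible. Returns (final response, hops followed)."""
    hops = 0
    while True:
        hdrs = dict(headers or {})
        if jar:
            hdrs["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
        conn.request(method, path, body=body, headers=hdrs)
        resp = conn.getresponse()
        resp.read()
        for raw in resp.headers.get_all("Set-Cookie") or []:
            name, _, value = raw.split(";", 1)[0].partition("=")
            jar[name.strip()] = value.strip()
        if resp.status not in (301, 302, 303, 307, 308) or hops >= max_hops:
            return resp, hops
        path, method, body, headers, hops = resp.getheader("Location"), "GET", None, None, hops + 1


def login_once(host, port, user, password):
    """One virtual user: protected URL, redirect chain, credential POST, landing page.
    Own connection and cookie jar per user, so sticky sessions and the session
    cookie are exercised per user rather than shared across the whole run."""
    conn, jar, t0 = http.client.HTTPConnection(host, port, timeout=5), {}, time.perf_counter()
    try:
        _, hops_in = request(conn, "GET", "/app", jar)
        resp, hops_out = request(conn, "POST", "/sso/login", jar,
                                 body=urllib.parse.urlencode({"user": user, "password": password}),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    finally:
        conn.close()
    return {"user": user, "status": resp.status, "session": jar.get("SSOSESSION"),
            "redirects": hops_in + hops_out, "seconds": time.perf_counter() - t0}


def target_concurrency(peak_users, headroom_pct):
    """The post's rule of thumb: observed peak (e.g. the 8:00am wave) plus 25-50% headroom."""
    return math.ceil(peak_users * (1 + headroom_pct / 100))


def run_load(host, port, users, concurrency):
    """Log every user in with `concurrency` virtual users in flight; report successful
    logins, distinct sessions issued, deepest redirect chain seen and p95 latency."""
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        results = list(pool.map(lambda u: login_once(host, port, *u), users))
    ok = [r for r in results if r["status"] == 200 and r["session"]]
    secs = [r["seconds"] for r in results]
    p95 = statistics.quantiles(secs, n=20)[18] if len(secs) > 1 else secs[0]
    return {"attempts": len(results), "logins": len(ok),
            "unique_sessions": len({r["session"] for r in ok}),
            "max_redirects": max(r["redirects"] for r in results),
            "p95_ms": round(p95 * 1000, 1)}


def start_mock_iam():
    """Serve the mock on a free loopback port; the caller calls server.shutdown()."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockIamHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_mock_iam()
    try:
        print(run_load("127.0.0.1", port, USERS, target_concurrency(20, 50)))
    finally:
        server.shutdown()
```

The summary is what a quick certification run should check: every attempt logged in, `unique_sessions` equals `logins` (no two virtual users were handed the same session, which is what shared cookie jars or a misconfigured sticky-session layer would produce), the redirect depth matches what the front door is known to do, and the p95 of the full login journey stays within the response-time target for the user pool being tested.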
Gracious Host
Corbin asked me about the upcoming enhancements to LoadStorm. So I shared a few of those in the podcast – proxy recorder for scenario building, extra reporting data, scale up to 500,000 users, server-side monitoring during tests, and controlling geographic sources of traffic.
I thoroughly enjoyed the podcast interview, and I have had a great time working with Corbin on projects for his enterprise clients. I look forward to our next chance to work together.
Please check out the Identity Access Management Success Podcast with Corbin Links on iTunes.
Important resources mentioned on the show
* IAM Success Audio – Collectors Edition – http://bit.ly/iamcollectors
* Loadstorm.com – http://www.loadstorm.com
* Corbin Links on Twitter – http://www.twitter.com/corbinlinks
* Corbin Links’ new web contact page: http://www.corbinlinks.com
* Corbin Links on LinkedIn – http://www.linkedin.com/in/corbinlinks
* Comprehensive article on how to stress test an Access Management System – http://bit.ly/namstorming