Skip to main content

Identity and Access Management seeks its real identity

This article was originally published on Technology.Info.
As part of our continuing strategy for growth, ITProPortal has joined forces with Technology.Info to help us bring you the very best coverage we possibly can.

The Gartner Identity and Access Management (IAM) summit took place in London on March 17th and 18th 2014 with this year's event bringing together a large community of analysts, technology partners and customers to consider the state of the industry and the challenges ahead. Topics ranged from those catering for the traditional demands to discuss IAM programme management and best practice routes to ROI, through to a meeting of minds around the dynamic ‘Nexus of Forces’ (Cloud, Mobile, Big Data and Business Socialisation) and how IAM solutions need to adapt to meet changing demand.

The Gartner IAM summit isn’t just another industry event for us but a real landmark in our calendar. It’s here that we get the chance to take stock of the industry around us, validate some of our thinking and/or set our minds to how we had better adapt our approach to meet the moving targets our customers set.

For those who didn't get the chance to go, a few observations from this year's IAM summit:

IAM seeks its real identity

Ironically, the IAM industry has often lacked a sense of an identity. Just what problem is IAM trying to solve? Security? Compliance? Cost saving and business efficiency? All of the above? And just what does define an IAM solution? Do customers need enterprise grade IAM suites for cradle-to-grave user lifecycle management, or point solutions to deliver control or keep out the bad guys?
A quick tour of the sponsor showcase floor is probably as good as any method you can get for taking a quick snapshot of how vendors are lining themselves up to market solution portfolios against the most pressing concerns of the enterprise budget holder. This year's event wasn't lacking in quality or quantity of offerings from those present, but it remains difficult to isolate a common clarity of vision across the field of suppliers from strong authentication providers, privileged identity management vendors, GRC tool and major suite providers.
What is clear however is that customers are going to need help identifying and integrating best-of-breed technology into their delivery models be they cloud or on-premise, and they are going to have to find a way to do this without becoming locked in to dependencies on individual components in what is a still maturing IAM market.

There is more effort needed for IAM to win over the business

We haven't been alone in being confident to send out the message that with IAM, IT Security can get closer to the holy grail - becoming a business enabler rather than continuing its life as the unloved inhibitor to user efficiency that it sometimes seems.
This has been well borne out as increasing year-on-year we have seen with customer projects which leverage IAM to deliver new portals and services to customers and employees alike. Some realism is still need here however.
Were the sessions on IAM stakeholder management at this year's summit more sparsely attended or had the topics discussed in these sessions moved on significantly from previous years? Possibly not, but there are few misconceptions in IAM as to the moving nature of focus for CISOs and business leaders - and most of the developments in the industry are lining up to be fully on track with enabling that full IT vision.

Standards are sticking

IAM certainly isn't the only corner of the IT industry where the battle between the best intentioned open and standards based frameworks versus the necessary 'evil' of proprietary based solutions has been fought. It's been an attritional battle at times, and looking back over the journey it's interesting to compare the hype of the past versus the reality of today.
So where are we now?
SAML adoption is well underway, OAuth and OpenID Connect bring together a few loose ends and, though it is early days (in standards adoption terms at least), SCIM is showing strong potential. How close are we really to a point of standards maturity and convergence though? A look at almost any real world IAM implementation today will tell you that we are not there yet. Legacy dinosaurs and 'interesting' workaround sticky-tape solutions may lurk around any corner of course but the presence of readily exploitable interfaces cannot be guaranteed in all SaaS offerings.
Trends are being observed however and identity focussed standards are becoming more productised. This gives us good reason to be optimistic that future IAM challenges will continue to be more around the what than the how.

Keeping the bad guys out shouldn’t impact the good guys too

For some time analysts have also been promoting the idea of "People Centric Security" (PCS). Here the notion of 'least privilege' security is turned on its head to follow the thinking that "everything that isn't forbidden is allowed". This may be enough to strike fear into the heart of any security administrator or product owner who has accountability for a high value asset, but the advice of course is to take a pragmatic approach.
Analysts stress that PCS presents an opportunity to cut bureaucracy and costs while increasing staff morale and agility. Its all about finding the right balance between cost, value and security. Applying PCS principles in the right areas, and against the right assets brings opportunity for real business benefit. Note however that more and more, user-centric solution design at any level will be mandated as the norm, rather than the exception.

IAM is an opportunity to enhance your brand

In a environment where "every user is a consumer" it bears highlighting that a users first interaction with a service will typically be through the IAM layer. This may be for (self) registration, logon or perhaps for account management or password reset requests.
What this means is that IAM is uniquely positioned to enhance a users perception of a service. IAM user journeys need to focus on delivering a first class user experience, making these operations clear, simple and easy to complete quickly. Furthermore your branding shouldn't be left behind the front door. With user centric solutions coming more to the fore, we can exploit IAM to build a strong user experience right from the start.

The Identity of things

The Internet of Things leads us to the Identity of Things. Big Data, SIEM and IAM leads us to Identity and Access Intelligence ("Identity intelligence gets a brain"). There is widespread acceptance that these areas are a given rather than predictions, but the IAM industry has some collective head scratching to get through to deliver business value from the promise.
Moreso IAM needs to keep pace with the demands for new delivery and pricing models that are shaping IT generally. Bringing IAM to SaaS leads us to IDaaS (Identity and Access Management as a Service), a model that needs to accept all of the opportunities and challenges discussed here. The IDaaS solutions of tomorrow need to be clear in vision, articulated to the business, adaptable for integration with both cloud and on-premise solutions and, perhaps above all, focussed on meeting the high expectations of the end user in order for the services they enable to deliver the business value needed.
Colin Miles is CTO at Pirean