Ironically perhaps, the Identity and Access Management (IAM) industry has often lacked a sense of an identity. Just what problem is IAM trying to solve? Security? Compliance? Realising cost savings and enabling business efficiency? All of the above and more? And just what does define an IAM solution today? Do customers still need enterprise grade IAM suites for cradle-to-grave user lifecycle management, or are point controls and the low-cost / quick to deploy ‘as-a-Service’ type offerings now more in demand?
What we do know is that the demand for IAM solutions remains strong. There are clear indications from analysts in all corners that show that the business challenges around identity and access not only remain but may be growing both in terms of scale and priority. So against this background, what innovations in planning and technology will shape IAM to better deliver business value in the periods ahead?
Finding the right blend
The IAM market is generously served with a strong showing in both quantity and quality of the solutions that are currently available. Strong authentication providers, Privileged Identity Management solutions, GRC tools, major IAM suite vendors and others have all found messages and offerings that they believe resonate against business pain points today. To plot the right course through the maze, however, potential customers need help identifying and integrating the right technology stack into their delivery models, be they cloud or on-premise based. Often at the heart of this challenge is the need to decide between suite-based approaches (where coupling of solutions may be based more upon loyalty or an existing dependency on enterprise agreements) versus a best-of-breed approach. As the IAM market continues to move at pace, the best approaches will be those which avoid leaving customers locked-in to outdated or legacy solutions, as well as those which support a swap in/out of components that deliver value to the business at a point in time. There are frameworks which are emerging to support this model, allowing value from IAM to be realised in phases.
New challenges need new delivery models
The Internet of Things leads us to the Identity of Things. Big Data, SIEM and IAM lead us to Identity and Access Intelligence. There is widespread acceptance that these areas are a growing reality of today rather than predictions for the future. This leaves the IAM industry with some collective head scratching in order to find the solutions that will deliver business value. Even more significantly, IAM needs to keep pace with the demands for new delivery and pricing models that are shaping IT generally. Bringing IAM to SaaS leads us to IDaaS (Identity and Access Management as a Service), a model that needs to accept all of the opportunities and challenges presented today. The IDaaS solutions of tomorrow need to be clear in their stated vision, articulated to the business, adaptable for integration with both cloud and on-premise solutions, and, perhaps above all, focused on meeting the high expectations of the end user in order to realise the critical business goals for the services they enable.
Keeping the bad guys out shouldn’t affect the good guys too
People-based security models are notably innovative in that they turn the traditional notion of least privilege on its head and encourage the thinking that “everything that isn’t forbidden is allowed”. This may be enough to strike fear into the heart of any security administrator or product owner who has accountability for a high value asset, but the advice of course is to take a pragmatic approach. Such models present an opportunity to cut bureaucracy and costs while increasing staff morale and agility. The key here is to find the right balance between cost, value and security. Applying people centric principles in the right areas and against the right assets brings real opportunity for businesses to benefit. Note however that more and more, user-centric solution designs at any level will be mandated as the norm rather than the exception.
There is more effort needed for IAM to win over the business
For some time, IAM specialists have been able to send out the message that with the right IAM solutions, IT security can get closer to the holy grail and become a business enabler rather than continuing its life as the unloved inhibitor to user efficiency. This has been well borne out by the year-on-year increase in customer projects that leverage IAM to deliver new portals and services to customers and employees alike. A degree of realism is still needed here, however. IAM represents a significant investment for businesses, and care needs to be taken to map IAM imperatives to the value that will be returned. There should also be a focus on marketing the IAM story to stakeholders at all levels to increase solution adoption and support sustained investment.
Helping to make the standards stick
IAM isn’t the only corner of the IT industry where the battle between the best intentioned open standard based frameworks versus proprietary based solutions has been fought. Although it is perhaps still early (in standards adoption terms at least), SCIM is also showing potential for wider adoption. How close are we really to a point of standards maturity and convergence in IAM though? A look at almost any real world IAM implementation today will tell you that we are not there yet. Legacy dinosaurs and ‘interesting’ workaround sticky-tape solutions may lurk around any corner of course, but the presence of readily exploitable interfaces cannot be guaranteed in all SaaS offerings. There are noticeable trends, however, and identity-focused standards are becoming more productised. This gives us good reason to be optimistic that future IAM challenges will continue to be more around the what than the how.
IAM is an opportunity to enhance your brand
In an environment where every user is a consumer, it bears highlighting that the first interaction a user has with a service is typically through the IAM layer. This may be for (self) registration, logging in or perhaps applying for account management or password reset requests. What this means is that IAM is uniquely positioned to enhance a user’s perception of a service. IAM user journeys need to focus on delivering a first class user experience, making these operations clear, simple and easy to complete quickly. Furthermore, organizational branding shouldn’t be left behind the front door. With user centric solutions coming more to the fore, we can exploit IAM to build a strong user experience right from the start.
By Colin Miles, CTO, Pirean
About Pirean
Pirean helps businesses to provide secure access to all of their applications, on-premise, on mobile or cloud-based, for all the individuals with whom they interact, whether they be employees, customers or partners. The company delivers its industry expertise through a unique blend of software, consultancy and its Identity as a Service capabilities.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.