Eclosion: The Future of Identity Management

As I mentioned in a previous post, I attended the 13th CISO Roundtable in Zeist on December 14th. The participants—all senior Security and Risk management leaders—engaged in a lively discussion. Floris van den Dool, the Accenture EALA Security Lead, managed to deliver yet another successful gathering focused on Security Management. The subject of the meeting, “The Future of Identity Management,” had clearly been on the participants’ minds, as every day they face complex decisions about their organisations with an eye on new developments and organisational change.

The consensus was that Security and Identity Management can no longer be delivered purely within the boundaries of the enterprise, and that new ideas are necessary to face the challenges that come with de-perimeterisation and Cloud Computing.

As a speaker at the event, I realized that few things are more annoying to security professionals than listening to somebody claiming to predict the future. So instead, I started by explaining my approach to trend analysis and projection of the changes in the realm of Identity Management.

First I stated that—if anything—it is necessary to leave behind both a pessimistic and a naively optimistic stance: believing either that the future is “more of the same” or that it is “completely new” is a false assumption. What we actually see, both in technology and in business practices, is that the new coexists with the old, and that the old gives birth to the new.

The combined result of these movements is what I call “eclosion”, from the French éclosion, meaning to hatch or be hatched, an image borrowed from the biological sciences.

In a more descriptive way, I like to think of change not as evolution or the displacement of one class of systems by another, but as the constant unfolding and opening up of reality. Here, to avoid an excessively wide discussion of these matters, I want to focus on the plane of conceptual transformation and more specifically on the changes driving security and identity. In the realm of ideas, we should speak of “differentiation.” The following lines describe a series of conceptual differentiations in the space of Security, Identity and Cloud Computing.

Security and Identity Trends

I listed six key trends which sum up the current transformation:

  • The protection and compliance focus which I&AM inherits from the Security Domain will not disappear, but it will have a lesser role in the IT landscape than it has now.
  • Centralised control models over identities will be reserved for very restricted areas of the IT infrastructure, while at the same time organisations implement federated and decentralised assurance services.
  • Privacy and Data Protection concerns will be seen as essential, but increasingly not as a central management task and instead as rooted in individual choices and the different varieties of identity.
  • I&AM as a Service will experience rapid adoption, but a single model will not exist, and corporations will sometimes have partly hosted and partly on-premises solutions.
  • The intellectual structure of Security and I&AM will change, moving from a focus on Risk Management to a balance of Risk and Trust Management.
  • Security will rely even more on defence in depth, a variety of identities and identity assurance levels, while deploying risk-based and attribute-based controls.

Each of these trends carries within it a counter-balancing phenomenon which, on the one hand, represents the continuation of the past, but also a reformulation of it. Change by differentiation leads to increased complexity.

Cloud Computing is not itself a phenomenon caused by changes in the Security or Identity disciplines, but the culmination of a trend that has always been present: towards virtualisation, shared capabilities, resilient remote resources and networking. The Cloud itself is at the same time the continuation of the old and the appearance of new concepts (differentiations) in infrastructure and application services. This has a very important effect on the future of Security and Identity Management.

Following the development of Cloud Computing, we will see two major trends arising: I&AM “for” the Cloud and I&AM “in” the Cloud; essentially, security services that protect Cloud (hosted) environments, and security services offered by hosted platforms. The two are inseparable.

At Accenture we have adopted the terms Security “in” and “for” the Cloud to reflect two “views” we find among clients and specialists:

  • Security for the Cloud: securing the broader IT application and data workloads as they migrate from corporate data centres into cloud services.
  • Security in the Cloud: the Cloud as a delivery model for security vendor solutions, for example identity management as a service, or compliance as a service.

The core of the conceptual differentiation taking place at this level is between Trust Management and Risk Management. On the one hand, Security In the Cloud is a view that reflects the ideas of Trust Definition and Trust Establishment, leading to a stance centred on Trust Management. In this “world” Identity is seen as Distinction and Membership. On the other hand, Security For the Cloud is a view that reflects the ideas of Trust Enforcement and Trust Validation, leading to a stance centred on Risk Management. In this “world” Identity is seen as Object and Context.

These views reflect different action perspectives and different participants. For Security “in” the Cloud, we have the Subjective position: the position of the business leader, the owner, the strategist, but also that of the group, the organisation, Society in general. For Security “for” the Cloud, we have the Objective position: the position of the implementer, the controller, the auditor, but also that of the engineer, the technologist, the IT organisations in general.

Trust Definition and Trust Establishment are reflected in a view of Security “in” the Cloud, and answer the questions: How do we benefit from operating in the Cloud? How do we manage trust with our clients, colleagues, staff, partners, etc.?

Trust Enforcement and Trust Validation are reflected in a view of Security “for” the Cloud, seeking assurances in terms of Data Control, Compliance, Protection and Privacy.

When developing these ideas I also said that further analysis shows even deeper conceptual differentiations: four theoretical perspectives underlie the apparent division into two “views”.

Trust Definition: Security seen from the perspective of Direction and Identity seen as Distinction.

Trust Establishment: Security seen from the perspective of Selection and Identity seen as Membership.

Trust Enforcement: Security seen from the perspective of Protection and Identity seen as Object.

Trust Validation: Security seen from the perspective of Detection and Identity seen as Context.

Conclusions

I closed my presentation by explaining how the delivery of security “in” the Cloud is a precondition for the realisation of security “for” the Cloud. An excessive focus on security “for” the Cloud assumes that the client is outside of the Cloud world and needs assurances to adopt Cloud-based solutions, while the view focused on security “in” the Cloud seems to reflect the target state of any Cloud initiative: security as a service “in” the Cloud.

The Risk-centred “view” will predominate in the context of deciding how to adopt Cloud-based strategies; the Trust-centred “view” will predominate in the context of delivering or exploiting Cloud-based services; but the two views are part of the same big picture and both have to be mastered in the Cloud Security Strategy.

As a general position in Information Security and I&AM, it is advisable to keep in mind that the disciplines of Trust Definition and Allocation are still not well developed and tend to stay in the background. In the new world of Cloud Computing, nevertheless, it is essential to develop a balance between these disciplines and the more conventional and better developed perspectives of Trust Enforcement and Validation.