Thinking of the Future: Identity and Access Management

I spoke at the 13th CISO Roundtable in Zeist, Netherlands on December 14th, 2010. This event had the participation of CISOs from Europe, and the theme of the gathering was “The Future of Identity Management.”

How do you address such a challenging subject while making sense of the fast-changing landscape of Security and Identity and Access Management? I thought I would share a few of my ideas here.

The general trends transforming business also transform Identity and Access Management: in a few years, even the meaning of the terms we use will be different. The key transformation has been that while in the recent past Technology Vendors, Consultancies and Businesses tended to see I&AM as a minor complement to other Security programmes, it is now becoming evident that what we do with identities is at the heart of any initiative, both for business and for IT programmes.

We have left behind a period where the industry proposed I&AM as one more instrument to manage risk, reduce cost or achieve compliance, and a new era is starting, where we can see I&AM as a direct support for advanced business models and global operations.

We do not argue anymore that “doing” IAM is better than not doing it, or that you will have a better Risk Position if you have some centralised user access control. Instead, we clearly look into how Identity Management directly enhances business processes which require outsourcing, mobility, global reach, agility and transformation.

At the same time, we know for certain that there will be no single “model” for Identity Management, and that the previous emphasis on Identity Provisioning or Compliance is just one aspect of the great promise of our discipline.

Here are my views on the Future of Identity Management with a time range of 3 to 5 years:

  • The protection and compliance focus which we inherit from the Security Domain will not disappear, but it will have a lesser role in the IT landscape than it has now.
  • Centralised control models over identities will be reserved for very restricted areas of the IT infrastructures, while at the same time organisations implement federated and decentralised assurance services.
  • Privacy and Data Protection concerns will be seen as essential, but increasingly not as a central management task and instead as rooted in the individual's choices and in the different varieties of identity.
  • Identity and Access Management as a Service will experience rapid adoption, but, again, a single model will not exist, and corporations will sometimes have partly hosted and partly on-premises solutions.
  • Above all, the intellectual structure of Security and Identity and Access Management will change, moving from a focus on Risk Management, to a balance of Risk and Trust Management.
  • Following the development of Cloud Computing, we will see two major trends arising: I&AM “for” the Cloud, and I&AM “in” the Cloud; essentially security services to protect the Cloud (hosted) environments, and security services offered by hosted platforms. The two are inseparable.
  • Given the perceived and real risks of network crime and disruption, security will rely even more on defence in depth and on a variety of identities and identity assurance levels, while at the same time deploying more refined risk-based and attribute-based access controls (all of this enabled by I&AM solutions).

To facilitate these developments and make our discipline flourish, an intellectual transformation is necessary.

One of the factors that is holding us back and limits the promises of the future is what I call the “techno-centric” perspective. In fact, I think that we share this problem with the whole of the Security Domain: we are still rooted in a world view which sees identities as data that are manipulated by “systems”, and we almost equate security exclusively with “risk management”.

A step needs to be taken to start working with identities as relationships, as business value and not as items that are checked out in templates or moved around by means of “engines.”

The “techno-centric” perspective is essentially a mechanistic view of the world which is inadequate to sustain the pace of change, the openness and the focus on the individual and the global markets.

Instead of an “enterprise” or an “organisational” identity for each individual we should have (in fact we already have) multiple individual Personas, as Mike Neuenschwander and other experts proposed several years ago. Instead of a few classes of identity ranging from “staff” to “contractor”, we already have a definitive blurring of the boundaries of the enterprise, and scenarios where “external” users actually have more complex and more security-demanding access rights than “internal” users.

The logic we need to address this fundamental change, especially when we start moving towards I&AM-as-a-service solutions, is the logic of enablement, of trust, of external assurance and of user-centric protocols.

When considering the future of IM it is necessary to look into the future of the security disciplines as a whole and beyond. It makes no sense to continue talking about I&AM as some sort of isolated speciality anymore. What do we think about the future role of security in the new era?

I&AM needs to stop thinking about itself, to stop producing more and more detailed sub-specialities and taxonomies of what it is about: provisioning, access, roles, governance, or compliance. We need to see our place in the Security Domain: an important one, but not an exclusive one.

In the same way as the security disciplines differentiate and new specialties appear, we will see the transformation of Identity Management showing, on the one hand, new techniques and, on the other, specialties which will not be technical at all and will reflect the strategic need for organisational change, global scale and business purposes. In this sense, Identity Management has changed and will continue to change to better reflect its real value for other Security disciplines, for business and for public life.