IAMaaS is not SaaS

The Cloud is many things and it is particularly one thing for those who approach it with the eyes of the computer revolution of the 20th Century: the Cloud phenomenon appears as an ever more slick incarnation of the out-sized computer, sitting somewhere remote and isolated, capable of everything, ever-present.

To the hammer everything looks like a nail, as the saying goes, and that is how people tend to see the tools and technologies around the Cloud. In doing so, the conventional observer misses the fact that the Cloud is not (and cannot be) a technological compound; it essentially reflects historical and sociological changes, a context different from the one in which some of us learned to use the Personal Computer.

This is particularly the case with almost esoteric disciplines like Identity and Access Management (I&AM). To the techno-centric practitioner, I&AM is frozen in time at the moment somebody invented “provisioning” and “role management”; since then, the most important change has been that the number of I&AM vendors in the market has boiled down to a hard core of massive monolithic offerings, which compete more on size and difficulty of implementation than on effectiveness and business value.

Equally, when thinking of the Cloud, I&AM specialists think more of complex platforms and software libraries that are offered to consumers in the well-known Software as a Service model (SaaS).

This conception is actually an obstacle to the progress of the Security disciplines, and of Identity and Access Management itself, as people limit their work to usage models that have very little to do with Identity and the possibilities of the Cloud.

Following the SaaS model, we see updated strategies from technology vendors trying their hands at subsets of the art, for example in the areas of “risk-based reporting” and “compliance”. These offerings have one thing in common: a lack of understanding of the over-arching importance of Authentication capabilities, over and above every other aspect of the Cloud.

Traditional thinking focuses on Unique User IDs, password management, well-defined roles and “user provisioning”, when not on risk-based reporting and application access control; but all of this will give way to new forms of identity management that will challenge, at the same time, the monolithic “platform” approach and the niche-vendor approach.

These won’t be vanquished by a new technology, the “next big thing”, but fundamentally by a new way of doing things in this space.

What is new in the world of identity stems from post-industrial, globalised commercial exchanges and human movements. The same forces that cross and cancel national boundaries, that transform the family and local life, radically transform business and enterprise structures.

The global, transnational enterprise is also global in the sense that it represents the existence and reproduction of identities that are vastly mobile and rootless, lacking firm context and defined loyalties. These “identities” are abstractions of biological persons, i.e. “equal individualities” which are entities with very little history and references to begin with.

In this context, no individual appears entirely validated, but only as a fragment of a legally existing person, and only as a function of a partial activity in the economy or as part of an organisation. In the global network, the activities of the individual are indirect and partial, or, better said, the shadow of a real individual.

For this fundamental, non-technological reason the monolithic individual does not exist, and for this reason, in dealing with identity, we are not facing a definable object but an activity. Professor Chadwick, a prominent British scholar in the specialty of Identity Management, has formulated this synthetically with the formula: “It does not matter who you are but what you can do”.

In this context, the global corporation cannot and should not rely on unique validators or stable identities, but on stable roles, defined routes and managed channels of communication. As I have said in other posts, the key to Cloud value is a “variety of identities”.

Unique, flat, general and shared network spaces with stable identities are a dream of the past.

Now, in this context, something is still missing, and it remains difficult to grasp if we stay with the techno-centric perspective. For the individual as a person, his or her “identity” continues to be unique and coherent, even if it is partial and unstable for the multiple organisations, contexts and realms he or she moves in. For the organisation, identity is fragmented and dispersed, but still falsely understood as unique and defined.

This is the contradiction that we live in, the ideological framework that makes us think of Security as a profession bound to protect and defend, while it should be clear to all that with such an attitude we are missing the point and not responding to a historical challenge. In fact, understanding that it is sociology and history which drive change, and not technology, would lead us to see that the whole promise of the new era is rooted in indirection, in mediation. For sure the machine is the instrument and the mediator, but the machine is only responding to the expansion of human action. It is this mediation that actually allows for anonymity and hence creates the context of fraud and crime (inasmuch as it underpins the context of freedom).

Seeing this, the controlling, “protecting” technocratic spirit turns against the basis of the historical period and tries to cancel anonymity as if it were some accidental, unwanted feature of the present. This ignores the fact that both computing power in the hands of the individual and the indirection of personal activity are the foundations of the digital global market. This market is indeed the product of uprooted, universalised, generic, global indirect activity that is not materially linked to the biological person (to the taxpayer, the homeowner, the corporate worker), but only indirectly and voluntarily so.

Is it not the case, then, that linking the activities in the network back to the “real biological person” is not only impossible but also counterproductive? Or, better said, is it not the case that very successful business models always arise without such linking?

Here is my thesis: fragmentation of identity is not a problem a) when the person has the power to decide when and how to act through the network; b) when multiple identities, i.e. levels of action, are acceptable for the business models; and c) when a variety of identities (and channels) is acceptable for commercial exchanges and human interaction in general.

The false perspectives disappear once we understand that technologies create their own “noise”. Indirection and abstraction create indirect mediated action and abstract, uprooted shadows of the individual.

In this context, is it a serious stance to abhor the unnamed, anonymous “hacker” who is enabled precisely by the techniques of remote computing? Is it a meaningful stance to decry the risks of “attacks” on data just when we expose data to the global networks? Let’s be serious for a moment: the risk of fraud and impersonation is a derivative of the multiple layers of indirection in commercial transactions.

For sure the way “forward” is not to plan the rest of our lives as a war against masked aggressors and exotic hackers, but to adapt to this new context. For sure there will be new protocols, new assurance levels, new risk-taking strategies, and a variety of identities on all sides, across all boundaries.

More specifically, a variety of identities means: parallel or shared identities (or, as Mike Neuenschwander would say, Personas); and, simultaneously, concurrent flows of collaboration managed by the person and not by the enterprise or the Government.

What is the new model? Let’s put the answer in the negative for now:

Identity Management is not, and can never be, a governing discipline meant to bring order where there is chaos, to simplify where there is complexity or to reduce options where there is freedom. Quite the opposite: very soon I&AM will cease to be seen as part of Security and become just one more art of business risk-taking.