In May 2003, Nicholas Carr predicted the end of Corporate Computing: “Something happened in the first years of the 20th century that would have seemed unthinkable just a few decades earlier: Manufacturers began to shut down and dismantle their waterwheels, steam engines and electric generators. They no longer had to run their own dynamos; they could simply buy the electricity they needed, as they required it, from new utility suppliers. Power generation was being transformed from a corporate function into a utility. Now, almost exactly a century later, history is repeating itself. Information technology is undergoing the same transformation”. (Nicholas Carr, 2003. “IT Doesn’t Matter”. Harvard Business Review, May 2003.)
This change is now well underway, and here is what it means for Identity and Access Manaagement.
Let’s start with technology choices. Is there is a simple way of discriminating which technologies in the market point to the future and which ones cultivate the past. Is it too strong to say “thrive from the past”?
While there are criteria to determine the fit of a particular technology into an IT roadmap, we need to abandon the obvious approach. What does it mean, after all, to “fit” into an existing IT roadmap?
In most cases an IT roadmap will be a succession of upgrades and patches to pre-existing technologies, chosen under different circumstances and under now forgotten rationales. In this context, “fitting” can’t be more than trudging a path along an already unsuccessful IT story.
For example, in the traditional I&AM scope, typical services do not extend to user types outside the enterprise boundary (the dotted line in the diagram below).
As business expands, it is difficult to share information safely. Federation should address this but requires costly changes on for all parties. Small players never adopted Federation. Partners didn’t agree who was the identity provider, and who would control of user information.
In this context, the I&AM Roadmap becomes a succession of “upgrades” and “workarounds” where business programmes and both external and internal users have underperforming services.
Typical characteristics of the situation are:
•For every I&AM project delivered, there are always two or three in each organisation with severe challenges
•The “enterprise IT” approach appears unable to address Global requirements
•Typical challenges include: High CapEx and OpEx
•Large amount of integration & customisation required to support business applications
•Complex, costly compliance management
• “Solutions” are inflexible & expensive to change
Simultaneously, a gap appears in the market: technologies and solutions to cover employee, partner and joint venture authentication and provisioning with the right security levels and services are difficult to find.
In spite of this, business transformation does not stay still, and there is change: SAAS is adopted massively. Problem: This extends the reach of the business even more, and low-security solutions proliferate.
The change will continue as I&AM becomes a service, moves out of the Enterprise for external access routes including mobile workers and consumers. In a short time, I&AM services will scale to tens of millions of users in every major post industrial economy.
What does this mean? A sentence should be enough: The IT department never did I&AM well, it does not do I&AM now, and –as things evolve—will never do it in the future.
So, to return to our question: how to discriminate those technologies that thrive from the past from those the open the gates to the future? The criterion is: look out for those technologies that are there to be “implemented” by IT, or to “help” IT deliver I&AM services. Too little, too late. Those are, in my view the technologies and solutions that stand in the way of the great transformation.