Thursday, September 29, 2011

The Evolution of IAM: From Gate Keeping to Corporate Governance

Back when I was a young ankle biter taking my first tentative steps into the world of Identity and Access Management, it didn't even have a name. Admittedly, that was less than 15 years ago, but given how much IAM has matured in that time, it seems like much longer.

In those days, core IAM services such as credential management, entitlements management, user provisioning, access certification and directory integration were viewed very much as low-level, highly tactical I.T. functions. Use cases were generally simple in nature ("I need an account on System A, so I'll call my friend Mary on the helpdesk to give me an ID and password that I'll never need to change"). Regulatory mandates were less stringent, identity theft was less widespread, and very few enterprise applications were web-enabled. In fact, one of my very first identity projects in the 1990s involved devising a Web SSO solution for legacy host applications that were in the process of being "webified" (believe me, you don't want to know how I got there, but let's just say that it involved some pretty creative CGI scripting).

The first generation of identity services (I'll broadly categorize them under the heading IAM 1.0) focused primarily on basic credential management that emphasized the need to prevent unauthorized users from accessing protected information assets but added very little business value. Typically, user accounts were provisioned by standing up a directory and writing some scripts to provide basic automation. It was not uncommon for organizations to stand up unique directories for every application. In those Wild West days, I.T. departments generally did whatever they wanted, with little regard for governance or operational efficiency. Predictably, this led to the proliferation of directories and passwords, not to mention rogue accounts. To compound matters, entitlements were assigned in a cumulative fashion; very few organizations had developed the processes or tools that allowed for revocation of entitlements upon a job change.

Several vendors released tools that aimed to help organizations deal with these challenges. IAM 1.0 products were largely pure-play offerings; for example, metadirectories such as Microsoft MIIS and IBM Tivoli Directory Integrator, and web single sign-on suites such as Netegrity SiteMinder and Oblix CoreID. Yet few if any vendors offered any coherent vision for IAM, since it was still viewed very much as a back office I.T. function rather than a business enabler. Best practices were virtually non-existent, and standards such as SAML, SPML and XACML were still several years from adoption. Hence, IAM 1.0 offerings tended to adopt a highly operational focus and didn't always play nicely with other tools in the enterprise.

We can date the birth of IAM 2.0 to about the mid-2000s. By that time, it had become apparent to many organizations that manual user provisioning processes were incurring significant costs in terms of operational overhead and lost productivity. Meanwhile, regulatory mandates were becoming increasingly stringent, placing additional burden on I.T. departments. This led to the emergence of complex identity suites such as Thor Xellerate (later Oracle Identity Manager) and Waveset Lighthouse (Sun Identity Manager) that emphasized user provisioning automation but were frequently expensive to implement, difficult to maintain, and often failed to deliver promised benefits due to the continued focus on IAM as an I.T. "tool" rather than as a corporate governance asset.

This almost singular focus on user provisioning, as I noted yesterday, resulted in IAM implementations that frequently ran over budget and were in many cases poorly conceived due to inadequate governance and the lack of widely accepted best practices. The TCO of these solutions was further inflated by the extensive training and highly specialized skills that were required to implement and maintain them. There was a widespread misconception (encouraged in no small part by product vendors themselves) that an identity management suite was a silver bullet that would solve world hunger; all you had to do was install it (if only that were true).

To this day, many organizations still bear the scars from IAM 2.0 projects that were expensive failures, so it isn't surprising that the notion of "identity management" is still treated with derision in some I.T. departments.

Nevertheless, we've come a long way in the past few years. The lessons learned from those early failures have informed a set of widely accepted best practices, and identity management offerings are beginning to reflect this maturation. Accordingly, the percentage of unsuccessful IAM projects has fallen dramatically in recent years.

Meanwhile, the notion of identity management itself has evolved out of the I.T. back office and into the boardroom. This is in no small part due to an explosion in the number of high profile and expensive breaches (like this one, and this one) resulting from inadequate controls. The enterprise also has to contend with the proliferation of cloud computing, mobile devices, the increasing use of external consultants, and remote workforces. All of these factors increase the urgency for organizations to embrace a holistic IAM strategy.

IAM 3.0 reflects both the maturation that comes with experience and the evolving demands of a technology landscape that has experienced radical change over the past several years. In fact, the term "identity management" is itself becoming somewhat anachronistic, as it no longer truly reflects the challenges with which organizations are faced. Identity governance is a far more appropriate term, and next generation IAM offerings such as SailPoint IdentityIQ increasingly reflect this paradigm shift. Such offerings place less emphasis on traditional IAM functions such as user provisioning and credential management, and focus more on GRC, reporting, identity analytics and centralized policy enforcement. From a technology perspective, customers are increasingly demanding streamlined, scalable solutions that emphasize ease of implementation, particularly in an era of constrained budgets. The days of vast, intrusive and complex identity suites are over.

Identity federation, directory virtualization, RBAC, ABAC, contextual authorization and next-generation entitlements management all form part of the IAM 3.0 picture. Automated user provisioning is still important, but is no longer the dominant consideration it once was. In order to become more business relevant and thus more achievable, provisioning needs to be considered in the context of a holistic identity lifecycle, which requires IAM practitioners to adopt a change of mindset.
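The contrast between the IAM 1.0 habit of assigning entitlements cumulatively with no revocation on a job change, and the role-based lifecycle view described here, is easy to show in code. The following is an added example written for this page, not code from the original post or from any product it mentions; the role catalogue, the separation-of-duties rule and the sample identity are all constructed for illustration. It runs one employee through the same three job changes under both models and then applies an access-certification check.

```python
"""Entitlement creep vs. lifecycle-driven provisioning (constructed illustration)."""
from dataclasses import dataclass, field

# Constructed role catalogue: role name -> entitlements that role justifies.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp:ap_invoice_entry", "erp:vendor_read"},
    "accounts_receivable": {"erp:ar_invoice_entry", "erp:customer_read"},
    "treasury": {"erp:payment_release", "bank:wire_approve"},
}

# Constructed separation-of-duties rule: one person must not hold both of these.
SOD_CONFLICTS = {
    frozenset({"erp:ap_invoice_entry", "erp:payment_release"}),
}


@dataclass
class Identity:
    user_id: str
    roles: set = field(default_factory=set)         # current job, as HR records it
    entitlements: set = field(default_factory=set)  # access actually held on target systems


def cumulative_job_change(identity, new_role):
    """IAM 1.0 pattern: HR updates the job, but access is only ever added, never revoked."""
    identity.roles = {new_role}
    identity.entitlements |= ROLE_ENTITLEMENTS[new_role]
    return identity


def lifecycle_job_change(identity, new_role):
    """Role-based pattern: recompute desired access from the current role and return
    the (grant, revoke) diff that a provisioning engine would have to enforce."""
    identity.roles = {new_role}
    desired = set()
    for role in identity.roles:
        desired |= ROLE_ENTITLEMENTS[role]
    to_grant = desired - identity.entitlements
    to_revoke = identity.entitlements - desired
    identity.entitlements = desired
    return to_grant, to_revoke


def excess_entitlements(identity):
    """Access-certification check: access held that no current role justifies."""
    justified = set()
    for role in identity.roles:
        justified |= ROLE_ENTITLEMENTS.get(role, set())
    return identity.entitlements - justified


def sod_violations(identity):
    """Return each conflicting pair the identity holds in full."""
    return [sorted(pair) for pair in SOD_CONFLICTS if pair <= identity.entitlements]


def simulate(model):
    """Hire into AP, move to AR, then move to Treasury, using the given change model."""
    ident = Identity("u1001")  # constructed sample user
    for role in ("accounts_payable", "accounts_receivable", "treasury"):
        model(ident, role)
    return ident


if __name__ == "__main__":
    for name, model in (("cumulative", cumulative_job_change),
                        ("lifecycle", lifecycle_job_change)):
        ident = simulate(model)
        print(f"{name}: holds {len(ident.entitlements)} entitlements, "
              f"excess={sorted(excess_entitlements(ident))}, "
              f"sod={sod_violations(ident)}")
```

Under the cumulative model the employee ends up in Treasury still holding the accounts-payable and accounts-receivable access from two jobs ago, and the certification check flags four excess entitlements plus an SoD conflict; under the lifecycle model the same three moves leave only the two Treasury entitlements, and the returned diff on each move is exactly what a provisioning connector should grant and revoke.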

Personally, I'm excited by the changes we're seeing in the IAM landscape right now. Many of them are long overdue, but change is always painful and I suspect that there will be many in the community who cling onto the old way of doing things. That is unfortunate, but an inevitable fact of life in this business.
