What's in Store for 2011 in the World of Identity?
Happy 2011 everyone. Best wishes in this New Year. May this year bring you closer to your dreams and goals.
Continuing from some of the points I made in my last blog, I figured we could start the year by making some bold predictions about what may be ahead of us, the identirati, in 2011. Nothing beats controversy in the wake of the New Year’s celebration.
To achieve controversy, I will violate one of the principles of our blog etiquette and mention vendors and players by name (lots of them this time). And I hope that once you read this article you agree with me that making this exception was warranted.
Identity Administration Reaches Maturity
Provisioning, reconciliation, access request and approval are already mainstream and, in a way, a commoditized functionality within IAM, just like Web Access Management has been for several years. We predict an increase in adoption, deployment and automation of identity lifecycle processes, including significant migration from manual, homegrown, or obsolete (ala Sun Identity Manager) solutions to leading ones, with an eye towards service-orientation and where possible, managed services models (which could be on-premise, in-the-cloud or hybrid – the latter one we have defined as identity management co-sourcing).
Access Governance becomes the Cutting Edge
This one is easy to call out, since it is already at play. The increased complexity of regulations, and their deeper permeation into areas of the organization is forcing organizations to adopt access governance frameworks which can help them achieve, and more importantly remain, compliant in a way that scales and is sustainable. Hence we will see significant focus and budget allocations given to areas such as role management, role governance, privilege user management, continuous auditing, access recertification and segregation of duty policy enforcement, all of which are today on the “bleeding edge”.
This trend will bring acceleration to adjacent security approaches, which have reached a significant state of maturity, such as Identity Activity Monitoring (intersection of IAM and SIEM) and DLP. The goal being modern access governance helps organizations achieve unprecedented visibility over who is really doing what, and whether she should be allowed to do it.
Strong Authentication Becomes Authentication
Technology maturity and cost reduction, along with the need to provide stronger security control to sensitive assets, will make the adoption of multi-factor authentication more feasible and mainstream, such that strong authentication as we know it today will be the standard moving forward. Organizational awareness and discipline about assessing risks, and mapping those risks levels to appropriate assurance levels, which will in turn map to authentication strength, will make this adoption process more rational (different from what the FIFEC trend of October 2005 created). This time around, more educated buyers will be able to determine the kind of solution and price point that makes sense from both a cost and usability perspective.
Some interesting data points we see in this area, particularly in sectors such as Healthcare (where one of our advisors Shahid Shah makes interesting predictions for 2011) – driven by the Meaningful Use adoption incentives, and in Retail, is that the adoption of ESSO (Enterprise Single Sign-On) solutions, being pushed as a viable approach to provide stronger authentication. An example might be the use of smart RFID-enabled badges, to not only mitigate security risks, but remarkably, to provide quick logon and context switching across applications or workstations. Isn’t that beautiful? We could claim to be living in the days where the prophecy of better security without the sacrifice of user convenience became a reality.
I recall Earl Perkins once stating at the Gartner IAM Summit in 2008, that passwords were dead, and while I think they will soon become extinct, 2011 will not be the year of their extinction. Sadly, I predict passwords will go on to plague the cloud, as I alluded to in a recent 3-part article on access governance in the cloud age – unfortunately, cloud applications as an aggregate will trail the substantial improvement in authentication strength that the enterprise environment will make. But not to worry, at some point (certainly beyond 2011) cloud vendors will realize that federation is a good thing for them and we will go on to eradicate passwords. Will we live to see that one? I believe so.
Another interesting observation I would like to make in the future of strong authentication is how some of the mechanisms for achieving two-factor authentication that used to rely on SMS or IVR delivered OTP (one-time passwords) to a mobile device, may no longer be considered two-factor, since most of the computing nowadays is done on the [smart] mobile device. So we will start to see a “grayscale” of authentication mechanisms and authentication strength, hopefully aligned with a current understanding of identity assurance.
The Emergence of Identity Brokers for Consumer Identities
As discussed during PayPal’s Andrew Nash keynote at the Gartner IAM Summit in November 2010, it seems likely conditions are in place to propitiate the emergence of an Identity Broker (citing Andrew Nash’s definition) in 2011.
And I concur with Andrew’s viewpoint that Identity Brokers should be advocates of consumer privacy and protection, adhering to the three Asimov-inspired laws of Identity Brokers:
- An Identity Broker may not injure a consumer, or through inaction, allow a consumer to come to harm.
- An Identity Broker must obey orders given by consumers, except where orders would conflict with the first law.
- An Identity Broker must protect its own existence as long as such protection does not conflict with the first or second law.
A few questions still remains though: will these be viable? Which use case or service will be the one that adopts this model first? Who pays for what? And what happen when they die? Other than PayPal, will banks or financial services players move on this first? Or will it be the credit boroughs: Equifax, Experian, and TransUnion, who make the first entry? Or will it be the social network players (such as facebook)?
The year 2010 saw some great acquisitions take place, and this should continue in 2011, but I believe there will be some distinct trends on how these will continue to happen:
- Managed Identity Service Providers (MISPs) – Traditional MSSPs will inorganically evolve into MISPs. Some consulting firms will inorganically add MISP-oriented offerings to their clients, a few software vendors may start to add a MISP-like flavor to how their technology is consumed
- The tectonic plates will continue to move slowly – Oracle, after digesting the Sun acquisition, and completing the Passlogix integration will go back to the mall to buy a few more pieces to add its stack, as will CA and IBM. These are to be expected, if not demanded, whether for risk aversion (an OEM product whose maker is becoming weaker) or customer/market acquisition. You can pretty much say Privilege User Management and Role Management are ripe for the picking. So this is more of the continued movement of large tectonic plates. Identity Verification – whether this is for consumer registration and vetting, for external workforce on-boarding, or even internal workforce authentication, the market for identity verification will continue to evolve, and I anticipate a few players, most likely the established credit verification boroughs will make some moves in this area, or at least some strategic partnerships.
Cloud Identity Starts Getting Crowded
Right now, there only a few players in this space, and they are really starting to heat up. This is the type of disruption that's exciting to see, although real disruption typically occurs when a big software vendor joins the party. We predict that in 2011, a few large software vendors launch (or buy) a bona fide cloud identity offering.
…And Some New Comers
What I view as very exciting possibilities are possible volcanic eruptions that players like VMWare, RSA (or EMC), HP, Intel and even BMC could make in 2011. BMC has been quiet in this space, after their embarrassing exit following the acquisition of Open Network Technologies in 2005; but they will need to make some sort of inroad to tap the access governance bandwagon.
But let’s walk through the logic of a large player who is looking to enter the IAM space in 2011, what would be their rationale? Certainly, nobody would look to enter the space just to face off against Oracle, IBM or CA. So where would you enter where you can get good traction early on, and have enough room to grow? Here are my thoughts:
- Access Governance – areas such as compliance, access recertification and enforcing policy-based access (including SOD) are at the top of my mind for pretty much all organizations today, so anyone entering in this space (whether organically or through acquisitions) will be able to capitalize on some early returns and see a good opportunity to expand its market by innovating into areas such as SaaS or cloud-based delivery models. For any newcomer, the premise will most likely be to start with addressing SaaS or Cloud apps governance first, and then deal with the on-premise apps. Clearly the SaaS space has more potential for a successful entry.
- Mid market – large players that today offer point solutions to mid-market organizations, or large players that see the saturation and maturity of the Fortune 3000 market, will come up with new offerings to the mid-market (US$500M to US$2B in annual revenue). Here, there will be some innovative technologies that will have the advantage of being modern and not carry the legacy of the 1990 dinosaurs that dominate the Fortune 3000 segment; giving way to true service-enabled architectures, and open and modern standards (XACML, SAML, OpenID, OAuth, etc.) to make an entry into organizations. Likewise, these offerings will come with innovative licensing and delivery models more targeted and adjusted for the mid-market needs.
- Embedded IAM as Infrastructure-as-a-Service – or what we defined as IDaaS. Traditional platform players (ala VMWare or Intel), current platform as a service providers (ala Amazon), and to a lesser extend the dominant SaaS vendors (ala Salesforce.com) will be forced, either by their customers or by the natural evolution of their product and services roadmaps, to address identity and access management use cases, and to them, the natural play will be to embed identity into the platform. This will open up a new dimension in the way we all think about identity in the cloud, in the enterprise or on the network, and will generate an explosion of offerings and integration options, along with confusion in the marketplace, and will undoubtedly take away some of the market share of traditional IAM product vendors. I think this particular focus will validate some of the predictions the likes of Forrester Research and Gartner have made for some time, where the focus is much less on “provisioning” as we have come to know it, and more on the concept of a virtual identity that is assembled and consumed as and when needed by the system or application that requires it, and the “platform” will make this virtualization and consumption seamless.
So there you have it, a mouthful of bold statements and predictions, which I hope, will elicit some good discussions. I look forward to your comments.