Over the last decade or so, identity management projects and products have evolved well beyond plain user management and the implementation of the user life cycle within companies.
During this time the basic goals of most identity management projects were:
- Improve efficiency and manageability
- Reduce complexity
- Streamline user administration
- Enable simplified compliance
- Increase security through better access control and automated auditing, logging and reporting
- Generate return on investment through improvement of operation effectiveness and avoidance of lost user productivity
So when companies turn to IDM solutions they want to satisfy some basic business needs: improve overall security, enable easier compliance and, perhaps most importantly, save money.
Today we see a shift in where the technology and the vendors are heading. This is by no means an exhaustive list, but it should give a good idea of where the market is evolving.
Changing business drivers
In the past the real business benefit lay in improved cost efficiency. Nowadays we see a lot of companies that need to provide reporting on their compliance with a certain regulatory body. Be it SOX, HIPAA or some other regulation, companies need to be able to prove that their employees have only the access they need to carry out their jobs. Nothing less, nothing more.
Having access to the proper information at the right time is key in this evolution. So we are seeing a shift from cost-effective identity management towards identity management that can guarantee the protection of the company's most valuable information assets and prove it in black and white.
Shifting interests in technology
I see new wish lists popping up at companies: strong authentication, single sign-on, federation, context-based authorization and cloud computing. These concepts not only add identity management layers on top of what is used today, but also require integration with current business applications to be successful.
Most of these shifting interests are driven by a more open and collaborative business world. Maintaining security at a satisfactory level is a real challenge.
Convergence of logical and physical security
Basically, logical and physical security have the same goal: protect the assets of the company. You might have noticed too that physical and IT security are very often split into two separate departments, which tend to be separate islands of power and do not always communicate as they should. Frankly, today there is a lot of overlap, not only in functionality (authentication / authorization) but also financially.
So convergence towards a more unified integration of the physical and logical security world seems inevitable. This could include:
- Using a single ID card for network and physical access
- Integration of the physical access into the identity management process and the user lifecycle (revoke building access automatically when employee leaves the company)
- One central identity administration for both logical and physical access
- …
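As an added illustration of the second and third points (not code from the original article), the following Python sketch drives one leaver event through a constructed stand-in for the directory (logical access) and a constructed stand-in for the badge system (physical access). The names DirectoryService, BadgeSystem and IdentityManager are assumptions for the example. It deliberately keeps going when one target fails, records every outcome in an audit trail, and offers a reconciliation check for the classic gap where an account is disabled but the badge still opens the door.

```python
"""One user-lifecycle event drives both logical and physical deprovisioning.
Constructed example; the two backend classes stand in for a real directory
and a real physical access control system."""
from datetime import datetime, timezone


class DirectoryService:
    """Constructed stand-in for the logical side (e.g. an LDAP/AD directory)."""

    def __init__(self):
        self.accounts = {}

    def create(self, user):
        self.accounts[user] = {"enabled": True}

    def disable(self, user):
        self.accounts[user]["enabled"] = False

    def is_enabled(self, user):
        return self.accounts.get(user, {}).get("enabled", False)


class BadgeSystem:
    """Constructed stand-in for the physical access control system."""

    def __init__(self, fail_for=()):
        self.cards = {}
        self.fail_for = set(fail_for)  # simulate an outage for these users

    def issue(self, user, card_id):
        self.cards[user] = {"card": card_id, "active": True}

    def revoke(self, user):
        if user in self.fail_for:
            raise RuntimeError("badge system unavailable")
        self.cards[user]["active"] = False

    def is_active(self, user):
        return self.cards.get(user, {}).get("active", False)


class IdentityManager:
    """Central lifecycle handler that owns both backends and the audit log."""

    def __init__(self, directory, badges):
        self.directory, self.badges, self.audit = directory, badges, []

    def _log(self, event, user, target, outcome):
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "event": event, "user": user, "target": target, "outcome": outcome,
        })

    def on_joiner(self, user, card_id):
        self.directory.create(user)
        self._log("joiner", user, "directory", "ok")
        self.badges.issue(user, card_id)
        self._log("joiner", user, "badge", "ok")

    def on_leaver(self, user):
        """Revoke logical and physical access; a failure on one target
        must never skip the other, and every outcome is audited."""
        results = {}
        for target, action in (("directory", self.directory.disable),
                               ("badge", self.badges.revoke)):
            try:
                action(user)
                results[target] = "ok"
            except Exception as exc:  # keep going, but record the failure
                results[target] = f"failed: {exc}"
            self._log("leaver", user, target, results[target])
        return results

    def orphaned_physical_access(self):
        """Users whose directory account is disabled but whose badge still
        works: the gap that separate departments tend to leave open."""
        return sorted(u for u in self.badges.cards
                      if self.badges.is_active(u) and not self.directory.is_enabled(u))


if __name__ == "__main__":
    idm = IdentityManager(DirectoryService(), BadgeSystem(fail_for=("bob",)))
    idm.on_joiner("alice", "card-0001")
    idm.on_joiner("bob", "card-0002")
    print(idm.on_leaver("alice"))
    print(idm.on_leaver("bob"))
    print("orphaned badges:", idm.orphaned_physical_access())
```

The reconciliation check is the part worth keeping even without full integration: run it on a schedule and every disabled account that still has an active badge becomes a ticket rather than an unnoticed open door.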
Trend capturing and detecting anomalies
Wouldn’t it be great if user behaviour could be monitored and strange things triggered an alert? For example, if an employee normally works from 9am to 5pm and she tries to enter the building and/or log on to the computer in the middle of the night, would this be normal? I guess not. This would be abnormal behaviour and could be detected by some intelligent IT watchdog.
Profiling users in an effort to distinguish normal from abnormal behaviour could prove beneficial in high-risk environments.
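The "intelligent IT watchdog" described above, as an added Python example that is not part of the original article: it builds a per-user working-hours profile from historical badge and logon events and flags new events that fall well outside that profile. The event lines are constructed for the example, and the function names (parse_event, build_profiles, score_event, detect) are assumptions. Per-user baselines matter here: the night-shift user in the sample would be a false positive under a single company-wide "9 to 5" rule.

```python
"""Profile each user's normal working hours from badge and logon events,
then flag events far outside that baseline. Constructed example."""
from collections import defaultdict
from datetime import datetime

# Constructed historical events: ISO timestamp, user, source, action
BASELINE = [
    "2024-03-04T08:52:00 alice badge entry",
    "2024-03-04T09:01:00 alice windows logon",
    "2024-03-04T17:05:00 alice badge exit",
    "2024-03-05T08:58:00 alice badge entry",
    "2024-03-05T09:03:00 alice windows logon",
    "2024-03-05T16:50:00 alice badge exit",
    "2024-03-04T21:30:00 bob vpn logon",      # bob works a night shift
    "2024-03-05T22:10:00 bob vpn logon",
    "2024-03-06T21:45:00 bob vpn logon",
]

# Constructed new events to be scored against the profiles
NEW_EVENTS = [
    "2024-03-07T02:15:00 alice windows logon",  # 2am logon for a day worker
    "2024-03-07T09:10:00 alice windows logon",
    "2024-03-07T22:00:00 bob vpn logon",        # normal for bob
    "2024-03-07T03:00:00 bob vpn logon",
    "2024-03-07T10:00:00 carol badge entry",    # no history for carol
]


def parse_event(line):
    ts, user, source, action = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "source": source, "action": action}


def _hour_of_day(ev):
    return ev["time"].hour + ev["time"].minute / 60


def build_profiles(lines, min_events=3):
    """Return {user: (earliest_hour, latest_hour)} seen in the history.
    Users with fewer than min_events observations get no profile, so a
    thin baseline cannot produce confident-looking verdicts."""
    hours = defaultdict(list)
    for ev in map(parse_event, lines):
        hours[ev["user"]].append(_hour_of_day(ev))
    return {u: (min(h), max(h)) for u, h in hours.items() if len(h) >= min_events}


def score_event(profiles, line, slack_hours=2.0):
    """Label one event: 'normal', 'off-hours' or 'unknown-user'."""
    ev = parse_event(line)
    profile = profiles.get(ev["user"])
    if profile is None:
        return "unknown-user"  # no baseline: route to a human, don't guess
    lo, hi = profile
    h = _hour_of_day(ev)
    if h < lo - slack_hours or h > hi + slack_hours:
        return "off-hours"
    return "normal"


def detect(profiles, lines):
    """Return the (line, label) pairs that deserve an alert or a review."""
    flagged = []
    for line in lines:
        label = score_event(profiles, line)
        if label != "normal":
            flagged.append((line, label))
    return flagged


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for line, label in detect(profiles, NEW_EVENTS):
        print(f"{label:12s} {line}")
```

The window approach is intentionally simple and does not handle shifts that cross midnight (a 23:00 to 01:00 worker gets a profile spanning the whole day); a production version would model hours on a circle or per weekday and add a suppression list for on-call staff.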
Identity management as a service (IDaaS)
Identity management as a service (IDaaS) refers to implementing the identity management concept through web services in a service-oriented architecture within the enterprise. Business applications, management applications or other services could call the IDaaS services autonomously or in some orchestrated way. Some vendors are already on this path. It involves a fundamental shift in how identity management products are conceived, designed and delivered.
Some companies are emerging that offer identity management as a service as a real third-party service to their clients. Although the idea seems great at first, there is a lot to consider regarding the legal implications, the service levels and the overall security. The basic question in outsourcing an identity management solution to a third party is one of trust. Do you trust these external service providers enough to handle your authentication, authorization, auditing and the general user lifecycle? What if they go bankrupt?
Personally I believe that IDaaS is a great new approach to identity management, but I suppose that no big company would have enough trust in an external IDaaS provider to really outsource this. The concept of an internal IDaaS provider inside the company network seems a lot more realistic, although in the end it might not be the most cost-effective solution.
Integrate identity and security in applications more easily than before
The needs of an application developer related to security and identity are diverse as well:
- Who can access the application? -> access control
- What’s the identity of the user? -> authentication
- What are the functions the user can perform in the application? -> authorization
- How do I maintain an audit log? -> auditing
Although these needs are fairly basic, in the past application developers very often used in-house developed and maintained frameworks. This makes transitions towards emerging standards, and towards new functionality requested by new business drivers, very cumbersome. Some vendors are responding to this need by offering the security- and identity-related components needed to develop in-house business applications.
These identity and security functions are exposed as web services or through an API, so that from that moment on the application developer has a standardized way to integrate these features.
This concept is very close to the IDaaS idea above, in which company-wide (web) services provide this functionality. The main advantage is that this approach tends to enable a more open response to new business needs, such as identity federation.
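As an added example (not the article's code and not any vendor's API), here is what "one standardized way to integrate these features" can look like in-process: a small IdentityService answers the four developer questions listed above (who may access, who the user is, what they may do, and an audit trail), and the application function approve_invoice delegates all of them instead of re-implementing anything. The class and function names, the role-to-permission table and the test users are constructed for the example.

```python
"""A minimal identity service exposing authentication, authorization and
auditing through one API, plus an application function that uses it.
Constructed example; password hashing uses PBKDF2 from the standard library."""
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timezone

PBKDF2_ROUNDS = 200_000


class IdentityService:
    def __init__(self):
        self._users = {}      # username -> (salt, pbkdf2 digest, roles)
        self._sessions = {}   # session token -> username
        self._permissions = {  # role -> allowed actions (constructed table)
            "clerk": {"invoice:read"},
            "manager": {"invoice:read", "invoice:approve"},
        }
        self.audit = []       # (timestamp, user, action, outcome)

    def _log(self, user, action, outcome):
        self.audit.append((datetime.now(timezone.utc).isoformat(), user, action, outcome))

    def register(self, user, password, roles):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[user] = (salt, digest, frozenset(roles))

    def authenticate(self, user, password):
        """Answer 'what is the identity of the user?': return a session
        token on success, None otherwise. Digest comparison is constant-time."""
        rec = self._users.get(user)
        if rec is None:
            self._log(user, "authenticate", "unknown user")
            return None
        salt, digest, _ = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            self._log(user, "authenticate", "bad password")
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        self._log(user, "authenticate", "ok")
        return token

    def authorize(self, token, action):
        """Answer 'what may the user do?' with deny by default: an invalid
        session, an unknown role or a missing permission all return False."""
        user = self._sessions.get(token)
        if user is None:
            self._log("?", action, "denied: invalid session")
            return False
        roles = self._users[user][2]
        allowed = any(action in self._permissions.get(r, set()) for r in roles)
        self._log(user, action, "granted" if allowed else "denied")
        return allowed


def approve_invoice(idm, token, invoice_id):
    """Application code: the identity questions are delegated entirely."""
    if not idm.authorize(token, "invoice:approve"):
        return f"invoice {invoice_id}: access denied"
    return f"invoice {invoice_id}: approved"


if __name__ == "__main__":
    idm = IdentityService()
    idm.register("alice", "correct horse", ["clerk"])
    idm.register("bob", "battery staple", ["manager"])
    print(approve_invoice(idm, idm.authenticate("alice", "correct horse"), 42))
    print(approve_invoice(idm, idm.authenticate("bob", "battery staple"), 42))
    for entry in idm.audit:
        print(entry)
```

Because both granted and denied decisions land in the same audit list, the "how do I maintain an audit log?" question is answered as a side effect of using the service rather than as extra work in every application; swapping the in-memory tables for a directory or a web service call changes the class, not the application code.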
Conclusions
Integrating user directories and triggering actions upon events in the user lifecycle is still important, but it has certainly become more common nowadays.
Large companies already have implemented this kind of identity management into their business processes.
I know examples where the projects already went through multiple iterations, always integrating more business applications and user directories, sometimes even handling company mergers and acquisitions.
But business is always evolving. Sometimes IDM has the answer to these business requests and sometimes it hasn’t. And most of the time when that happens, it’s because IDM systems are too vendor-encapsulated, not open enough and not flexible enough to incorporate emerging standards.
The shifts mentioned in this article could open up classical IDM. Perhaps these shifts will succeed in finding their footing, perhaps they will not.
That’s the problem in trying to predict the future.
——————-
Perhaps your constructive ideas or insights are better than mine. Feel free to share them with everybody in the comments below.