Surprisingly perhaps, use of the cloud to store and provision user credentials are still low within business; but it is beginning to grow. The reason for this slow growth probably has less to do with trust or the lack of it as it does with a growing experience in handling cloud vendor contracts.
Wisegate, a peer-driven IT research company that generates resources through collaboration of its senior-level IT professional membership base, recently surveyed more than 100 CISOs to get their thoughts and insights on the current state of IAM maturity within business. Today, I’ll share parts of those insights by focusing on the attitudes toward IAM and the cloud, and providing insights into the revolution of businesses adopting cloud credentialing.
In the Beginning
When the cloud first started, there were minimal options when it came to selecting service providers. The providers that existed held ascendancy and embraced ‘take it or leave it’ contracts. There was no negotiating, risk was pushed toward the customer, and contract terms were rigid.
As we all know, user credentials are business-critical, and with a rigid contract most companies chose to ‘leave it’ and I don’t blame them.
Times are Changing
The balance of power is changing, thankfully. With more cloud providers, businesses get just that: more. The competition is greater so business has the ability to negotiate and gain more over contract terms within providers. Business is gaining more experience in learning how to handle cloud contracts, which is a necessity since larger companies can easily use more than 1,000 different cloud services.
Business and cloud vendors are finding new ways to strike a balance. For example, cloud vendors are learning to deliver critical tasks like audits, and business is learning to balance paper audits with third party confirmations and on-site physical inspections.
Growth is Occurring
Although cloud-based IAM provisioning is low, it shows signs of growth and adoption over the next few years. In the survey of CISO Wisegate members, we found the following to show strong signs of growth :
- 2014: 2 percent of companies used the cloud for identity management ‘moderately’
- 2014: Zero companies used the cloud for identity management ‘always’
- 2015: 13 percent were using the cloud ‘moderately’
- 2015: 2 percent were using the cloud ‘always’
Social Media is Lagging
Though the opportunity for fast growth is visible, there is still one area that shows little potential – and that’s the use of social media credentials. Small online service providers are allowing users to access Internet services through social media usernames and passwords. Why would a company do this? Well, it effectively pushes effort and responsibility (if not risk) to big companies like Twitter, Facebook, and LinkedIn, while simultaneously making access much simpler for the user.
The social media credentialing approach seems to have spawned the future of identity and access management with the use of third party companies to attest a user’s identity. It’s a compromise between the old government desire to effectively maintain a strict centralized national identity database and the more modern wild west of social media.
There are currently three initiatives in progress, all using social media as a valid resource:
- NSTIC: Promoted by the U.S. government
- Verify: Being developed by the U.K. government
- Identity 3.0: An open source being developed by the NFP Global Identity Foundation
Will the business world accept this new approach to IAM when it is currently rejecting the social media version, and if so, will it adopt a government or independent version?
In five years, things will certainly have evolved. CISOs will have the choice between maintaining their own expensive proprietary identity ecospheres, or tapping into an inexpensive wider one, and the U.S. and U.K. governments will press for their own systems to be used.
The Revolution of Choosing
When CISOs compare the cost of running their internal password management and maintenance efforts with piggybacking of a system effectively underwritten by government, I suspect things will change.
Overall it there is a slow improvement in business IAM maturity, and very little adoption of cloud credentialing. Business is still concentrating on maintaining its own proprietary identity ecospheres, and slowly improving them. We know, however, that a revolution is coming.[su_box title=”About Wisegate” style=”noise” box_color=”#336588″]
Wisegate is a member-based IT research company that serves the industry’s most senior-level IT practitioners. Wisegate’s editorial team keeps a pulse on what matters to IT via its members, and publishes member-based advice, best practices and collaborative insights for the IT industry’s most pressing and important issues. [/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.