Over the past 15 years, the Identity and Access Management (IAM) industry has lived through an incredible evolution of business drivers. The shifts occurred faster than the market could respond, and the industry as a whole got caught in the undertow. This reality, in conjunction with other factors, has resulted in a scenario where IAM has been generally perceived as high value, but painful and expensive to implement.
However, over the past couple of years, the rise of cloud-based IAM, commonly referred to as Identity-as-a-Service (IDaaS), has generated massive buzz because of its potential to re-boot IAM and deliver on its potential for greatness. My prediction for 2014 is that it will be the year IDaaS wipes out IAM’s bad rap and that IDaaS becomes the poster child for cloud services done right.
However… before that can occur, we need to fix a glitch in the IAM Matrix.
What do I mean? To set the proper context, a crash course in IAM history is required:
Back in the mid-90s, Web Single Sign-On (SSO) and its compatriot Web Access Management (WAM) were on the rise in the IT world. The business drivers back then were a combination of productivity and security. With web applications beginning to proliferate, SSO was a huge boost to user productivity, and WAM allowed customers to dial in progressively greater levels of granularity about how users were or were not allowed to access applications.
A number of companies emerged to address this market, as did a new class of IAM products for managing passwords and basic account provisioning. These companies positioned themselves as an alternative to a healthy set of existing vendors selling strong provisioning platforms designed mainly to onboard new hires, grant application access faster, reduce password-reset calls to the helpdesk, and automate account management. The heated competitive landscape forced the ‘hardcore’ provisioning vendors to retrofit a user-friendly experience for self-service password management into their products.
This wellspring of IAM activity occurred right after the dot-com implosion, and the industry was thriving. Then the Enron, Tyco, WorldCom and Adelphia scandals happened, and everything seemed to change overnight. The moment Sarbanes-Oxley was signed into law, it became the top priority for IT departments. That same year, HIPAA emerged as a major IAM driver. The Great Blackout of 2003 brought NERC CIP, and then PCI launched a few years later.
Suddenly, IAM had a completely new set of drivers. If you could help a customer with compliance, the trumpets sounded, the angels sang and the CFO opened up his checkbook. CISOs were no longer interested in IAM for productivity, or even security for that matter – but they were extremely interested in how IAM could help with compliance and its first cousin, governance. The ripple effect on the market was immediate. SSO vendors started partnering with or buying the lightweight provisioning/password management solutions, and all IAM vendors marketed themselves as compliance solutions.
The thing is, compliance and governance require IAM features such as automated workflows, reconciliation and recertification – granular, specialized provisioning functions that only a subset of IAM products did well. However, all the noise and consolidation in the marketplace made it hard for buyers to separate the wheat from the chaff.
The bolt-on provisioning and compliance veneer that SSO vendors attached onto their core solutions withered in production environments. IT teams threw an inordinate amount of good money after bad trying to make it work. Soon enough, companies that had deployed those solutions to solve their governance problems were putting out RFPs again, in need of a solution that could meet their real world needs.
As painful as it was to endure, we learned some valuable lessons:
1) SSO is important, but mainly for productivity, not compliance and governance.
2) You can’t bolt governance onto something that was built as a productivity tool.
3) Really, you can’t. No matter how hard you try.
Fast forward to today.
IDaaS has swept across the land. The citizens are rejoicing because they are free from the tyranny of the data center, from heavy, project-creep-laden consulting engagements, from annual support agreements and from having to do expensive and cumbersome upgrades every few years.
But… here’s the glitch:
Inexplicably, the IAM market is once again touting SSO with basic provisioning as the Holy Grail. Why this is happening, I can’t quite say. However, we can fix this glitch! We have the benefit of being able to learn from history, to ask the right questions and make the right decisions.
SSO has great business value, but not for governance. Provisioning offers strong compliance and governance controls, but does not offer the productivity gains of SSO. And they are really, truly, really not the same thing.
So let’s make 2014 the year of IDaaS.
All we have to do is look back before we look forward. It really is that simple.
Ranjeet Vidwans | Vice President of Marketing and Business Development | Identropy
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.