by Earl Perkins | March 5, 2014 | 6 Comments
One of the things that I enjoy about working at Gartner is the ability to participate with clients and providers in industry, government, commercial, consumer and other sources in more precisely defining key terms and phrases resonating in the markets. In some cases, terms may come from sources outside of markets, but most of the time terms that later go on to be ‘famous’ get their start in marketing, for better or worse. Take for example the Internet of Things, or IoT. There is debate on its origin, but I have seen references to the term or ones similar to it dating from the 1990s, and ironically not from marketing. IoT is fine as a term, but it is awkward to continue to refer to “things” in your writing, so what will likely occur is a move to “objects”, “entities”, “identities” or “elements” when seeking precision in writing about what the “thing” really is in the IoT. From a security perspective (which is what I will endeavor to focus on), I’m more likely to write about securing the Internet of Things, but then refer to securing “objects” henceforth rather than “things”. This seems trivial, but I believe adopting some basic rules about how we express these terms is important to ultimately understanding this industry movement.
The next issue then arises as to the actual definition of the IoT. At present, it is an embracing term that Gartner defines as “the network of physical objects that contains embedded technology to communicate and sense or interact with the objects’ internal state or the external environment.” The key words in this definition are network, physical, embedded, communicate, sense, and state. Strictly speaking, the IoT doesn’t have to be the global Internet; it can be an internet or a private network. The objects in the IoT may also be passive in that they are simply tags, and what they communicate is an identity, like a bar code or RFID tag, for example. Even with this definition, the potential for defining objects that we interact with every day is profound, and I believe that’s one reason why many feel intuitively that this is something big, something disruptive, an inflection point in the way we view computing and networking. From a security perspective, a draft definition for IoT security can be “governance, practices, technologies and services used to secure the networks and objects that make up the Internet of Things.” To make matters more complex, an object itself can be a collection of other objects or individual elements, so securing the object means potentially securing the software, firmware and hardware of each as a single unit. You can see how interesting securing the IoT can become.
The concept of the IoT isn’t new at all. If you ask many engineers and technicians in industrial enterprises today, they will tell you that they have been dealing with devices and embedded technologies as defined here for decades. They can tell you about sensors that detect heat, pressure, temperature and other state changes, sensors that have been embedded in physical equipment that signal back their results over a network so that another device or system with processing capacity can analyze and make yet other changes in state (“lower the temperature”, “reduce the pressure”) for the environment where the sensors reside. RFID tags have been identifying millions of manufacturing components for years to systems that track them. The objects of the IoT have been available for some time. But the recent advances in some of the technology platforms and software have begun to move much of the ‘industrial’ IoT technologies into the mainstream, into commercial and even consumer spaces. The sheer level of innovation in combining the objects of the IoT into value delivery scenarios is mounting. Creative entrepreneurs are providing industry, business and the consumer with scenarios almost daily, some that will be destined to disrupt existing markets forever.
This leads me back to the security question– where does that leave those accountable for security and risk within their enterprise when it comes to understanding, embracing and managing this new world? The question is valid, but unless your enterprise is actually engaged in manufacturing objects of the IoT or delivering services for the IoT, the impact of the IoT in the short term is likely to look more like your current concerns around BYOD (where ‘device’ takes on a new meaning) and mobile security needs. Think about it– most smartphones today have several sensors within, each contributing to the human experience with the phone. In essence, you’re holding an object of the IoT in your hand today.
Another area, however, where securing IoT takes on present-day urgency is in operational technology, or OT. That’s another term whose definition I will explore in a later blog, but for now, consider the industry terms associated with OT, such as industrial control, industrial automation, process control. OT was part of the IoT before it was cool to be, and objects of the IoT exist everywhere in oil and gas, utility, manufacturing, transportation, health care– practically any industry where there are industrial-grade concerns not handled by general-purpose computer systems and networks. The industrial IoT itself is undergoing updating and upgrading, so many of the same technologies you will find in commercial and consumer markets for the IoT– sensors, embedded systems, machine-to-machine (M2M) communications, RFID tags– they already exist in OT. A strategy for securing infrastructures that use such systems to create changes of state is now one of the top concerns facing security and risk planners in enterprises today. What changes will traditional IT security undergo to embrace OT security? That too will be one of our next topics.
by Earl Perkins | January 30, 2014 | 1 Comment
When you read about the Internet of Things (IoT) in the press, it can get very confusing, particularly if you want to consider how one might go about securing the IoT. First, there isn’t universal agreement on what the IoT really is, whether it is literally architecture, infrastructure, marketing, or something else. Gartner has a definition for the IoT as do others, so I don’t know that this is a big issue. What we DO know is that the increasing attention focused on an interconnected world of devices far greater in number and variety than PCs, tablets and smartphones uncovers a fundamental truth for all enterprises that buy or sell products and services in the security markets. That truth is that the way decision-makers in enterprises think of the practice of security has to change. Their vision of information security, of IT security, of operational technology (OT) security, of physical security– is now obsolete.
Now why would I say something like that? After all, we still need a strategy for ensuring the confidentiality, integrity and availability of information. We need an infrastructure and practice that protects computer systems and networks. For many enterprises involved in industrial control and automation activities, we need that same protection for those operational systems that are the lifeblood of the enterprise. And yes, we need to continue the practice of protecting our physical infrastructure with the people and technology needed to secure our buildings and other physical assets. So what’s the issue?
Consider a world where the number of connected, communicating devices increases 100-fold. Those devices have hundreds of new form-factors for firmware, operating systems, communications protocols, and interfaces. Those devices are part of IT security, part of OT security, part of physical security. Those devices are interwoven and embedded into complex systems that need more machine-to-machine communications, more data collection, more analytics– more, more, more. But it isn’t just a matter of volume, it’s also a matter of complexity, and the expansion of the “threat surface”, the number of entry points into an enterprise (or multiple, linked enterprises). It is also a matter of the interconnectedness of the IoT, where problems in a physical security system can affect the OT systems, or the IT systems. It also means for example that we have to rethink the ideas of identity and access management, since we’re now going to have uniquely addressable devices and uniquely addressable humans, and complex relationships between humans and devices, devices and other devices– I think you’re starting to get the picture.
Perhaps it’s time to consider whether our current bias to the terms “information security” and “IT security” should remain. Perhaps we should consider a new term at the top of the security “pyramid” for many enterprises. By saying this, I am NOT lessening the importance of information in the new architecture of security– quite the contrary. What objects in the IoT have in common with traditional IT is their hunger for information. The devices of the IoT use that information to (among other things) literally change the state of the environment that device is in, whether it’s increasing temperatures for homes, shutting valves in water companies, or closing relays in an electric grid. But they still need reliable, accurate information to do so. Information is the currency of this new type of security. The ‘consumers’ of that information and the outcomes from decisions made with that information now expand a thousandfold.
So what adjective will we give “security” now in our enterprise? Will we continue to call our approach “information security” but with a broader definition set beneath it (and all of the changes to security risk, governance and management that may entail) or do we use something else? Gartner has a reputation of creating phrases that are used from time to time in the markets and with our clients. Perhaps it’s time we recommend another one. The issue isn’t the term, however. The issue is what enterprises must do to accommodate this new, combined way of looking at security, and the impact it will have on policy and practice. It just might give the idea of BYOD a whole new meaning. It will certainly change the calculus of risk. It’s very likely to change your plans for threat intelligence and incident management. It will change the way we secure our relationships with suppliers and partners. In any event, welcome to the new world of the unified security practice. Buckle your seat belts.
by Earl Perkins | January 20, 2014 | 8 Comments
Some of you no doubt noticed that Google announced their intention to buy a company known as Nest Labs for $3.2B U.S., one of their largest acquisitions ever. This blog isn’t about that acquisition, but it did get me to thinking about what such an acquisition means to our dialog on the security for the Internet of Things. It called to mind what is obvious in the way of concerns about securing a world of interconnected devices vs. what may not be obvious. I thought it would be appropriate to mention a few of the latter in the shadow of such a purchase. I realize that for many of you close to the industry, some of these concerns MAY already be obvious to you. If so, humor me so that I can point out some of them to the mainstream audience.
Concern #1 – For many devices in the IoT, programming and design is actually like a return to the ‘old’ days. While there are some similarities of IoT development to development and engineering for mobile devices (a lot in fact), many of these devices don’t have the user interface, the memory, the processing or the power you would find in a more general-purpose system like a tablet or smartphone. The devices are designed to work in harsh conditions in some cases for years with what comes from the hardware factory and the programmer. Embedded systems design figures prominently into many of these devices, and those devices are often required to communicate and interact directly with other devices, thus requiring a multi-layered understanding of machine-to-machine communications. Creating a security plan for such devices isn’t as easy as it appears. Let’s just take one example. If you are interested in installing some client code on a device of the IoT, you’ll have to make sure you talk with the designers and programmers at the beginning of the cycle to even see if they have the memory and processing to handle it. Early adopters of encryption in some systems are already finding this can be a big issue.
Concern #2 – I’ve noticed a lot of detailed attention paid to the development of power sources for many devices in the IoT. This has led me to wonder whether or not one of the more interesting attack vectors of the future may be a “denial of power” attack, where someone conversant in the design and architecture of such systems and interested in disabling them works out a way to deny those systems power, either by getting them to do processing in an excessive way (like denial of service attacks in networking) or by otherwise impacting the way power is used in the device. This is even true for those devices that might be permanently installed with “regular” attachments to power, such as a sensor for lighting systems in a city. You’ll then need to consider the physical security of the power source to ensure that you are really providing a 360 degree view of securing the device.
Concern #3 – I’ve been reading with interest the discussions about the identities of devices, and whether or not some aspects of traditional identity and access management can be used to address the IoT. While I’m certain that issues will arise regarding authenticating and authorizing access of applications running on devices of the IoT, I was thinking more about the scale of such implementations and how a device might have a relationship with another device, which has a relationship with a human, which has a— you get the idea. There are going to be some interesting designs for security management when you have to give everyone and everything a name and then work out the relationships between them to know what kind of access they should be provided.
My identifying these concerns wasn’t meant to depress you. I am also not the first one to think about them or consider them. But on the road to securing the Internet of Things, I think they bear consideration.
Category: Internet of Things Operational Technology Security Tags: embedded systems, Internet of Things, IoT, M2M, machine-to-machine communications, security
by Earl Perkins | January 10, 2014 | 1 Comment
Welcome to my first blog post in my new role within the Gartner security analyst team. I am starting a series of posts on two relatively new areas of Gartner security coverage.
The first will comment on security and risk management issues and concerns with the industrial control and automation infrastructure found in many enterprises, especially those involving critical infrastructure such as utilities, oil and gas firms, manufacturing, transportation, and others. Gartner refers to this infrastructure as “operational technology” (OT) to distinguish it from traditional IT infrastructure. Gartner refers to OT as hardware and software that detect or cause a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. Technologies such as SCADA, process control networking and distributed control systems are examples of OT. Media coverage regarding OT has grown in frequency as vulnerabilities are discovered and threats to OT systems and networks increase in frequency and sophistication.
The second will comment on security and risk management issues and concerns for what the markets now call the “Internet of Things”, or IoT. As many of you already know, the IoT is the network of physical objects that contains embedded technology to communicate and sense or interact with the objects’ internal state or the external environment. It ranges across myriad industries and examples, from devices to monitor health and exercise to smart watches to traffic flow sensors to intelligent smoke alarms to— well, you get the idea. The IoT is currently one of the most interesting concepts for innovators and entrepreneurs, and design ideas and product proposals are ricocheting across the market faster than professional ice hockey players. While not all of the IoT demands enterprise-class security, there are enough concerns about privacy and misuse of data or devices to merit consideration.
Gartner has already published research in OT and the IoT, and some security research has also been published on these fields as well. But the growth and position of these technologies for enterprise users and consumers demand more, and research in 2014 will focus on areas such as embedded systems security, securing smart cities, and business continuity/disaster recovery concerns in a world of OT and the IoT. We welcome your comments as we tackle some of the major security issues of the day for OT and the IoT here in this blog. Let’s get the discussion started.
by Earl Perkins | December 19, 2012 | 1 Comment
2012 has been quite a year for identity and access management for our clients and for the IT and business world in general. The amount of interest and inquiry has grown to unbelievable rates. Our research has been read, discussed, questioned and challenged. Our IAM Summit in Las Vegas had its strongest attendance since the summit’s inception. IAM vendors and service providers have been working with Gartner in record numbers to discuss their product and service roadmaps and futures. New ones have appeared almost monthly. While not necessarily a record year in mergers and acquisitions by IAM solution providers, it was robust. Actions by clients and providers alike point to an inflection point in IAM for 2013– in the way it is planned, produced, purchased and put into production.
Clients using IAM are growing more mature in IAM usage, demanding more of solution providers, and innovating as a result of the changing dynamics in business. Clients selecting IAM tools for the first time are asking harder and more penetrating questions regarding capabilities, pricing, and the nature of relationships with providers. The broader impacts of IT changes in mobile, cloud, social media and information (i.e. the Gartner Nexus of Forces) are being felt as IAM customers struggle to keep up with challenges and choices.
All of that sounds impressive, but what does it really mean for clients in 2013? What does it say about the future of IAM as a practice, a process, or a market?
IAM as a practice has finally gained a degree of credibility within maturing enterprises. Clients recognize the value of knowing who has access to what, who gave it to them, and what they’ve done with it. They leverage such knowledge not only for regulatory compliance purposes, but to enable business decision-makers to “index” decisions with a “who view”– to provide an identity context to decisions involving enterprise resources, supply chains, customer relationships and human resources. IAM as a process is now defined– there is more formalism and structure around employee, customer and partner onboarding, change management and offboarding of identities. There is better sharing of information between IAM systems and security systems that can also use that identity context in delivering their own answers to IT and the business alike, from data loss prevention to security information and event management, from network access control to governance, risk and compliance management. IAM as a market continues to grow at a formidable pace, addressing the increase in the means of delivery (via cloud and social media) as well as in access points (via mobile). Information is the delivery mechanism for identity context, but is also useful in providing a degree of granularity to the IAM experience, whether in authentication, authorization, provisioning or other capabilities.
2013 is going to be an exciting year for IAM and for clients that use it. Validation of all of those painful, pricey efforts to implement a robust identity data and log model will begin to bear fruit. IAM as a service (IDaaS) in the market will continue to grow in market presence, finding its place in realistic implementations that leverage the uniqueness of that delivery and challenge the status quo of enterprise solutions. The rise in mobile needs for IAM as well as the enabling of IAM options via mobile ensures a rich growth opportunity for innovation. Social media requirements as well as its contributions to IAM ensure a unique opportunity to redefine identity itself to be more encompassing than just for the enterprise. The quantity, quality and velocity of information from 2013 IAM systems will be dramatic, and clients will need to be careful that they don’t drown in a sea of IAM information, leveraging new skill sets and new analytics tools to ensure information becomes knowledge.
Happy New Year! And buckle your seatbelts. It’s going to be quite a ride.
by Earl Perkins | August 31, 2012 | 1 Comment
In a previous blog, I had touched upon the concerns that I had regarding the U.S. efforts at moving toward a consensus on how to secure N. America’s critical infrastructure, particularly in the energy and utilities markets. I believe the point of that blog was that many people were beating the warning drums, but fewer were offering up practical advice about how to counter the threats.
I recently read yet another article regarding the U.S. government’s “interference” in answering operational technology (OT) security concerns. The general thrust of the article was that the government was once again going to bumble their way into industries that it did not understand well and create more problems than it would solve by applying regulation in some form. The latest attempts in this arena involved the U.S. Cyber Security Act of 2012, which did not pass Congress prior to their latest recess. The article went on to underscore the belief that if the government would just ‘stay out of the way’, the private sector would self-regulate in the necessary fashion to ensure a secure critical infrastructure.
I am not here to debate whether that is true or not, though watching events over the last 4 years in the financial services sector leaves me a bit cynical about the ability of individual industries to look out for the welfare of the average citizen. What I DID want to say is enough already with the whining about critical infrastructure– how scary it is, how no one understands it, how government or industry is going to create an apocalyptic scenario if they continue on the current path. Here are some suggestions instead:
1- For the private industries, quit whining and complaining about how no one understands the trouble you’ve seen in security, and start cooperating to reduce the number of different forums giving advice (some of it conflicting). I’m dizzy trying to track the number of studies being released by government and private sector groups alike, some with different terminology for the same things, others with conflicting information (e.g. “The sky is falling!! No it’s not!! Yes it is! No it’s not!!”). Try prioritizing your venues for communication and information dissemination and collectively establish authoritative voices about the nature of the problem, the current state, and what can be done to address the problems. If you want to avoid regulation, be consistent with how you describe the problem to Congress by agreeing upon credible, factual sources rather than fighting it out in the media. You may not like the idea of government regulation, but at least they appear to be TRYING to do something, however misdirected you may feel it is;
2- For the government, quit your bickering over who’s in charge and sort out a strategic hierarchy. Bring some consistency to YOUR studies and reports as well, and come up with a taxonomy of which study is for which purpose and which group or infrastructure. In the case of energy and utilities, decide what the roles of DHS, ODNI, DOE, NRC, FERC, NIST (to name just a few), the White House, and Congress are and be clear about it. I know this isn’t likely to happen until after the election, but perhaps we can set this as an early goal for the next administration. In addition, quit changing the NERC CIP regulations long enough for consultants, integrators, and the companies affected by those regulations to have a stationary target. Most important of all, work with the private sector to ensure that you’re ALL drawing upon valid, credible, scientific sources of information from which to make decisions. Relegate questionable media reports by agencies that don’t have knowledge or awareness of the specific industries affected to their proper place in the decision process;
3- For all involved: we continue to need refinement of the common language we use about operational technology security, and to agree upon the major issues we must address. We need to agree upon what the obvious priorities are, i.e. what are the basics that can be done TODAY to take incremental steps to improve security for our critical infrastructure (such as ensuring that basic security policy is in place and APPLIED, and that organizational requirements are identified and established early so training can commence, for example). Most importantly, we need to understand WHO IS IN CHARGE for the particular priorities identified, and what being in charge means from a governance and program perspective.
As my wife often says, it’s time to put your big boy pants on and act your age. It’s possible to sort out major issues related to critical infrastructure protection if there is the grown-up willingness to admit something must be done and that someone must be able to lead and coordinate the effort. The rest should follow. I know it sounds easier than it really is, but it isn’t going to solve itself by wringing our hands or whining about who’s in charge.
by Earl Perkins | June 27, 2012 | 1 Comment
I REALLY shouldn’t have to write this piece. There are some things in life that you just learn to do that are built upon the ruin of those who came before you. George Santayana once said “those who do not learn from history are condemned to repeat it”. Out of all of the wisdom passed down to us– from history– you would think this would resonate in 2012, particularly in enterprises where information technology plays such a vital role in success.
And yet we continue to read about major companies– even IT companies for heaven’s sake– that make fundamental freshman security mistakes considered standard practice 20 years ago. Is it because these standard, common-sense security steps just aren’t sexy, and therefore aren’t pursued with the same vigor as an exciting CSI-like forensics investigation? Is it because you really don’t have to BUY technology to perform many of the standard practices that have been patiently codified, process by process, industry by industry? Is it because you lack the drive to deliver security awareness, training, and education into the culture of your organization? Or is it because you’ve grown complacent and lack the energy– in other words, have you grown lazy?
IT security as a priority for executives seems to have slipped in surveys taken in enterprises over the last two years, supplanted by issues that focus on data or applications, sometimes infrastructure. It is hard to know how to interpret that slippage, but one would hope it isn’t because of a perception that the problem has been ‘solved’ or that ‘adequate’ measures have been taken to address most risks. I’m sure that many enterprises have made enough progress to feel that way, and remain vigilant without necessarily consuming a major part of the IT budget to do so. But the news from the industry keeps coming, time and time again, of enterprises that have suffered major breaches or system failures due to simple, preventable occurrences. If we combine these simple issues with (a) a growing level of sophistication and persistence of threats; (b) the growing dimensions of security planning and management that are converging with our current IT security (e.g. physical security, industrial control security); (c) the complexity of ensuring privacy in an increasingly consumerized infrastructure; (d) the growth in the number and types of IT service delivery; and (e) the expanding set of regulations that enterprises must comply with in their respective industries– you can see that IT security remains a non-trivial concern.
So what is the lesson here? Let’s apply a radical concept known as common sense to ensure that EVERYTHING that can be done from a process and organizational perspective is done to ensure an effective IT security program is in place and operating at peak efficiency. Do not skimp on security awareness and education– not training, but REAL education that draws upon the lessons we appear to keep relearning as we keep making the same simple errors of procedure and process. Optimizing the environment before you spend anything on technology is a priceless investment, and can show that you can indeed learn from an excess of teachable moments still occurring daily.
by Earl Perkins | May 7, 2012 | 5 Comments
Do you find yourself sometimes looking at a problem in hindsight and saying to yourself “well, the answer to THAT was obvious”? When you are able to examine trends or history looking back, you can spot patterns where they may not have been obvious previously. I find myself doing that in identity and access governance (IAG) when it comes to the problem of governing access to data, whether unstructured, semi-structured, or structured.
If you look at IAG products today, a rather clear characteristic emerges about them– they are application-centric. The features that address access request administration assume that the requests for access are primarily for applications. The discovery and mining tools are predominantly focused on repositories that serve applications and applications themselves. The analytics tools often deliver reports in terms of applications. This is a good thing, not a bad thing. But it isn’t a complete thing.
Clients also have similar requests for access to data, whether it’s data in Windows file systems, data stored as email or documents, data that has well known formats, but data nevertheless. Sure, there may be an application between the requestor and the data, but it is primarily the data that is the target. That application doesn’t dictate the rules of engagement, the data does. Many of the products today that can or do handle access to data are often not covered or spoken of in IAM in general and IAG in particular.
Fortunately, that is starting to change.
A number of the IAG vendors are beginning to aggressively partner with data loss prevention (DLP) and security information and event management (SIEM) vendors in pursuit of extending their functionality into the data realm. Some are developing such capabilities organically rather than via partnership. Most are leveraging their identity and access intelligence functionality to collect, correlate, and analyze data to produce the intelligence required to broaden the scope of IAG from just applications to applications and data.
It isn’t a moment too soon. Stand-alone IAG vendors are under ‘attack’ by the IAM portfolio or suite vendors. The suite vendors believe that IAG administration and management features should be absorbed into the traditional user provisioning/de-provisioning products they have been selling for years. Or to view it another way, suite vendors believe that they should absorb the user provisioning features of their established products into the versions of IAG products they have acquired or developed. Whatever the direction, they are seeking to marginalize the smaller, more nimble players by showing that IAG features should join the mainstream side of user administration. This means these standalone players must seek new ways to innovate and expand their feature set– preferably in a logical and customer-driven way. In the case of the marriage of data and application access governance, it is a logical union. The question will be whether they can pull it off at a pace that addresses customer demand with competitive differentiation.
The next time you talk with IAM vendors about identity and access governance, ask them about their plans for data access governance. Make sure their story and what they can deliver matches your expectations for complete IAG.
Category: IAM, IT Governance
by Earl Perkins | May 3, 2012 | 6 Comments
I had a recent conversation with a client regarding concerns on the impact of supporting an increasingly mobile worker for security and access to enterprise applications. This isn’t a new concern, but trends and events unfolding at an ever-increasing pace have highlighted the problem and potential complexity of solutions for it. Let’s take a look at a few of them.
1- Improving capabilities of different mobile client devices (e.g. smartphones, tablet PCs) are drawing them inevitably into use as entry points to enterprise applications and data. I remember riding on a train in England going 80 miles an hour responding to email on an HP95LX "palm" device in 1998, so as I said, this isn't a new problem. But the sophistication of the devices, their flexibility, and their ease of use are pressuring IT shops to provide some form of IAM support for these devices, particularly for certain important customers (read: executives). The 'bring your own device' (BYOD) phenomenon is also part of this, where more employees and contractors use their own purchased smart client devices (including PCs) to access enterprise applications. All of this just adds more pressure on IAM solutions to broaden their functionality to support such environments;
2- The evolution of applications and services in terms of how they are delivered is also demanding more of IAM in a mobile world. Where the 'components' of the application are executed, how they are protected and accessed, and how identity administration changes in such a world as a result are key concerns. A hybrid world of cloud computing applications, enterprise applications, and hosted applications with outsourced services must all be supported with a common look and feel for access, a common system of reporting for compliance, and a graduated scale of access based on risk and sensitivity; the list goes on. Classical IAM products are attempting to extend their functionality to include these different client types and scenarios, but it remains a major concern for enterprises with a heavy reliance on mobility;
3- Integrating IAM systems with systems such as mobile data management and mobile application development is in the early stages and represents a positive (and needed) trend. Within enterprises, the asset management team that handles the issuance of mobile phones, tablet PCs, and the like must talk to the IAM team that does provisioning and deprovisioning of access to make sure there is a convergence of process for these activities, and vice versa. Mobile application developers that seek to incorporate mobile client services into enterprise application environments must understand that authentication and authorization requirements may differ from those to which they are accustomed, resulting in changes to their methodology and approach to programming for security and access.
I really don't like to use the phrase "this is in an early stage of evolution" for trends this volatile and dynamic, but it is what it is. This wave will roll over traditional environments like IAM, applications, and infrastructure and leave its mark, hopefully not the way a tsunami leaves its mark. Ignoring mobility in IAM, like ignoring tsunamis, is not an option.
Category: IAM
by Earl Perkins | April 25, 2012 | Comments Off
My colleague Gregg Kreizman and I just completed a market analysis on different facets of the IAM services market. I focused on the IAM consulting and system integration (C&SI) market; Gregg focused on the IAM as a service (or IDaaS) market. During and after our research, we were discussing the next task, a look at the IAM managed and hosted services market, research I intend to deliver in the summer. It was during that discussion that the subject came up: what is the difference between IDaaS and IAM managed/hosted services?
When I first started looking at all of these service types in 2009, I created a simple taxonomy that divided the IAM services market into (1) C&SI; (2) managed/hosted; (3) IDaaS, and (4) another category that was focused on how IAM services were architected. Gregg and I both now see a blurring of the definitions between managed/hosted and IDaaS. Many of the providers that claim IDaaS are actually more like managed/hosted providers in the way the services are delivered, contracted, and maintained. So is there really a difference?
If I look at the Gartner taxonomy for cloud computing applications, it informs me about how I should define IDaaS in contrast to managed/hosted services. There are primarily 3 differences:
(1) There is a high degree of standardization in IDaaS that allows an offering to clearly delineate feature sets, standard practice for implementation and use, and organizational support requirements. An IDaaS will depend upon standard design principles related to multi-tenancy (likely delivered via virtualization architecture and product), scale, and systems support using well-defined metrics and simple SLAs. It will also be targeted at a specific service such as access management or single sign-on; more sophisticated activities around areas such as identity and access governance are not yet mature enough to have established standards and practices applied to achieve the degree of standardization needed;
(2) Speaking of simple, the second key characteristic of IDaaS is the service's ability to deliver very simple contracts, without detail around MIPS or storage or processing, but instead around simple concepts related to metered usage and/or user counts. An IDaaS contract will be much smaller and simpler to understand than a managed/hosted contract;
(3) An IDaaS requires no dedicated network links or sophisticated engineering at the DMZ level to consume the service, and is based on Internet formats, interfaces, and protocols. There may be an appliance (hardware or software) that links to the service via a VPN, but it uses the Internet, not a dedicated network link.
So the key words for IDaaS are simplicity of design and delivery, scalable and metered, with a heavy emphasis on standardization across technology, process, and organization. As I have said, you're likely to find a blurring between IDaaS and managed/hosted services, and I'm not that sure whether it matters so much as long as the client is happy and satisfied with the result. This does indicate a trend to me: there will be more players in the market, those players will borrow generously from ALL service types (including consulting and system integration), and alliances will form around all three in different combinations to deliver IDaaS. Even the traditional IAM product vendors themselves will be active in the mix; they can provide the foundational raw material for some services, and facilitate the inevitable creation of the 'hybrid' world of the management of mixed cloud and enterprise applications.
So is there REALLY a difference between managed/hosted services and IDaaS? Whether it is evolution or revolution, there probably isn’t as much difference as you think.
Category: Cloud, IAM