Earl Perkins

A member of the Gartner Blog Network

Earl Perkins
Research VP
5 years at Gartner
32 years IT industry

Earl Perkins is a research vice president in the Security and Privacy team at Gartner. His focus areas include identity and access management (IAM), including user provisioning, role life cycle management…

Super-IAM? Where are the boundaries?

by Earl Perkins  |  August 4, 2009

When we first started talking about identity and access management long ago, it was a pretty exciting thing for analysts covering it – the tools to “do” IAM were brand new or just evolving, IAM issues were pressing and important to IT, and even to some areas of business as well. We sometimes got peripheral technologies and tools mixed up in the “official” IAM definition set (e.g. email security, asset provisioning, data classification), but over time we gradually settled on the areas Gartner and other IT research firms were able to define with some degree of clarity – or so we thought.

We’re now entering a new stage of IAM’s development, I believe, one that will require us to distinguish between “commoditizing” components of IAM vs. still-evolving components. Those components may not divide nicely along product feature-set lines either, but along the lines that customer demands say they should. One can already see the basic areas of user experience, workflow, reporting and brokering being repeated among the IAM component technologies, to the point where it drives IAM suite vendors to talk about how their current products are “integrated”. In other words, they use those same components repeatedly to accomplish the specific functions of those technologies. For example, if a suite can have the same user experience no matter which component is used, it’s classified as “integrated”.

But I’m thinking about something bigger. It seems as if we have this IAM “bubble” of capabilities that is expanding – web access management expands with user provisioning additions, user provisioning expands with role management additions, etc. etc. I’m now wondering where we draw an inside “bubble” to take out all of the easy-to-do, service-delivery-potential capabilities and relegate them to appliances or services, and what is left may then be the evolving, customizable, integrator-needful capabilities. Maybe capabilities like basic authentication, maybe some aspects of web access management are candidates. It already appears that some appliance vendors and services providers are experimenting with this.

I’m also thinking about where bubbles run into other bubbles, and whether they can “peacefully” coexist with overlap, or whether sooner or later someone has to be assimilated. For example, I’m now wondering whether what we call “role management” is actually the bigger bubble, with user provisioning comfortably inside it. By this I mean that the business-critical, customizable capabilities customers want are actually part of the entitlement administration (or as various vendors call it, access governance, access assurance, etc. – notice how that pesky word ‘access’ keeps showing up?), and as far as customers are concerned, provisioning is the plumbing of access governance.

I know this may start a fight with the user provisioning providers, but even they are talking more about the business-facing, compliance-delivering, analytics-performing pieces of their solution that sit on top of a user provisioning infrastructure. I’m gratified to see that we are returning full-circle to the access management discussion, as in true administration, reporting and analytics for multi-platform, multi-domain access. I’m not sure we should ever have left it.

I know this bubble discussion may be a bit confusing as I wrote about it, but I hope you get the basic idea from it. We’re entering a maturity phase of IAM where we should and do question where the boundaries of its capabilities end and others begin. Keep your definition pencils handy and your eraser clean.
