Earl Perkins

A member of the Gartner Blog Network

Earl Perkins
Research VP
3 years at Gartner
32 years IT industry

Earl Perkins is a research vice president in the Security and Privacy team at Gartner. His focus areas include identity and access management (IAM), including user provisioning, role life cycle management…

Key Recurring Themes in IAM Roadmap

by Earl Perkins  |  August 11, 2009  |  4 Comments

First of all, let me apologize for the strange entry earlier today. I was attempting to do the infamous “claim blog” with a popular technical web site.

On to more important things: recurring themes for the identity and access management roadmap going forward. Some of these themes are good marketing by some IAM vendors; other themes are truly customer-driven. A recent IAM summit also discussed similar themes. That’s the funny thing about this business: core issues look the same no matter who is peeking.

1- IAM as a service: Interest remains in the concept that some IAM capabilities can be delivered as a service. We have written about this before, but it’s important to note how early this is in execution. Sure, there’s consulting and system integration for IAM, and there’s managed IAM services, where someone hosts your IAM system for you. But the true, pure-play SaaS-delivered kind of IAM of which we speak is in an early stage of development. Economic conditions have helped it along, but it still struggles for the right kind of model to gain relevance;

2- IAM and governance, risk and compliance management (GRCM): We see a maturing of identity intelligence activities (audit, analytics, reporting) in their pursuit of contributing positively to compliance concerns. Further, this area of identity intelligence is resulting in one of the fastest growing segments of IAM. As the “plumbing” for IAM matures, the focus swings to that overlapping area where IAM can contribute positively to the GRCM experience, ranging from more extensive log analysis and data loss prevention to role lifecycle management and IAM-specific decision support activities;

3- Entitlement enforcement (or what many call authorization management): I remain reluctant to identify entitlement enforcement as entitlement “management” because I think of management in more passive terms, usually (e.g. creation, changes, deletions, monitoring, reporting) rather than control. Entitlement enforcement is pure old-fashioned access control itself. It has been cropping up increasingly in discussions about IAM among our clients, but it’s a tough one to resolve, as many companies can tell you. It won’t go away, however, and clever vendors are working on clever ways to make it relevant and real;

4- IAM and organization: This is a personal favorite of mine. Who in IT and business is responsible for using IAM effectively, and what are their roles, skillsets and best practice methods of doing so? I sometimes refer to this as exploiting your IAM purchase to its fullest, but perhaps there’s a negative connotation to ‘exploit’, so we’ll just use the highly-abused ‘best practices’ term. We are at a state with IAM where there should be a body of knowledge to tell us the most efficient ways to plan IAM, to build IAM, and to run or operate IAM, and it is people’s role in this process that we should focus on rather than the technology. People will make or break the IAM effort.

I’m sure there are other themes of IAM occurring now, from cloud computing (in the ‘IAM as a service’ area) to refinements in authentication, but I believe these themes have captured the attention of a lot of customers as of late. If you have other themes, please don’t hesitate to write and let the readers know what you think.

4 responses so far ↓

  • 1 Keith Grayson   August 12, 2009 at 7:50 am

    These points are broadly what I observe too.

    But I do have a couple of comments.

    In terms of IAM and GRCM, my experience is that IAM adds agility to GRCM in that it provides the good old-fashioned ability to detect and react to changes in identity data and policy in heterogeneous IT environments. It’s not just about new topics like role lifecycle management, but also about data quality through synchronisation.

    The other point is about IAM and the organisation. Let’s take an example. The business process is hire-to-retire. The system is the HR system. But the HR system is job position-centric and the IAM system is identity-centric. How does the IAM system support the HR organisational model? The same is true about customer-contact or sales management business processes. As the technology addresses the business processes, I believe the stakeholders will change positively.

  • 2 Earl Perkins   August 12, 2009 at 8:01 am

    Well said, Keith, re: first part. What I try to do is put IAM in the right context to GRC. Clients perhaps give IAM too much credit, and a few I’ve met actually talk as if GRC is or will be a subset of IAM, which is definitely not the case. The view of areas like role management I expressed was meant to view GRC impact from the perspective of IAM, not to imply those topics are even dominant parts of the broader discussion.

    Re: organization– IAM supports the HR system in that it uses HR as a source for information to ensure IAM is as representative as it can be for an enterprise. Job-centricity is a good thing– it represents a ‘view’ IAM must be able to address. My comments in the blog were oriented more to how an organization can be structured to take advantage of a well-built IAM system— I’m more concerned about who in IAM planning/support/operations/business use gets what skills and where they are in the organizational structure to be most effective.

    Thank you for responding, great comments.

  • 3 mike waddingham   August 12, 2009 at 12:25 pm

    With regard to ‘IAM and organization’, your comments resonate with what I have experienced in enterprise IAM programs. It reminds me of 20 years ago when the average business executive had trouble understanding IT, let alone how IT could strategically support his business.

    With IAM in the near term we may well get a body of knowledge and set of best practices for practitioners to follow, but the business engagement — true engagement where they understand the issues and lead the program — seems to be a long ways off.

    Mike

  • 4 Earl Perkins   August 28, 2009 at 12:39 pm

    Mike, sadly I have to agree with you. It seems that organizational change and the evolution of best practices are the slowest to reach a point of practical contribution.