Earl Perkins

This November, Gartner will meet many of its clients and others at the annual N. American Identity & Access Management Summit, this time in San Diego, California. As usual, there are discussions on a number of different IAM topics, and this time is no different. I’d like to talk briefly about one or two of the topics that will be discussed at length there.

The keynote at the summit is titled “The Death of IAM and the Loss of Identity Innocence:   A  Review of Program Maturity, Services-Driven Change, and New Era Threats”. That’s a whopper of a title (sorry about that) that tries to be a little more provocative about what many have considered infrastructure “plumbing”. Why? It is an attempt to garner the attention the issues deserve.

By death, we mean the passing of the “early childhood” of IAM and the move into adolescence, with all of the drama and volatility that comes with it, whether human, animal, or market. Looking at the general slate of basic offerings in IAM (web access management, user provisioning, single sign-on, etc.) we see a level of maturity being reached in terms of technology that requires a matching set of best practices (I still like calling them “success practices” when my peers stop laughing at me) processes, and organizational requirements to be considered truly mature. We’re learning, but it is a painful process, involving ROI calculations, skills inventories, benchmarking and contract restructuring, among other things. We’re attempting to structure what was a complex planning and implementation activity into an operational activity with lifecycle characteristics, while introducing yet another layer of technologies and processes to prepare for the next phase of IAM that addresses true business requirements in a direct fashion.

In this respect, I keeping thinking of the concepts of formal program maturity and of  ‘access accountability’. For program maturity to be truly successful, it takes more than a product or a good set of workflows in provisioning– you actually need a structured approach involving an IAM program maturity model. This model can work with some quantitative or at least rational qualitative measures to know where you are in the progression to maturity. I believe that the primary driver in compliance is actually going to become part of a broader approach to making access accountable, whether coarse-grained, “net-grained”, or fine-grained. This accountability achievement can be done in part by a more robust identity intelligence and reporting framework that overlays basic IAM. Such a framework could provide analytics, forensics, and historical aspects of the act of access, and use that information to hold the proper stakeholders accountable for that access.

That’s but one of the topics of our discussions this November, basically good, old-fashion meat-and-potatoes production IAM. I can’t wait to understand what customers think and what they know about these topics.