Ian Glazer

A member of the Gartner Blog Network

Ian Glazer
Research Vice President and Agenda Manager
4 years at Gartner
16 years IT industry

Ian Glazer is a research vice president and agenda manager on the Identity and Privacy Strategies team. He leads IdPS' coverage for authorization and privacy. Topics within these two main areas include externalized authorization management, XACML, federated authorization, privacy by design, and privacy programs.

Killing IAM in Order to Save It

by Ian Glazer  |  February 8, 2013  |  23 Comments

I gave this talk a few months ago. I had just finished writing our 2013 Identity and Privacy Planning Guide and was trying to think of a different way to express what I had written. What I came up with was this very, very different way to express what I had written. I’d love your feedback. Also, no commas were harmed in the filming of this presentation.

Category: Identity Management Market

23 responses

  • 1 Anil John   February 8, 2013 at 7:06 pm

    Love it!

  • 2 Nick Gall   February 8, 2013 at 7:30 pm

    Ian, Fantastic! I wish all Gartner presentations were like this. I love seeing Web-Oriented Architecture (WOA) winning in the IAM space.

  • 3 Ian Glazer   February 8, 2013 at 7:41 pm

    @Nick – I too wish that we had a bit more freedom when it comes to presentation styles. I just decided that instead of waiting for freedom to be granted, I’ll do what’s best for the audience.

  • 4 Ian Glazer   February 8, 2013 at 7:42 pm

    Thanks @Anil!

  • 5 Chris Haddad   February 8, 2013 at 9:03 pm

    powerful message!

  • 6 Leif Johansson   February 9, 2013 at 7:37 am

    As the poet said – “Life’s a batch”

  • 7 Lyle Steinberg   February 13, 2013 at 3:00 pm

    Ian, this makes total sense to me as a vision for the future. How do you see this affecting the IAM programs of the enterprise? Also, what can be the catalyst for such an explosion…for example, does the emergence of an adoptable NSTIC framework and solutions pave the way for enterprises to tear down their internal identity systems and instead establish access for an new worker via their ‘relationship’ to a credential provided by the worker?

  • 8 Ian Glazer   February 13, 2013 at 3:35 pm

    @Lyle – hugely awesome questions. I don’t believe there is a single catalyst. Today’s federation technology facilitates limited forms of BYOI and I expect this to mature. If there is a single thing I can point to that is needed, it is a better semantic representation of identities and their relationship to the enterprise – thus my point about graphs. There are nearly zero identity tools that can take advantage of graph representations of identity and without them the process of building authorization rules is the brittle, difficult mess we find ourselves with. Now I agree, NSTIC and its ilk will help people be able to more easily bring higher assurance (or more accurately, assurable) identities to the enterprise’s boundaries but without richer representations of relationship we will have only progressed slightly.

  • 9 Mark Dixon   February 15, 2013 at 6:22 pm

    Ian:

    Thought provoking presentation. Here’s a few observations:

    1. I agree that .csv is clumsy and unwieldy. However, the reason it is so often used is not necessarily because of IAM system deficiencies. It is because the other systems with which IAM systems must communicate refuse to adapt to easier methods of integration already supported by IAM systems. The unbearable inertia of enterprise systems is often a huge impediment to implementing more enlightened integrations.

    2. Thanks for recognizing that Oracle is actively moving to include IAM with business functionality. Not only Oracle cloud, but Oracle Fusion Apps have close integration between business functionality and IAM. It is a fundamental strategic shift in the direction you espouse.

    3. Are you proposing an entirely new data structure to manage the relationship graph? Neither LDAP directories nor relational databases really model the graph well, but I am not familiar with robust and proven alternate data structures that do a better job.

    Thanks for the insight.

    Mark

  • 10 Graph Databases « Discovering Identity   February 15, 2013 at 7:05 pm

    [...] Databases. One of the questions I posed in response to Ian Glazer’s recent post, “Killing IAM in Order to Save It,” [...]

  • 11 Jackson Shaw   February 16, 2013 at 2:10 pm

    Ian – If a picture is worth a thousand words then a video like this is worth a thousand PowerPoint slides. Well done!

    You have managed to capture what eats at me on dark nights when I think about our industry, when I think about our customers and their failed projects, when I think about the need for a revolutionary IAM breakthrough yet I can’t come up with that magical seed that leads me to it. That’s when I have to wrap myself in the memories of successful projects – usually including the comma – and return to the glass half full.

    But to steal a line from Robert Frost: I have promises to keep, and miles to go before I sleep. We do have a long way to go down the IAM road still.

  • 12 Ian Glazer   February 17, 2013 at 11:02 am

    @Jackson – Thanks! I’ve talked to customers about getting from here to there. There are steps in between, but I truly feel we need something almost deus ex machina here.

  • 13 Ian Glazer   February 17, 2013 at 11:06 am

    @Mark – Point 1 – yes target systems are to blame for continual reliance on csv. And cloud services who won’t support SCIM are the new flavor of the same rotten problem. Point 3 – we can separate representation from storage (just as we do in LDAP). A richer semantic representation is needed. I envision our EAM policy tools will serve as a broker to such stores. Later, I can see a query language a la LDAP’s for such structures.

  • 14 Ian Glazer   February 17, 2013 at 11:07 am

    @leif – and then you abend

  • 15 Matt Flynn   February 19, 2013 at 2:10 pm

    Great stuff Ian! As entertaining as it is informative. The shift seems to already be happening though. Microsoft Azure AD. Oracle Service-Oriented-Security. I wrote a paper in 2006 at MaXware about service-oriented Identity platforms leveraging virtual directory protocol translation. I think we agree on the end point but to Mark’s point, there are so many interconnected systems at play here. I don’t see a kill off. I see a transformation. First, enable service-oriented communication. Then maybe swap the identity store for something more conducive than LDAP or RDBMS. App vendors will need to support a service-based approach to meet customer feature expectations and in 10 years, the comma will be obsolete.

  • 16 Marc PHAM   February 20, 2013 at 8:54 am

    This presentation is fantastic and I truly agree with its conclusions. IAM as we know it must be killed, and a new, better paradigm must be defined.

    Now I don’t totally agree with some of your premises, even if I understand you have to be dramatic to prove your points

    The comma – From my experience the problem is not so much the comma as Excel. People want to be able to alter data, and there is sadly no real option outside of Excel, despite its obvious flaws (multivalued attributes, disappearing zeros, …). When we suggest more modern formats like JSON, people are often reluctant because they say they won’t be able to read and modify data.

    LDAP and hierarchy – LDAP is hierarchical in theory, but in practice it’s even worse. Moving an entry between branches means changing the DN, and you just don’t want to do that. Most LDAP servers forbid by default changing the RDN. So all entries are poured into a unique branch (ou=people…).

    Since – as you pointed out – LDAP can’t deal with relationships, serious IAM implementations never use LDAP as the primary directory. They prefer to model data in a respectable relational database. And because LDAP is a required standard, they publish (and denormalize) data into LDAP entries to present them to applications.

    So yes, LDAP is to be gotten rid of and yes, IAM needs to be rebooted for the better! (and move from a technical infrastructure, which it still largely is, to a service turned toward business and operations).
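
Mark’s question in comment 9 (what structure models the relationship graph), Ian’s answer in comment 13 (separate representation from storage, express rules over a richer semantic model) and Marc’s point in comment 16 (moving an LDAP entry means a DN rename, so everything ends up in one flat branch) are easier to picture with a small, concrete graph. The block below is an added illustration written for this page; it is not code from the post, from Gartner or from any IAM product, and the people, org units, document names and relationship types are all made up. It stores identities, org units and documents as nodes with typed edges, expresses a read rule as a pattern over those edges, and shows that reassigning a person is a one-edge change rather than a rename of the entry itself.

```python
from collections import defaultdict, deque


class IdentityGraph:
    """Typed, directed edges between identity nodes (people, org units, documents).

    Constructed illustration for this discussion, not code from the post or from
    any IAM product: node names and relationship names are hypothetical.
    """

    def __init__(self):
        self.out = defaultdict(list)  # node -> [(relationship, target)]

    def relate(self, subject, rel, obj):
        self.out[subject].append((rel, obj))

    def unrelate(self, subject, rel, obj):
        self.out[subject].remove((rel, obj))

    def targets(self, node, rel):
        return [t for r, t in self.out[node] if r == rel]

    def reachable(self, start, rels, goal):
        """Breadth-first search following only the relationship types in `rels`.

        The visited set keeps this terminating on cyclic data (a reporting loop
        in a badly migrated HR feed is a classic bad input)."""
        seen, queue = {start}, deque([start])
        while queue:
            node = queue.popleft()
            if node == goal:
                return True
            for rel, target in self.out[node]:
                if rel in rels and target not in seen:
                    seen.add(target)
                    queue.append(target)
        return False

    def manages(self, manager, employee):
        """True if `manager` is anywhere above `employee` in the reports_to chain."""
        return manager != employee and self.reachable(employee, {"reports_to"}, manager)

    def can_read(self, user, doc):
        """Relationship-based read rule:
          - the user authored the document, or
          - the user is in the management chain of its author, or
          - the user belongs, directly or via nested units, to the unit that owns it.
        No per-document group and no DN have to be maintained for this to hold."""
        for author in self.targets(doc, "authored_by"):
            if user == author or self.manages(user, author):
                return True
        for unit in self.targets(doc, "owned_by"):
            if self.reachable(user, {"member_of", "part_of"}, unit):
                return True
        return False


def move_member(graph, user, old_unit, new_unit):
    """Reassigning a person is one edge swap; the node itself is untouched.

    In an LDAP tree the same change is a DN rename, which is the operation
    Marc notes most servers forbid by default."""
    graph.unrelate(user, "member_of", old_unit)
    graph.relate(user, "member_of", new_unit)


def build_sample_graph():
    """Constructed sample data: hypothetical people, units and documents."""
    g = IdentityGraph()
    # org structure: engineering sits inside the product division
    g.relate("ou:eng", "part_of", "ou:product")
    g.relate("ou:product", "part_of", "ou:company")
    g.relate("ou:sales", "part_of", "ou:company")
    # people and their unit membership
    g.relate("alice", "member_of", "ou:eng")
    g.relate("dave", "member_of", "ou:eng")
    g.relate("bob", "member_of", "ou:sales")
    g.relate("carol", "member_of", "ou:product")
    # reporting lines
    g.relate("dave", "reports_to", "alice")
    g.relate("alice", "reports_to", "carol")
    # documents and what they hang off
    g.relate("doc:roadmap", "owned_by", "ou:eng")
    g.relate("doc:review", "authored_by", "dave")
    g.relate("doc:handbook", "owned_by", "ou:company")
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print("alice reads roadmap:", g.can_read("alice", "doc:roadmap"))  # True (member of owning unit)
    print("bob reads roadmap:", g.can_read("bob", "doc:roadmap"))      # False (different branch)
    print("carol reads review:", g.can_read("carol", "doc:review"))    # True (manages the author)
    move_member(g, "bob", "ou:sales", "ou:eng")
    print("bob reads roadmap after move:", g.can_read("bob", "doc:roadmap"))  # True
```

The point of the design is that the authorization rule names relationships, not containers: membership is read up the `member_of`/`part_of` chain, so an `ou:eng` member is also an `ou:product` and `ou:company` member for documents owned higher up, while a parent-unit member gets no automatic access to a child unit’s documents. Storage is deliberately separated from the representation, as Ian suggests; the same edges could live in a relational table or a graph store and the rule would not change.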

  • 17 Chris Olive   February 22, 2013 at 3:37 pm

    Ian, excellent and really enjoyed. There are a number of tangent points in your presentation that could be spoken to IMO.

    One thing that I ponder a lot is the pace and paradigm shift in the overall technology space which hasn’t yet permeated the enterprise in the areas of Identity Management. Due to past lack of initiative, Identity Management seems to be in a backwards time warp, just now catching on (driven by compliance requirements).

    There are forces moving now that are amazingly disruptive to the enterprise landscape, characterized by things like BYOD, carry-with and so-called social identities, XaaS offerings (which business lines are enacting as a LOB expense, apart from internal IT or a centralized enterprise strategy!), etc. that aren’t compatible with either most Identity Management systems or the legacy systems IdM systems are supposed to connect to. (As someone who leads and rolls out these solutions and has to solve the comma-to-graph problem all the time in the form of business use cases, I can relate to other comments here.)

    What is very quickly developing in enterprise IT is a divide between legacy and emerging with no bridge for crossing; enterprises are ferrying their way over to the other side. Great thoughts and prezi!

    Thanks Matt Flynn for your tickler via Twitter this week!

  • 18 Ian Glazer   February 22, 2013 at 3:57 pm

    @chris – I agree there are some really useful disruptions occurring that have yet to make their way to IAM. In some regards, IAM is like the US telephone (landline) infrastructure – huge investments over years that found itself at a disadvantage when cellphones arrived. Some countries just simply skipped over deploying landlines and went straight to cell. The problem is that the IAM market hasn’t offered up the equivalent of cellphones yet. We keep peddling landlines hoping people will think they are retro-cool.

  • 19 Ian Glazer   February 22, 2013 at 3:59 pm

    @marc – you are so right about Excel. It was never meant to be an ETL and yet it is.

  • 20 Ian Glazer   February 22, 2013 at 4:01 pm

    BTW – for those of you reading the comments – check out Michel’s blog on this – he raises some good points

  • 21 Chris Olive » Blog Archive » Ian Glazer: Killing IdM to Save It   February 22, 2013 at 4:06 pm

    [...] recently watched Ian Glazer of Gartner’s presentation on Killing IAM In Order To Save It and whole heartedly agree with a lot of what he advocates in this quick presentation. Enough to [...]

  • 22 Graphs of Identities « Discovering Identity   February 28, 2013 at 7:48 am

    [...] interesting ideas are swirling in my mind in response to Ian Glazer’s challenge, “Killing IAM in Order to Save It” and Dave Kearn’s article “Pervasive and Ubiquitous [...]

  • 23 Ian Glazer – Killing IAM in Order to Save it | Carsten's thoughts on IAM, IAG and Security   March 3, 2013 at 3:33 pm

    [...] just nothing more to say, it’s just Ian Glazer: Killing IAM in Order to Save it [...]