Gartner Blog Network


Looking at the big picture about IAM

by Earl Perkins  |  May 10, 2010  |  3 Comments

Hello everyone. It has been a long time since my last entry. There is no valid excuse– as Bambi’s mom said, if you don’t have anything good to say, don’t say anything at all. But maybe I do have something valid to discuss with you.

Seriously, this has been an interesting period for identity and access management systems over the past few months. I get the sense that we’re at one of those inflection points regarding a market, a method, a discipline– however you as a customer care to define IAM. I just am beginning to get the sense (a perception, Earl– are you talking about a perception here?  See my last blog on Novell) that unless we rethink this entire business of IAM, we’re going to make some fundamentally serious mistakes in servicing the enterprise.

The current ‘model’ for IAM just doesn’t appear to work. I put the word model in single quotation marks because it is such an overused term, I didn’t want you to take it literally– I wanted you to think of method, or process, of organization, of approach. For one thing, I’m concerned that we are trying to institutionalize a technology approach to this issue, when technology is not the ‘model’ we should be leading us at all.

IAM really isn’t a technology issue. The roots of IAM problems may be in technology, and some technology implementations have actually caused IAM to be talked about as a separate discipline (e.g. the way we use and handle passwords for access), but many of us miss a fundamental issue with IAM– we tend to seek an external answer to what is essentially an internal issue.

What in the world do I mean? IAM has been part of our technology solutions all along. The problem is we have too many of them, clever and kludgy, diverse and standard, existing at all layers of IT infrastructure and software. Everywhere we look, some application is making an authorization decision, or some operating system is making an authentication decision, some non-IAM software is printing an IAM report or monitoring an IAM event. IAM is everywhere– and nowhere, particularly if you’re wearing your technology glasses.

Well, take them off for a minute, and put some other types of glasses on. Your resource planning lens may look at this as an issue of knowing who is using a resource, proving that you know, and making sure it’s the right resource for the right person to do their job– and no more. Your organizational lens may reveal how much time, money, and effort it takes to find out who is accountable and responsible for handing out access entitlements, for reporting, for enforcing. Your compliance lens may want to align what you know about  all types of people (employees, contractors, partners, customers) and their access based on what laws and regulations say they can and cannot access.

Just like in architecture there are different slices and views of the same issue, there are many roads to a decision about what IAM should look like for an enterprise. IAM isn’t that much about delivering the technology to achieve that look– it’s the journey to get to the look itself. Formalize that journey, make it a consistent, measurable, quality journey, and you got yourself IAM. Incorporate it into mature processes, organizational structure, and operations, and you have yourself effective IAM.

So what– I’m not really saying anything new here. It has been written about over and over. What I am trying to expand on is that the current technology-driven approach the market takes to ‘delivering’ IAM is flawed, and needs a rethink and a fresh approach. Some companies and institutions have already done this, with promising results. I’m also a believer in the minimalist approach to solving issues like this, mainly because that approach allows a multi-staged journey to complexity— if it’s needed. Starting out with complex, heavily-featured products and endless discussions about integration are a sure sign that you better hide your wallet.

This has just been some rambling observations (perceptions) about the state of IAM. I’d like to hear your own ramblings as well.

Additional Resources

Category: 

Earl Perkins
Research VP
5 years at Gartner
32 years IT industry

Earl Perkins is a research vice president in the Security and Privacy team at Gartner. His focus areas include identity and access management (IAM), including user provisioning, role life cycle management… Read Full Bio


Thoughts on Looking at the big picture about IAM


  1. Chris says:

    Yes, Yes, Yes, I can only agree 100% or even more. But how difficult it is to have the “Business” and the “Management” interested in IAM. The Main reason why it is still technically driven, it’s because IT people are driving it. How difficult, it is to have IAM as proper model, with proper process, organisation, responsibilities in the enterprise, with the right governance model. This is sometimes a bit easier for the major Business Applications, but for the rest of the IT, what a pain to get traction and support from the rest of the organisation.

  2. Earl Perkins says:

    Hello Chris. i’ve thought about this, and i’m thinking about all the major efforts that IT goes through to legitimize their existence with the business, or to take an equal role in providing the technical foundations for business to be effective. CRM, ERP, Supply Chain, Finance, HR– all of these have suffered in one way or the other with “getting the business to buy in” or “getting the business to lead”. It has given rise to books like “IT Doesn’t Matter” by having this Rodney-Dangerfield-like role in the enterprise.

    I’ve finally decided after living on this side of the issue for so long that we have to take care of ourselves (in IT) and optimize our role as liaison and arbiter to the business. We never expect an automobile driver to want to be interested in how one works, what’s going on in the engine, those kinds of things. Why should we expect the same with the relationship we have with the business being the driver and IT being the automobile. The best we can hope for is to learn enough about how to talk to the driver to give them the best advice on driving the car, warning them about a car’s defects, fixing it when it’s broken, and otherwise being available.

    We still have a way to go in IT, even after ALL THESE YEARS, to be that automobile and the mechanic, and having a great relationship with the driver. moving closer, but not there yet.

    Substitute “IAM” for “IT”, and this conversation is still germane.

  3. Richard says:

    After many years since the early ’90’s working on Directory Services projects for some of the world’s biggest businesses, trying to tie all the disparate pieces together with many different pieces of string, and later when the terminology changed to IAM (after many iterations of the same thing), what did we achieve? We frightened off the customer with technology. We frightened off the customer with cost and we cooked up all kinds of complicated varieties because the recipes were all so different. They still are. All these vendors pushing more and more ‘best of breed’ solutions at their customers, even in a niche market.
    What we didn’t do is humanize the experience for the customer, we didn’t acknowledge it as a social experience. We baffled them with science.
    None of it will hang together until we have a universal standard for directories and we still haven’t learned to use a universal terminology. Even the journalists have refused to use vendor speak so how convincing have the vendors really been all these years. Its a business so let the business shine through and let’s not let technology continue to drive it away from where IAM is at its most useful.



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.