
Killing IAM in Order to Save It

By Ian Glazer | February 08, 2013 | 19 Comments

I gave this talk a few months ago. I had just finished writing our 2013 Identity and Privacy Planning Guide and was trying to think of a different way to express what I had written. What I came up with was this very very different way to express what I had written. I’d love your feedback. Also, no commas were harmed in the filming of this presentation.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.


19 Comments

  • Nick Gall says:

    Ian, Fantastic! I wish all Gartner presentations were like this. I love seeing Web-Oriented Architecture (WOA) winning in the IAM space.

  • Ian Glazer says:

    @Nick – I too wish that we had a bit more freedom when it comes to presentation styles. I just decided that instead of waiting for freedom to be granted, I’ll do what’s best for the audience.

  • As the poet said – “Life’s a batch”

  • Ian, this makes total sense to me as a vision for the future. How do you see this affecting the IAM programs of the enterprise? Also, what can be the catalyst for such an explosion…for example, does the emergence of an adoptable NSTIC framework and solutions pave the way for enterprises to tear down their internal identity systems and instead establish access for a new worker via their ‘relationship’ to a credential provided by the worker?

  • Ian Glazer says:

    @Lyle – hugely awesome questions. I don’t believe there is a single catalyst. Today’s federation technology facilitates limited forms of BYOI and I expect this to mature. If there is a single thing I can point to that is needed, it is a better semantic representation of identities and their relationship to the enterprise – thus my point about graphs. There are nearly zero identity tools that can take advantage of graph representations of identity and without them the process of building authorization rules is the brittle, difficult mess we find ourselves with. Now I agree, NSTIC and its ilk will help people be able to more easily bring higher assurance (or more accurately, assurable) identities to the enterprise’s boundaries but without richer representations of relationship we will have only progressed slightly.

  • Mark Dixon says:

    Ian:

    Thought provoking presentation. Here’s a few observations:

    1. I agree that .csv is clumsy and unwieldy. However, the reason it is so often used is not necessarily because of IAM system deficiencies. It is because the other systems with which IAM systems must communicate refuse to adapt to easier methods of integration already supported by IAM systems. The unbearable inertia of enterprise systems is often a huge impediment to implementing more enlightened integrations.

    2. Thanks for recognizing that Oracle is actively moving to include IAM with business functionality. Not only Oracle cloud, but Oracle Fusion Apps have close integration between business functionality and IAM. It is a fundamental strategic shift in the direction you espouse.

    3. Are you proposing an entirely new data structure to manage the relationship graph? Neither LDAP directories nor relational databases really model the graph well, but I am not familiar with robust and proven alternate data structures that do a better job.

    Thanks for the insight.

    Mark

  • Jackson Shaw says:

    Ian – If a picture is worth a thousand words then a video like this is worth a thousand PowerPoint slides. Well done!

    You have managed to capture what eats at me on dark nights when I think about our industry, when I think about our customers and their failed projects, when I think about the need for a revolutionary IAM breakthrough yet I can’t come up with that magical seed that leads me to it. That’s when I have to wrap myself in the memories of successful projects – usually including the comma – and return to the glass half full.

    But to steal a line from Robert Frost: I have promises to keep, and miles to go before I sleep. We do have a long way to go down the IAM road still.

  • Ian Glazer says:

    @Jackson – Thanks! I’ve talked to customers about getting from here to there. There are steps in between but I truly feel we need something almost deus ex machina here.

  • Ian Glazer says:

    @Mark – Point 1 – yes target systems are to blame for continual reliance on csv. And cloud services who won’t support SCIM are the new flavor of the same rotten problem. Point 3 – we can separate representation from storage (just as we do in LDAP). A richer semantic representation is needed. I envision our EAM policy tools will serve as a broker to such stores. Later, I can see a query language a la LDAP’s for such structures.

  • Ian Glazer says:

    @leif – and then you abend

  • Matt Flynn says:

    Great stuff Ian! As entertaining as it is informative. The shift seems to already be happening though. Microsoft Azure AD. Oracle Service-Oriented Security. I wrote a paper in 2006 at MaXware about service-oriented identity platforms leveraging virtual directory protocol translation. I think we agree on the end point but to Mark’s point, there are so many interconnected systems at play here. I don’t see a kill off. I see a transformation. First, enable service-oriented communication. Then maybe swap the identity store for something more conducive than LDAP or RDBMS. App vendors will need to support a service-based approach to meet customer feature expectations and in 10 years, the comma will be obsolete.

  • Marc PHAM says:

    This presentation is fantastic and I truly agree with its conclusions. IAM as we know it must be killed, and a new, better paradigm must be defined.

    Now I don’t totally agree with some of your premises, even if I understand you have to be dramatic to prove your points.

    The comma – From my experience the problem is not so much the comma as Excel. People want to be able to alter data, and there is sadly no real option outside of Excel, despite its obvious flaws (multivalued attributes, disappearing zeros, …). When we suggest more modern formats like JSON, people are often reluctant because they say they won’t be able to read and modify data.

    LDAP and hierarchy – LDAP is hierarchical in theory, but in practice it’s even worse. Moving an entry between branches means changing the DN, and you just don’t want to do that. Most LDAP servers forbid changing the RDN by default. So all entries are poured into a unique branch (ou=people…).

    Since – as you pointed out – LDAP can’t deal with relationships, serious IAM implementations never use LDAP as the primary directory. They prefer to model data in a respectable relational database. And because LDAP is a required standard, they publish (and denormalize) data into LDAP entries to present them to applications.

    So yes, LDAP is to be gotten rid of and yes, IAM needs to be rebooted for the better! (and move from a technical infrastructure, which it still largely is, to a service turned toward business and operations).

  • Chris Olive says:

    Ian, excellent and really enjoyed. There are a number of tangent points in your presentation that could be spoken to IMO.

    One thing that I ponder a lot is the pace and paradigm shift in the overall technology space which hasn’t yet permeated the enterprise in the areas of Identity Management. Due to past lack of initiative, Identity Management seems to be in a backwards time warp, just now catching on (driven by compliance requirements).

    There are forces moving now that are amazingly disruptive to the enterprise landscape, characterized by things like BYOD, carry-with and so-called social identities, XaaS offerings (which business lines are enacting as a LOB expense, apart from internal IT or a centralized enterprise strategy!), etc. that aren’t compatible with either most Identity Management systems or the legacy systems IdM systems are supposed to connect to. (As someone who leads and rolls out these solutions and has to solve the comma-to-graph problem all the time in the form of business use cases, I can relate to other comments here.)

    What is very quickly developing in enterprise IT is a divide between legacy and emerging with no bridge for crossing; enterprises are ferrying their way over to the other side. Great thoughts and prezi!

    Thanks Matt Flynn for your tickler via Twitter this week!

  • Ian Glazer says:

    @chris – I agree there are some really useful disruptions occurring that have yet to make their way to IAM. In some regards, IAM is like the US telephone (landline) infrastructure – huge investments over years that find themselves at a disadvantage when cellphones arrive. Some countries just simply skipped over deploying landlines and went straight to cell. The problem is that the IAM market hasn’t offered up the equivalent of cellphones yet. We keep peddling landlines hoping people will think they are retro-cool.

  • Ian Glazer says:

    @marc – you are so right about Excel. It was never meant to be an ETL and yet it is.

  • Ian Glazer says:

    BTW – for those of you reading the comments – check out Michel’s blog on this – he raises some good points