
Representation over Storage: Responding to “Killing IAM”

By Ian Glazer | March 21, 2013 | 2 Comments

I put my 18-minute ramble/rant on Killing IAM out on the blog a few weeks back, and I have to say, I have been blown away by the response. Besides all the comments on the blog itself, I’ve had multiple people take me aside to discuss some of the implications of killing IAM off so that it can be reborn. And I have to give Michel Prompt at Radiant Logic a special call-out for not one, but two, blog posts in response to what I said.

Before I respond to Michel, it is interesting to note what people did not take issue with. Stateless identity, apparently, isn’t too controversial. I think we can agree that identity needs to be where the developers are and increasingly, especially in the mobile setting, this means in a RESTful world – one in which stateless identity is well suited. Furthermore, people didn’t take too much issue with my assertion that OAuth, SCIM, and OpenID Connect, although by no means perfect, are going to be a major part of the future of IAM.

Another thing people didn’t disagree with was my assertion that identity has to be interwoven into the services the business craves. Baking identity into the platform is simply how all major service providers will proceed. To be fair, there was plenty of comment and disagreement over what the impact will be on smaller identity technology providers. But I think we all agree that the way identity is procured and consumed is still evolving.

So, coming back to Michel’s well-written rebuttals, the thing I mentioned that seemed to strike a nerve and cause discord was the point that graphs are needed in order to model and manage relationship hierarchies. Caught up in the response was the implication that graphs (and network databases) are superior to LDAP and SQL.

Let me be crystal clear – I didn’t come to throw stones at SQL or rehash the “should I use a directory or a database” conversation. (I agree with most of Michel’s post regarding the storage of information.) My concerns are over the representation of relationships and identities, not the storage mechanism for those relationships and identities. Given the world of complex relationships we live in, the tools we have today for managing “who can get access to what” are poor. The tools are low fidelity. They rely too heavily on artificial hierarchies.

We need richer semantic representations of relationships and identities accompanied by policy management tools that use that richness. Writing authorization policies requires high fidelity; it requires a means for business analysts to express in their own business terms the rules of the road. I believe that a graph representation of relationships and identities can empower such tools. How that data is stored – I leave to data management professionals.
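To make the distinction between representation and storage concrete, here is a small added example (written for this page, not code from the original post or from any of the vendors named in it). Relationships are typed, directed edges in a graph, and an authorization rule is written as a path through those relationships rather than as membership in a fixed group tree. A folder hierarchy appears in the data, but only as one more relationship type (`contains`), not as the structure the policy is built around. All node names, relation names and the policy rules are constructed for illustration; the graph lives in a plain Python dictionary here, which is exactly the point: the storage engine behind it could be anything.

```python
"""Relationship-graph authorization (ReBAC) in miniature.

Constructed example for illustration. Nodes are strings such as
"user:alice", "team:payments" or "doc:budget"; edges are typed and
directed, e.g. (user:alice) -member-> (team:payments). A permission is
granted when some policy path walked from the subject reaches the object.
"""
from collections import defaultdict
from typing import Dict, Iterable, Optional, Sequence, Set, Tuple

Path = Tuple[str, ...]


class RelationshipGraph:
    """Directed graph with typed edges, indexed by (subject, relation)."""

    def __init__(self) -> None:
        self._out: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    def add(self, subject: str, relation: str, obj: str) -> None:
        self._out[(subject, relation)].add(obj)

    def step(self, nodes: Iterable[str], relation: str) -> Set[str]:
        """Follow one relation type from every node in the frontier."""
        result: Set[str] = set()
        for node in nodes:
            result |= self._out.get((node, relation), set())
        return result

    def reach(self, subject: str, path: Sequence[str]) -> Set[str]:
        """Nodes reachable from subject by walking the relations in order."""
        frontier = {subject}
        for relation in path:
            frontier = self.step(frontier, relation)
            if not frontier:
                break  # dead end, no need to walk further
        return frontier


# Policy stated in relationship terms. Each permission lists the paths that
# grant it; the path is read left to right from the subject outward.
# Hypothetical rules, chosen for this example:
POLICY: Dict[str, Tuple[Path, ...]] = {
    "view_doc": (
        ("viewer",),                      # named directly as a viewer
        ("editor",),                      # editors can also view
        ("member", "owns", "contains"),   # member of a team owning the folder
        ("manages", "editor"),            # manager of someone who edits it
    ),
    "edit_doc": (
        ("editor",),
        ("member", "owns", "contains"),   # managing an editor does NOT grant edit
    ),
}


def authorize(graph: RelationshipGraph, subject: str, permission: str,
              obj: str, policy: Dict[str, Tuple[Path, ...]] = POLICY) -> Optional[Path]:
    """Return the first policy path that connects subject to obj, else None.

    Returning the path rather than a bare boolean gives the analyst an
    explanation in the same business terms the rule was written in.
    """
    for path in policy[permission]:
        if obj in graph.reach(subject, path):
            return path
    return None


def describe(path: Path) -> str:
    """Render a path for a human-readable decision log."""
    return " -> ".join(path)


def build_sample_graph() -> RelationshipGraph:
    """Constructed sample data; every identifier here is made up."""
    g = RelationshipGraph()
    g.add("team:payments", "owns", "folder:q3-plans")
    g.add("folder:q3-plans", "contains", "doc:budget")
    g.add("folder:q3-plans", "contains", "doc:roadmap")
    g.add("user:alice", "member", "team:payments")
    g.add("user:bob", "editor", "doc:contract")
    g.add("user:carol", "manages", "user:bob")
    g.add("user:dave", "viewer", "doc:contract")
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    for subject, perm, obj in [
        ("user:alice", "view_doc", "doc:budget"),
        ("user:carol", "view_doc", "doc:contract"),
        ("user:carol", "edit_doc", "doc:contract"),
        ("user:bob", "view_doc", "doc:budget"),
    ]:
        path = authorize(g, subject, perm, obj)
        verdict = f"ALLOW via {describe(path)}" if path else "DENY"
        print(f"{subject} {perm} {obj}: {verdict}")
```

Two things worth noticing. First, the rule "a manager can see what their reports edit" is a single line of policy and needs no synthetic group such as `managers-of-contract-editors` to be provisioned and kept in sync; the relationship itself is the policy input. Second, every path has a fixed length, so evaluation cost is bounded by the policy rather than by the size of the graph, and there is no risk of looping on cyclic data. Whether the edges are held in a directory, a relational table or a purpose-built graph store is invisible to the policy layer, which is the separation the post is arguing for.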

In closing… To Michel – you’ve got identity virtualization capabilities. How hard is it to build an OpenGraph API on your technology? To Microsoft (and Kim specifically) – we’ve been hearing about the power of graphs and Azure AD has such an API. What are people doing with it? To Oracle, IBM, Axiomatics, Dell, Next Labs, ObjectSecurity, and anyone else I left out – show the industry what your authorization policy management tools can do. Let’s see real relationship modeling and management. Let’s see high fidelity policy tools. Catalyst. July 29th to August 1. Come show the world what you can do.



  • Hi Ian. It was a great video, but I think anything with the title ‘Killing IAM..’ is bound to get a good reaction 🙂 I think the focus on hierarchy-less identity is the powerful takeaway. Facebook’s launch of a more graph-related approach to human interaction (at the F8 conference in 2011, I think) really hammered home that interactions are fluid, direct and interchangeable. Identity management, to provide value at that level, needs to follow too. I also think the closer identity (and security services, for that matter) are made ‘accessible’ to developers (either via standards adoption, abstracted externalised services and so on) the better.

  • Lyle Steinberg says:

    I see both sides of the debate. There’s no doubt that there is so much information readily available to help make smarter and smarter identity decisions. I like the visual concept of the social network. There are many node types, not just people, but organizations and other objects, and they each have their own attributes. There are links between the nodes, and these links also have their own contextual attributes. In the Healthcare world I can definitely see use cases where the attributes of a ‘weak tie’ (a link 1+ nodes away from you) would have an influence on the access you are given to patient data.

    I also understand the need to transition smoothly. There may be no ideal way to store this information today and have it actionable in an acceptable time frame for real-time transactions. So, it will take time to kill IAM; we will have to do it slowly, perhaps with leeches. In the enterprise, it will be a long time before business applications are really poised to leverage this information anyway. While Healthcare might be the biggest winner in the future, per my example above, they will probably also be the last to get there…

    So, what to do in the meantime? In the enterprise, I see things we can do to move towards this vision while making use of existing investments. Use your SIEM or event management systems to collect activity data that complements your attribute data. Apply models to make sense of that data and make it actionable. Leverage something like XACML (another performance dog) to plug this information into an access decision engine. Instead of plugging apps in for real-time decision making, leverage your IDM investment to provision access out of band, without making users request permissions that you can already tell they will need. If they don’t use them, leverage that same activity information to trigger revocation.

    By the time the technology has evolved to make Ian’s vision a reality, we can all be ready to take advantage. As an existing customer of Michel, I’ll be glad to see him forge the way.