Well, here we are. Identity and Access Management as a discipline has been here in various guises for decades now, starting from early and simple administration of passwords to the present day of access management, identity administration, and an assortment of technologies that supposedly help enterprises (and citizens/consumers/partners/fill-in-the-blank) to have a consistent experience with managing and using identities. In all of this time, with the introduction of products, processes, practices, and people into the act, why don’t we take a step back and do a reality check on what has been accomplished?
I’m not here to bash IAM product or service vendors. That isn’t my job. As an analyst, I’m supposed to—well, analyse. I try to look at the historical record, draw some conclusions about what has happened, and make some guesses as to what will happen. If my view of reality isn’t rosy or satisfying, it is because of what we find as researchers during analysis, not because we have something against the IAM market’s response to customer need. For IAM, the reality is that we have made some progress. It has come in fits and starts, with notable successes and failures, but in general we’ve progressed from being a necessary evil to playing an important role in securing an enterprise and its business assets.
The reality is that our vision of IAM as a ‘gatekeeper’ has been somewhat realised. We know how to establish an access architecture and technology set that does a good job at determining whether or not someone has the initial right/privilege/permission/entitlement/claim/fill-in-the-blank to enter our IT/business kingdom and letting them in if they have it. Going further with those entitlements to allow entry into specific, mission-critical areas (e.g. sensitive business information, key applications) remains problematic, and allowing a lot of different players (e.g. partners, suppliers, third-parties, other strangers) into our kingdom is still a work in progress (e.g. federation), but we’re getting there.
The reality of administering the identities themselves and governing that process is still problematic. It’s just plain hard, actually, because we’re trying to define an identity for use in the business lexicon directly, not through the IT translator. We’re actually inviting and engaging the business to participate directly in the creation, maintenance, retirement, reporting, and tracking of identities for which they are personally responsible. In many respects, that scares them. It was better when most of that nasty, administrative stuff was hidden from them (more on that later). But unfortunately, with great power comes great responsibility. As the individual business user becomes more engaged in matters related to sensitive data integrity, customer data privacy, or managing different forms of risk throughout their business processes, they keep running into the pesky IAM problem. The reality of IAM is that it is a pain for everyone, equally: whether the business user comes from the human resources group, the supply chain department, or the customer relationship management division, all of them have IAM to worry about in some capacity. It is the horizontal commonality in a vertical world.
Work continues on taking IAM to the next stage, where formal, structured methodologies, processes, and organisational requirements are identified and employed where required in maturing enterprises. Identity and Access Governance (IAG), that step closer to structure, methodology, process, and organisation, is heating up now, joining the ‘toolkit’ for IAM. A reality check there reveals that IAG is like Thursday’s child: it has far to go. But it comes closest in the IAM realm to addressing the business user directly, and that’s a good thing. We’ll watch closely to see what transpires.
We could use a reality check about now, I think.
The author is a Research Vice President in the Security and Privacy team at Gartner.