Finding out what IAM
Identity access management is coming to the fore but diverse challenges must be solved, says Colin Miles
Ironically, the Identity and Access Management (IAM) category has often lacked a sense of identity.
Is IAM trying to solve a security problem? A compliance issue? Is it primarily about realising cost savings and enabling business efficiency? Or all of the above, and more? And which products are we talking about?
Do customers still need enterprise-grade suites for full user lifecycle management or are point controls or cheaper, quick-to-deploy services sufficient?
The demand for IAM remains strong. The IAM market has quantity and quality in the offerings that are available. Strong-authentication providers, privileged identity management, governance, risk and compliance tools, major IAM suite vendors and others have all found messages and offerings that they believe address business pain points.
To plot the right course through this maze, however, potential customers need help to integrate the right technology stack into their delivery models, be they cloud or on-premise.
Often at the heart of this challenge is deciding whether to go for a best-of-breed approach or a combined offering from a single vendor, where the choice of elements may be based more on loyalty or an existing enterprise agreement than on fit.
As the IAM market continues to develop, it will be best to avoid customer lock-in, and support a swap-out of components as improved offerings enter the market. IAM can be done in phases.
More effort is needed to convince prospects.
For some time, IAM specialists have been able to send out the message that with the right IAM offerings, security can move nearer to becoming a business enabler - rather than remaining a drag on efficiency.
Every year, we see an increase in customer projects that use IAM to deliver new portals and services to customers and employees. A degree of realism is still needed here, however. IAM is still a significant business investment, and IAM projects must be mapped carefully to business requirements to ensure that value will be delivered.
There should be a focus on marketing the IAM story to stakeholders at all levels to increase adoption and support a continued spend.
Help is also needed to make the standards stick. IAM isn't the only corner of the IT industry where a battle between open standards and proprietary products and services has been fought. It has been a battle of attrition at times, with hype gradually giving way to reality.
How close are we really to a point of standards maturity and convergence in IAM? Most real-world IAM implementations are not there yet. Legacy offerings and "interesting" workarounds may lurk around any corner, of course, and readily usable integration interfaces cannot be guaranteed in all SaaS offerings either. Future IAM challenges will continue to be more about the "what" than the "how".
Keeping out the bad guys should not affect the good guys. Turn around the traditional notion of granting as little privilege as possible, and encourage the idea that everything that isn't forbidden can be allowed.
This may strike fear into the heart of any security administrator or product owner, but can work well if pragmatically applied - not least because it is an opportunity to cut bureaucracy and cost while increasing staff morale and agility.
The key is to balance cost against value and security. Apply people-centric principles in the right areas, against the right assets.
IAM is an opportunity to enhance your customer's brand as well. If every user is a consumer, his or her first interaction with the service will typically be through the IAM layer. This may be for registration, logon, or perhaps for account management. This means that a good experience with IAM may give a good perception of the service.
Focus on delivering a first-class user experience, making its operations clear, simple and quick. Furthermore, organisational branding should not be left behind the front door.
New challenges need new delivery models: in an Internet of Things we will need to know the identity of those things. Big data, SIEM and IAM should lead us to identity and access intelligence - but the offerings have yet to be developed.
IAM needs to keep up with the demands for new delivery and pricing models that are shaping IT in general. Bringing IAM to SaaS leads us to identity-and-access-management-as-a-service (IDaaS), a model that needs to deal with all the opportunities and challenges so far presented.
Colin Miles is chief technology officer at Pirean