I was on a webinar last week by the highly articulate Eve Maler from Forrester, where the discussion was around the future of identity and access management. Everyone has an opinion on the future of everything, and IAM is certainly no different. The view of IAM 1.0 (enterprise provisioning) and IAM 2.0 (federated identity, 'cloud' services and so) is continually evolving and it's pretty clear that identity management now has a greater role to play for many organisations, as they look to embrace things like increased mobility and out sourced service driven applications.
Enterprise Evolution - Mobility
Everything evolves. OK, so apparently alligators haven't changed that much in 37 million years, but most things, especially in business, evolve to the point of least resistance, or more importantly to the point of greater return on investment. From a simple technology perspective, many organisations have grown to embrace the use of things like increased mobility. What does that mean? Well, I'm referring to things like remote working, 'tele-working' (unless of course you work for Yahoo), always-on smartphone access and an increased use of personal devices (BYOD). Mobility can help reduce the standard fixed costs of running an organisation (at both the start-up and enterprise level), by not having to worry about physical office locations for example. By getting employees to cut out the daily commute, organisations are also squeezing out extra output, either physically by getting more hours, or through greater innovation due to more relaxed and less-restricted employee working patterns.
Enterprise Evolution - Services over Applications
Another major area in the enterprise evolution process, is the increased sign up to services or outsourced applications. Applications historically have either been developed in house, or licensed from 3rd party software vendors (either large or small). These applications had their data stored locally (by local, I just mean within the confines of the corporate LAN) and were delivered either via web interfaces or thick clients. Authentication and authorisation was managed, if not internally to the application, certainly internal to organisations, via corporate LDAP directories and relational databases.
We're now seeing nearly every possible combination of applications, made available as subscription based services. Freemium business models. One month trials. Pay as you go. Multi-tenant delivery and even just the same application you previously licensed, but hosted by someone else. From a business perspective everyone's a winner: faster implementation; cheaper costs; risk free payments; zero development or installation costs. Barriers to entry for new businesses also fade away, as you can be up and running with CRM, accountancy, collaboration, document storage and communications services within minutes. Either free, or costing peanuts with simple credit-card signup. But has this go to do with identity?
How Identity Can Play a Part
Identity has a huge part to play in this evolutionary process. All of these new methods of working, still require the basic principles of authentication, authorisation and accountability. Regardless of whether you access the CRM system from your iPhone via 3G or public wi-fi, or via a desktop PC on the corporate LAN, an identity holds together the context of who should access what and why. Technological solutions will obviously fill the void for the basic connectivity and integration tasks. I'm thinking of things like web SSO, mobile application provisioning and sign in and 3rd party sign up. This increased level of complexity from both a user and application perspective, requires an increased level of complexity on the management of identities too. Complexity doesn't necessarily mean difficult however, it just requires a greater understanding of the challenges and pit falls that lie ahead for organisations looking to embrace greater flexibility and returns on investment.
Instead of identity becoming the bolt on, or audit after thought, it becomes central to enabling organisations to leverage things like service driven applications, 3rd party identity providers and mobile working.
Cross posted from Infosec Professional