Neil believes we are nearing a revolutionary change in identity management.
"Too many IAM vendors, too much complexity, too many products and you are paying too much." -- hear, hear!!!
Put identity and security administration in the business units - not in the high priced security professionals hands. If we can't achieve that then we have failed.
Key trends according to Neil: (Neil's points in italics, my comments not)
- Security-service oriented applications will require security-as-a-service, including identity services. Clearly what Cisco is thinking, isn't it?
- Identity Becomes Application Infrastructure (aka authorization or entitlement application). As I have stated before, this is the next "battleground".
- Business Process Management Services as a new starting point for application development.
- ERP as a new center for identity-centric application services. Clearly what SAP was thinking with their MaxWare acquisition. ERP is the starting point, isn't it?
- Context delivery architecture. "What you need is what you get" services - and they need to be federated.
- Grid computing and virtualization. Traditional security approaches tied to physical characteristics will fail, and externalized policy management (security, identity) is an absolute requirement.
- The rise of identity-aware applications and sites. As I mentioned in a previous post, it is these types of applications (e.g., SharePoint) that will drive federation and federated identity. Have you looked at OpenSocial yet? You need to (so do I)!
- The impending collision of consumer and enterprise identities. Who hasn't seen this one coming?
- Convergence in multiple dimensions: Of IAM point products, into platforms, into services, of mature security infrastructure into operations.
- Thinking of IAM as a collection of products or projects. It's not, it's a set of inter-related processes. We're moving from IAM suites of products to suites of IAM services.
- Overlooking the synergy between middleware and IAM. Neil pointed out how Microsoft has moved to one workflow platform and set of connectors based on BizTalk in order to reduce cost and complexity. Now if MIIS/ILM were also using those same connectors, and vice versa, wouldn't that be nice? I loved this point on this slide: "Don't assume legacy IAM vendors are best positioned for the future application- and process-centric requirements of identity infrastructure." I agree - some of those legacy guys are going to die off.
- "I've implemented RBAC...I'm done." Neil says the root cause of this problem isn't too many roles, it's a lack of governance and automation (creation and destruction). Role management needs to be a part of provisioning solutions.
- Requiring application programmers to code to LDAP. Externalizing authentication and authorization is a prerequisite for applications. Neil believes there are viable commercial solutions (e.g., Layer7, BitKoo) available today to make this happen.
- Thinking HR is the trigger for all things user provisioning-related. Yes, HR for hires and fires, but what about role changes? Does that have to go to HR in order to make something happen?
- Information security administers all security, including user/role assignments. Business units must assume the risk, not IT. How true!
- Limiting the scope of identity projects to just people. Any resource may require identity services. How do we do this in a virtualized environment?
- Treating user provisioning as a strategic technology. Indeed. We need identity-aware applications: Kerberos, SAML, WS-* etc.
- Paying too much. No kidding! Why are identity vendors charging 3-4X the software cost to install and deploy?! Use Microsoft to pressure the other vendors!
- "I've deployed UP, WAM, SSO...I'm done." Again, no kidding! It all starts again my friends, it all starts again. Interesting how Neil has modified Gartner's operational efficiency grid: Basic, Centralized, Standardized, Rationalized, Virtualized, Service-Based, Policy-Based (FYI - moving left to right is better, and Gartner's grid stopped at Rationalized before).
To reduce cost and complexity you should: leverage convergence and not be afraid to change vendors; look for "proxy" capabilities; and set a long-term goal that developers don't write security code.