Wednesday, November 14, 2007

Everything You Know About Identity Management Is Wrong

Gartner's Neil MacDonald spoke on this topic. I have to say the title absolutely intrigued me so I had to be here. How could you not like a presentation where the speaker mentions Banyan VINES during his intro?!

Neil believes we are nearing a revolutionary change in identity management.

"Too many IAM vendors, too much complexity, too many products and you are paying too much." -- here here!!!

Put identity and security administration in the business units - not in the high priced security professionals hands. If we can't achieve that then we have failed.

Key trends according to Neil: (Neil in italics - my comments not)

  1. Security-service oriented applications will require security-as-a-service, including identity services. Clearly what Cisco is thinking isn't it?
  2. Identity Becomes Application Infrastructure (aka authorization or entitlement application). As I have stated before, this is the next "battleground".
  3. Business Process Management Services as a new starting point for application development.
  4. ERP as a new center for identity-centric application serices. Clearly what SAP was thinking with their MaxWare acquisition. ERP is the starting point isn't it?
  5. Context delivery architecture. What you need is what you get services - and it needs to be federated.
  6. Grid computing and virtualization. Traditional security approaches tied to physical characteristics will fail and externalized policy management (security, identity) are absolute requirements.
  7. The Rise of identity-aware applications and sites. As I mentioned in a previous post it is these type of applications (e.g., SharePoint) that will drive federation and federated identity. Have you looked at OpenSocial yet? You need to (so do I)!
  8. The impending collision of consumer and enterprise identities. Who hasn't seen this one coming?
  9. Convergence in multiple dimensions: Of IAM point products, into platforms, into services, of mature security infrastructure into operations.
What mistakes are organizations doing wrong and how should they be done differently?
  • Thinking of IAM as a collection of products or projects. It's not, it's a set of inter-related processes. We're moving from IAM suites of products to suites of IAM services.
  • Overlooking the synergy between middleware and IAM. Neil pointed out how Microsoft has moved to one workflow platform and set of connectors based on BizTalk in order to reduce cost and complexity. Now if MIIS/ILM was also using those same connectors and vice-versa wouldn't that be nice? I loved this point on this slide: "Don't assume legacy IAM vendors are best positioned for the future application- and process-centric requirements of identity infrastructure." I agree - some of those legacy guys are going to die off.
  • "I've implemented RBAC...I'm done" - Neil says the root cause of this problem isn't too many roles, it's a lack of governance and automation (creation and destruction). Role management needs to be a part of provisioning solutions.
  • Requiring application programmers to code to LDAP. - Externalizing authentication and authorization is a pre-requisite for applications. Neil believes there are viable commercial solutions (e.g., Layer7, BitKoo) available today to make this happen.
  • Thinking HR is the trigger for all things user provisioning-related. Yes, HR for hires and fires but what about role changes? Does that have to to HR in order to make something happen?
  • Information security administers all security, including user/role assignments. Business units must assume the risk, not IT. How true!
  • Limiting the scope of identity projects to just people. Any resource may require identity services. How do we do this in a virtualized environment?
  • Treating user provisioning as a strategic technology. Indeed. We need identity-aware applications: Kerberos, SAML, WS-* etc.
  • Paying too much. No kidding! Why are identity vendors charging 3-4X the software cost to install and deploy?! Use Microsoft to pressure the other vendors!
  • I've deployed UP, WAM, SSO...I'm done. Again, no kidding! It all starts again my friends, it all starts again. Interesting how Neil has modified Gartner's operational efficiency grid: Basic, Centralized, Standardized, Rationalized, Virtualized, Service-Based, Policy-Based (fyi - moving left to right is better and Gartner's grid stopped at Rationalized before)

To reduce cost and complexity you should: leverage convergence and not be afraid to change vendors; look for "proxy" capabilities and set a long term goal that developers don't write security code.

All in all this was a great presentation. Lots of clapping whenever Neil mentioned how costly something was!

Technorati Tags:
,

2 comments:

Dave Nesbitt said...

Security-service oriented applications will require security-as-a-service, including identity services.

This was a hot topic at Burton Catalyst Europe and I think it's inevitable. Application developers shouldn't have to code identity into their apps, they should just consume it from a central ID service. It already happens when Kerberos-enabled apps consume tokens from AD, why not extend this model across the whole enterprise? What we need is an identity black box that spits out tokens in return for credentials. The tokens get passed to the apps, the apps can read the tokens and everyone is happy.

Overlooking the synergy between middleware and IAM

For sure. Right now I'm looking at a situation where I want to plug MIIS into IBM Websphere MQ. MQ is being used to tie together many legacy applications that MIIS won't talk to easily, so getting it to create MQ messages seems a logical step.

Tom said...

Overall good insights, though I'd be cautious about delegating security administration or policy-making to the "business units". Their concerns are often at odds with security concerns. I think the desire to do this is driven from sheer frustration with the over-complexity of current products.

Oh, and a nit -- the phrase is "Hear, hear!"