Identity and Access Management (IAM)

There are multiple “tracks” in the Burton Conference, including ones on threat management, application security, and identity management. There was also a conference welcome session, at which Jamie Lewis (President of Burton Group) summarized some of the key security trends that have been occurring over the past year. As he went through them, it was quite noticeable how central IAM was in virtually all of these trends. One could certainly argue that this is due in some respects to Burton’s emphasis and expertise in this area. Even while acknowledging this fact, it seems clear that many of the recent security trends can be associated with a strong movement towards management of user identities and access across large environments.

Let me highlight the major ones listed so we can see how these trends are impacted by IAM technologies.

• De-perimeterization—the boundary between internal and external users continues to blur. As this occurs and larger numbers of users need access to protected IT resources, the relatively static authorization models that have worked in the past may no longer be sufficient. Authorization models need to be able to effectively model the often complex and dynamic attributes that many users have.  In particular, authorization based on a relatively static set of roles or attributes/claims is evolving to a much more flexible model based on a wider set of dynamic attributes. 
• Data center consolidation—as mergers, acquisitions, and business unit consolidations occur, data centers (across different companies or business units) are often merged, creating unique challenges around different identity mechanisms, directories, and other infrastructure components. This represents both a significant challenge but also an opportunity for increased automation and cost reduction as these different IT processes are centralized and merged into a single, more efficient mechanism.
• Islands persist, despite evolving standard—this will probably always be true, insofar as the challenges of widespread IAM deployment remain too daunting for some organizations. Still, one would hope that the pain of existing “silos” will tend to reduce the creation of new ones over time.
• Regulatory compliance and governance—this is very important, but old news.  We’ve all known for a couple of years now that compliance was likely the most important driver of identity management deployments.  In fact, compliance has been a major factor in the maturation of IAM within many organizations.  And, even as some companies view compliance in a wider scope as part of their corporate risk management or governance program, it remains true that IAM can be an important underpinning of these programs.

So, when we look at some of the key security trends over the past year or more, IAM technologies are extremely well-suited to meet the challenges created by these trends. And, conversely, these evolving customer demands have caused changes in the IAM product space also. Simple examples include the rise of GRC solutions and identity auditing as natural outgrowths of the success of the core IAM technologies.

Another insight from this session was how much change had occurred in the IAM market over the past year or so. This is true not only in terms of acquisitions as well as new entrants, but also in the breadth of scope that the identity management market includes. For those of us who have been in the IAM market for a number of years, this constant flux has become very familiar to us. In addition, this is very unlikely to change in the near term at all—identity management has become a constantly evolving market in which a high rate of change is now the norm. Continual change is one of the many reasons why many of us find this area to be so exciting.