With the Gartner Identity and Access Management Summit happening on Wednesday, I've been thinking about the many discussions I've had with customers regarding Cloud Security in the last year.
There are some people who believe that the Cloud Security debate is vendor and analyst hype and that, for them, it is business as usual with regard to how security, and IAM in particular, are dealt with for their organisation. Is this a fair point? Well, in my opinion, yes... and no.
In defence of that viewpoint, one thing certainly remains the same as we embrace the cloud, and that is the principles of good security and IAM. Those of us who remember the heady days of the .COM era remember how sane, well-educated business people lost their heads and believed that sound financial principles no longer applied to the brave new world of eCommerce. We all know how that ended. I believe that we could use this example as a parable for how common sense, well-proven principles and good business practice should be maintained, in this case for security when leveraging the cloud.
Where I believe this viewpoint is somewhat disingenuous and, dare I say, dangerous is, firstly, from a technological point of view. Commercial IAM platforms were designed and architected with a large Enterprise in mind. The IAM solution would traditionally be installed and managed on the Enterprise's premises and managed exclusively by the customer. Now I concede that sometimes the platform resided at a managed service provider's site and was run by them on behalf of the customer, but it was essentially the same scenario: centric to that one company and in their full control. See my rather crude diagram below:
There has been an evolution in agile business models that require organisations to build trust models with other companies quickly and without requiring each partner to be part of your IAM environment. We have always had federation capabilities in IAM solutions, but the cloud requires us to evolve IAM to keep pace with how the business wants to innovate.
I see three different stages in the evolution of IAM.
Stage 1: Traditional IAM model as described above. This is yesterday's approach and is not flexible enough for today's business needs.
Stage 2: Companies will have their own IAM environment and will agree a trust relationship with other companies, who will leverage their own IAM platforms. We are in this phase at the moment, so technology and standards allow this approach to work and some companies are successfully doing it, but I would argue not the majority.
Stage 3: IAM Services may be provided by a trusted 3rd party, and will not require much, if any, on-premise IAM solutions or Identity Stores.
Stage 3 is in early adoption, but the pace at which it is being adopted means it will become the common model for the new cloud-enabled world.
Putting aside the technical considerations, the other difference that Cloud brings (or intensifies) is the regulatory considerations. How do we manage data storage and access in the cloud? How will nations find a consistent way of doing business in the cloud? These issues have to some extent been there since the internet was established, but cloud adoption is adding to the urgency to address such concerns. Business is happening with or without a common agreement on how privacy and cloud trading should be managed. It is a little like the wild west right now and far from "business as usual". We all need to be part of the debate and lobbying to get good business and regulatory frameworks in place. This is a big topic and one for a separate blog.
So, back to the original debate: I made the contentious statement that "business as usual" for IAM was a dangerous mindset. This is because Cloud is happening, with or without strong IAM. Do it right, though, and it will actually be a major enabler for the business to exploit personal devices, mobile workers, cloud-based applications, collaboration and social networks in its innovation.
I don't know about you, but I'm quite excited by the possibilities.
Join Tim Dunn at a panel discussion at Gartner IAM on Wednesday March 9, 10.15am.