Monday, January 04, 2010

Identity & Access Management Predictions For 2010

I should point out that I am not psychic. I haven't found a way to see into the future just yet. (If I had managed to do that, I'm quite sure I wouldn't be writing this article!)

Identity and Access Management has promised much in recent years and, in the case of Identity Management, the promise has yet to be realised in a lot of deployments. I hear potential customers claiming that there has never been a successful identity management project and that any organisation intent on attempting to realise the benefits of such a project is doomed.

Thankfully, I have been involved in many successful deployments that have realised some, if not all, of the anticipated benefits. The problems I've seen have typically been political issues rather than technical issues. Does that sound familiar?

It would seem to me that there is a disconnect between what technology can offer, what businesses can afford and the political willpower needed to ensure that an IAM programme will succeed. Which brings me on to my predictions...

1. Ding-Ding - Round 2
The early adopters of IDM technology went through the pain and heartache of spending big on new technology in an effort to leverage their legacy technology in the "always connected" world. Their 18-month programmes of a number of years ago are probably starting to provide some benefit around about now, and the political collateral required to leverage their infrastructure will be in place because it has become too darn expensive to rip out all that kit that was deployed all those years ago. In other words, the initial hype surrounding the technology, which was followed by disillusionment, is now starting to pay for itself.

The rotation of staff around the various enterprises that exist will ensure that every enterprise now has "someone" in their team who has been involved in a successful IDM deployment. These people will become crucial in pushing their new employers down the path of embracing IDM as a workable solution.

2. Risk
I'm on thin ice with this one, but the days of locking down everything because a manual said it could be locked down are disappearing. We used to live in a world which had adopted the 80/20 rule. An 80% delivery rate on a project was usually enough to get businesses working effectively, and the remaining 20% was usually too expensive and made a mockery of the original business case. I see those days returning. For example, a two-factor authentication system for high-net-worth banking users or treasury departments may be a great idea, bearing in mind the risk of a security breach for either user, but such a system may not be necessary for the thousands of people who only have a few coppers in their deposit account.

The same rule can be applied within the enterprise as well. Do we want to lock down our enterprise systems to the point where they become difficult to use? Do we want our users fed up with the tedium of trying to do their job with a system that seems hell-bent on preventing them from doing so?

IT Security professionals will finally find the word pragmatism in their dictionary and understand that they are there to help rather than hinder.

3. Personal Ownership
For many, the notion of an Identity Management System may seem crazy. Surely it is up to the individual to manage their identity properly rather than delegate such responsibility to a "system". 2010 will see IT users taking ownership of their identities (and not just those binary-speaking geeks we all like to poke fun at). Real people performing real duties in the real world will start to take more care of their online persona. Facebook and Twitter have become vital tools - they are no longer being used merely to jabber on about what was on television the previous night!

Most people are sensitive about how others perceive them. Now is the time to protect our online personae. It is time to manage our own identities.

4. Compliance
Enterprises need to demonstrate that they have control over their processes. In a nutshell, that seems to be what Sarbanes-Oxley is all about. How an enterprise demonstrates that control, however, is up to the enterprise. Quill-and-parchment record keeping may actually suffice.

There are tools available which can help an enterprise keep control over its systems. Identity Management systems typically look after the provisioning aspect of a system and can certainly be beneficial in achieving compliance. But what about those systems that aren't managed by such a clever tool? Log file scraping and database dumps can provide an auditor with the necessary data to determine how an application is being managed, but unless she is super-human, she will need an analysis tool to help her make sense of the information.

Compliance has always been a tricky topic because there are legacy bespoke systems which contain data that nobody else on Earth could possibly understand. How do you build a tool capable of analysing information from every possible application without major customisation and significant up-front consultancy-fee hell? How can "SOX IN A BOX" be achieved?

This year should see the major vendors of IDM solutions attempt to address this area.

5. The Cloud
I've written about "The Cloud" before, and 2009 has already seen a quickening of pace in Cloud Services and IDM solutions specifically for The Cloud. I can see one or two niche players operating in the "IDM proxy" world being gobbled up by the big boys.

Until now, enterprises have attempted to manage access to The Cloud from within their perimeter. 2010 will see the start of a mirror image of this approach, i.e. The Cloud will start to manage access within the enterprise.

Conclusion
The above five predictions are safe bets, to be honest. All of these things are already happening, so I guess my predictions aren't really predictions. Maybe they are "realisations"? This year will be the year that the IT user base becomes more aware of the above.

2 comments:

Unknown said...

As you are aware, I know little or nothing of the technology of IDM; however, to a layman there are a couple of interesting points. On the subject of risk, your suggestion that professionals should embrace pragmatism is sound. It is a basic tenet of all security situations that one carries out an in-depth cost-benefit analysis. It is pointless having an immensely expensive Chubb Armoury door if you have it hung in a PVC frame. The art is identifying the main threat to a particular target area and then providing the minimum amount of security necessary to negate that threat. Wee buns?
The second point is personae management. I agree with your summation; however, the question I would ask is: "As a layman, how do I decide the level of security I need?". I do not publish my address, email, telephone numbers, etc. on Facebook or even on my website. Does this give me any security? I note that you have a contacts page on what I assume to be a globally accessible site. From this I deduce that hiding one's personal contact details is pointless, or is it? Perhaps I am missing the point and you are looking at a far more sophisticated personal protection programme. Either way, I would be interested to know your interpretation of Identity Management at a personal level.

Stephen Swann said...

Comes down to usability, I guess. I need people to be able to contact me - even people I haven't been introduced to already. Plus, a lot of "contact" information is already publicly available. Phone numbers and addresses are fairly accessible.

The trick, I guess, isn't trying to keep these things a secret but protecting yourself against identity theft and loss of reputation. Being careful who you "connect" with online and ensuring your publicly available opinions aren't globally offensive are good ways to protect your reputation.

Identity theft can be prevented (somewhat) by limiting the information that you reveal online. National Insurance Number, Passport details and Drivers Licence details would be good examples of details that shouldn't be divulged to ANYONE.

Again, it comes down to risk. Laypeople should take care about divulging information, but categorising their personal info into the following categories might be useful:

Very Sensitive - for my eyes only (passport details)
Sensitive - close friends and relatives can view (who I'm connected with, political views) ***
Not Sensitive - friends of friends and selected others can view (date of birth, CV maybe)
Not Sensitive At All - anyone can view (opinions in blogs - as long as the opinions adhere to the principle of maintaining your reputation)

*** Take care with this one. This information is typically used as part of backup security mechanisms (i.e. what is your mother's name). People should already be wary about these types of questions in a security context and be taking precautions to "encrypt" answers or not reveal the answers at all!