Earlier this month, I attended the Gartner Identity & Access Management Summit in London and got the chance to hear the Gartner Identity team lay out their roadmap for the industry.
The Future of Identity Management
The opening keynote, Embrace Change or Be Disrupted -- IAM's Future Role, was led by analysts Mark Diodati, David Anthony Mahdi and Earl Perkins. They discussed the organisational changes that are impacting our peers in workforce IAM. As managing the identity of people and things becomes more of an imperative, legacy IAM providers start to lose influence with executives in broader lines of business and become more deeply relegated to operational IT.
David Anthony Mahdi and Earl Perkins challenged legacy vendors to embrace the cloud, decentralised identity (blockchain), IoT and machine learning and made the following predictions:
By 2022, blockchain will be in 35% of CIAM
By 2022, one-third of IAM processes will be done by AI
FinTech is driving the CIAM and decentralised identity, authentication and authorization (via blockchain-inspired technologies) agenda as a way to avoid overexposing shared data.
David Mahdi gave a very accessible example of data overexposure with the scenario of showing your ID to buy beer. All the storekeeper needs is an authoritative and validated source to confirm you are over 18 (or 21 in the US); showing your ID exposes your name, gender, address and date of birth.
Here, blockchain becomes a promising technology to give back trust and a distributed method to provide a signed assertion. Of course, blockchain is not the only way to deliver a signed assertion. I expect to see more mainstream solutions being developed and delivered through central identity offerings. Meanwhile, blockchain remains super early stage -- an Innovation Trigger in Gartner's most recent Hype Cycle.
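To make the beer-purchase scenario concrete, here is an added example (not from the original post, and not Akamai's or Gartner's code) of the "signed assertion" pattern: the issuer, who holds the full record, evaluates the age predicate itself and signs only the yes/no answer plus an audience and expiry, so the storekeeper never sees the name, gender, address or date of birth. The identity record, issuer name, audience string and key are constructed for the demo, and an HMAC stands in for the public-key signature a real issuer would use, so that it runs on the Python standard library alone.

```python
import base64
import hashlib
import hmac
import json
from datetime import date, datetime, timedelta, timezone

# Constructed identity record held by the issuer (e.g. a government or bank).
# None of these fields should reach the storekeeper.
RECORD = {"name": "A. Example", "gender": "F", "dob": "1998-06-01",
          "address": "1 Example Street, London"}

# Constructed shared key. A real issuer would sign with a private key
# (e.g. Ed25519) and the verifier would check the public key; HMAC stands in
# here so the example runs on the standard library alone.
ISSUER_KEY = b"constructed-demo-key-not-for-production"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _age_on(dob: date, today: date) -> int:
    """Whole years completed between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def issue_age_assertion(record, min_age, key, now, audience="storekeeper", ttl_minutes=5):
    """Issuer evaluates the age predicate and signs ONLY the yes/no answer.

    The date of birth is consumed here and never placed in the token.
    """
    dob = date.fromisoformat(record["dob"])
    claims = {
        "iss": "demo-issuer",  # constructed issuer name
        "aud": audience,       # binds the assertion to one relying party
        "min_age": min_age,
        "meets_age": _age_on(dob, now.date()) >= min_age,
        "exp": int((now + timedelta(minutes=ttl_minutes)).timestamp()),
    }
    payload = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_age_assertion(token, key, now, audience="storekeeper"):
    """Verifier checks signature, audience and expiry; returns claims or None."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64url(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged
    claims = json.loads(_b64url_decode(payload))
    if claims.get("aud") != audience or now.timestamp() >= claims.get("exp", 0):
        return None  # replayed to the wrong party, or stale
    return claims


if __name__ == "__main__":
    now = datetime(2017, 3, 15, tzinfo=timezone.utc)
    token = issue_age_assertion(RECORD, 18, ISSUER_KEY, now)
    print(token)
    print(verify_age_assertion(token, ISSUER_KEY, now))
```

The verifier learns exactly one fact about the holder (whether the threshold is met) and can still detect tampering, replay to another audience, and stale assertions; the same shape works whether the signature comes from a central identity provider or from a blockchain-anchored issuer key.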
"Be More Than a Directory!"
Mary Ruddy, CIAM analyst, led a session titled Evolve Your Identity Architecture to Be Smart, Modern and Agile. Mary suggests that the traditional models are in conflict and that today's attempts by the enterprise to streamline operations, protect itself from threats and promote digital innovation are not aligned. She called for vendors to become more dynamic and to align to an emerging category of Identity Analytics built on a more agile architecture.
This dynamic approach is being driven by end-user and business demands, as well as the need to support any user or thing (person or device), any endpoint, anywhere and any type of application (PPaaS) at cloud scale and with agility (IDaaS, PaaS, IaaS).
Taking a broader look at the feature set of Identity Analytics, we should see the emergence of:
Peer grouping -- Look-alikes: the typical interaction or access pattern for the cohorts you belong to
Dynamic risk -- Reaction to changes across the network or context
User entity behavior -- Bringing behavioural data into the risk profile (e.g., a user who typically authenticates from London now authenticates from Singapore)
Adaptive Access Control (AAC) that leverages all of these signals
Mary concluded with a call to action: "Be more than a directory!" She admonished the industry to remember that the customer is not always in the directory layer, and to use context from services, leverage multiple circles of trust and build out smart multistage policies.
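The four Identity Analytics features above and the "smart multistage policies" Mary calls for can be put together in a small scoring engine. The following is an added example, not code from the original post or from any vendor: it learns per-user country baselines (user entity behaviour) and per-cohort resource baselines (peer grouping) from constructed sign-in history, adds a context signal for the current network risk level (dynamic risk), and maps the summed score onto allow / step-up / deny tiers (adaptive access control). The sample events, signal weights and tier thresholds are illustrative assumptions, not a published model.

```python
from collections import defaultdict

# Constructed sign-in history used to learn baselines (not real data).
HISTORY = [
    {"user": "alice", "cohort": "finance", "country": "GB", "resource": "ledger"},
    {"user": "alice", "cohort": "finance", "country": "GB", "resource": "payroll"},
    {"user": "bob",   "cohort": "finance", "country": "GB", "resource": "ledger"},
    {"user": "bob",   "cohort": "finance", "country": "FR", "resource": "payroll"},
    {"user": "carol", "cohort": "eng",     "country": "GB", "resource": "repo"},
    {"user": "carol", "cohort": "eng",     "country": "DE", "resource": "repo"},
]

# Signal weights are illustrative assumptions, not a published model.
WEIGHTS = {
    "new_country": 40,            # user entity behaviour: country never seen for this user
    "atypical_for_cohort": 30,    # peer grouping: resource none of the cohort touches
    "network_risk_elevated": 20,  # dynamic risk: context changed across the network
}


def build_baselines(history):
    """Learn UEBA and peer-group baselines from past events."""
    user_countries = defaultdict(set)
    cohort_resources = defaultdict(set)
    for e in history:
        user_countries[e["user"]].add(e["country"])
        cohort_resources[e["cohort"]].add(e["resource"])
    return user_countries, cohort_resources


def score_event(event, baselines, context):
    """Sum the signals that fire for one sign-in; return (score, reasons)."""
    user_countries, cohort_resources = baselines
    score, reasons = 0, []
    if event["country"] not in user_countries.get(event["user"], set()):
        score += WEIGHTS["new_country"]
        reasons.append("new_country")
    if event["resource"] not in cohort_resources.get(event["cohort"], set()):
        score += WEIGHTS["atypical_for_cohort"]
        reasons.append("atypical_for_cohort")
    if context.get("network_risk") == "elevated":
        score += WEIGHTS["network_risk_elevated"]
        reasons.append("network_risk_elevated")
    return score, reasons


def decide(score):
    """Multistage policy: thresholds are assumed values for the demo."""
    if score >= 70:
        return "deny"
    if score >= 30:
        return "step_up_mfa"
    return "allow"


def evaluate(event, history, context):
    """Full adaptive access decision for one sign-in event."""
    score, reasons = score_event(event, build_baselines(history), context)
    return {"decision": decide(score), "score": score, "reasons": reasons}


if __name__ == "__main__":
    # alice, who always signs in from London, now appears from Singapore
    # and reaches for a resource her cohort never uses, during an elevated alert.
    print(evaluate({"user": "alice", "cohort": "finance", "country": "SG",
                    "resource": "repo"}, HISTORY, {"network_risk": "elevated"}))
```

Each decision carries its reasons, which is what makes the policy auditable and tunable: an analyst can see that the Singapore sign-in alone only triggered step-up MFA, and that it was the combination with an out-of-cohort resource and an elevated network alert that pushed it to a deny.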
Different Views of Customer IAM and Traditional IAM
Gregg Kreizman, who leads Access Management and IDaaS at Gartner, talked the delegates through Strategies for Making the Right Access Management and Single Sign-On Choices. Gregg predicts that by 2021 IDaaS will be 80% of the IAM delivery model, up from 20% today.
In the CIAM space -- historically a pure play of consumer management and SSO -- the level of sophistication is beginning to align. Gregg's ideas nicely dovetailed with Mary's vision and drive for dynamic and independent access management. Gregg reviewed point solutions in this space, as well as classic workforce IGA. What caught my attention was the deep dive into Externalised Access Management (EAM) and its alignment with Security Token Services (STS). This developed into an interesting discussion on the need to couple API gateways with EAMs.
Gregg presented a convergence between the traditional API gateways and the niche but emerging EAM players (Symphonic, Axiomatics, NextLabs, Jericho) and the emerging use cases that require this level of convergence, such as insurance.
What was certainly interesting was that Gregg didn't mention PSD2. There is clear overlap and a movement from traditional front-door access to coarse-grained API security, and ultimately to context-aware access. EAMs are poor API gateways, and API gateways are poor EAMs!
Where I differ from Gregg: he has long advocated that we do not need point solutions, such as IAM and CIAM; instead IDaaS (Identity as a Service) is the single solution, with consumer, workforce and things as use cases. He suggests that these use cases could be housed in different silos but addressed by one solution. This is a tricky proposition for me. Cloud-first vendors will excel in IoT and consumer use cases -- with dynamic registration, high degrees of scalability, real-time analytics and Internet-based authentication standards. In contrast, on-prem/hybrid/MSP-delivered vendors will excel in workforce use cases: legacy authentication (LDAP, SAML), small scale, non-transactional, internal integrations. Trying to blend the two will lead to compromise. An acceptable trade-off would be reduced workforce functionality for CIAM pricing, but I can't see the trade-offs working the other way round.
Open Standards and Future Identity Platform Development
How do identity vendors align? The answer has to be open standards. As we start to model devices, people, relationships, mandates and access, the standards bodies are leading the charge. OIDC, UMA, XACML and BPPC all create points of interoperability for stack alignment.
For us at Akamai, the recent Gartner conference was certainly a moment for reflection. It's very exciting to be so closely aligned with Gartner's vision. Over the last 12 months we have released a series of features, with a thesis on how the market will leverage them:
Advanced Policy Manager
Consent Lifecycle Management
Our recent Customer Insights upgrade is focused on real-time behavioral analytics. This becomes the precursor to our Identity Analytics. The team is diligently working to integrate our Fraud Score and Advanced Policy Manager (or EAM), allowing centralised creation, management and decisioning of policies. Our Identity Groups solution houses our Security Token Services (STS) (for delegation). This, in short order, will provide Akamai with the framework for dynamic and Adaptive Access Control (AAC).
We have all the building blocks to get ahead of Mary's and Gregg's market vision.
How quickly can the rest of the industry get there? That remains an open question -- even for Gartner.