IAM view

by Mark Rowe

Open sourcing is the future of identity and access management (IAM), writes Lasse Andresen – CTO of ForgeRock.

Every CIO needs a reliable identity relationship management (IRM) system, the evolution of identity and access management (IAM), for protecting not merely employee and partner data, but now millions of customers’ data.

For many years, businesses have relied on traditional, proprietary IAM vendors to secure user identities and data behind the company firewall. For a long time, IAM was good enough. Good enough to manage, from the inside, and good enough to protect the business from the threats outside.
However, identity needs have changed dramatically in the past few years in the wake of digital transformation. Today’s employees expect access to company systems anytime, anywhere; partners require access to various apps that provide limited access to company data; and, most importantly, customers expect immediate and constant access to user-friendly, consumer-facing data, a need traditional IAM cannot even begin to address.

This change is amply demonstrated by a recent Forrester survey, undertaken on behalf of ForgeRock. This survey found that 85 percent of companies were planning customer-facing identity projects where customers rather than employees were the users, and 81 percent were planning IAM projects where partners were the users. To adequately serve these new populations, companies need to account for the specific needs of these implementations, Forrester noted.

In her blog on IAM, Fran Howarth at Bloor noted that “in the past four to five years, identity and access management technologies and services have seen considerable evolution and innovation. Today, they are used to broker access not just to internally provisioned applications, but also to the multitude of services and applications provided by external parties as web-based applications, software-as-a-service (SaaS) subscriptions in the cloud and via mobile devices. Such services place the emphasis on ease of use and implementation and can scale from the smallest micro-firm to multinational enterprises and agencies, making them suitable for use by any organisation, no matter its size or line of business.”

So, as you’d expect, Howarth goes on to observe that the vendor landscape for IAM has “changed considerably over the past three years, prior to which there were just a handful of specialists offering online IAM services.” In contrast, there are now many specialist IAM vendors operating in the market.

Traditional IAM cannot protect the modern web

Traditional IAM solutions were designed exclusively for the on-premises enterprise; they are not equipped to handle or adapt to the immediate demands of the modern web. This is hardly surprising when the common use cases that influenced the initial development of traditional IAM were based on a very different set of business needs compared with today’s. Early IAM was developed to secure employee identities and protect enterprise applications and data maintained behind the company firewall.

The access devices the company provided to the users (employees) were usually desktops or laptops. The scaling requirements were limited to the company’s employees, so a deployment that exceeded 10,000 users was rare. While use cases such as onboarding and offboarding users were common, these processes happened at a much slower pace than today, driven by predictable and intermittent events, such as hiring new employees.

In his presentation “Killing IAM in Order to Save It,” former Gartner analyst and current Senior Director of Identity at Salesforce, Ian Glazer, addressed the problem head on. “Current enterprise identity and access management cannot adapt and cannot evolve to the contemporary web. At the moment, identity management is ensconced in a reasonably static world. Identities are created, owned, and managed by the enterprise. The problem is that the world around identity management is growing both larger in terms of the constituents that have to be served and moving faster than this static model can keep up with.” Glazer notes that “the current style is slow, requiring changes when an individual is added, moved, or leaves an organisation; and while this works fine, this isn’t the current pace or style of the modern enterprise, partners, or the customers that are working in the modern web. Legacy IAM systems are apart from, instead of a part of, other crucial business services of an enterprise, which ultimately is inconvenient and requires additional work. Modern systems need integrated systems.”

IAM faces challenges

Today’s needs are very different. Users are not confined to employees and partners, but also include customers. Managing customer identities and access isn’t the same as employee IAM. Many organisations should be concerned that systems focusing on classic system-of-record goals, such as automating IAM for compliance, IT administration efficiency, and security may not provide sufficient strategic opportunities to shape customer engagement.

Forrester reported, “evolving from managing employee and partner identities to managing customer identities requires drastically increasing the scale and complexity of the operation.” Respondents to the survey reported, “a median of only 101 to 1,000 partner identities and 1,001 to 10,000 employee identities — but 500,001 to 5,000,000 consumer identities.” Not only are customer populations four orders of magnitude greater than employee populations, Forrester noted, but they also “represent an audience that is not captive to the enterprise’s internal-facing needs for security and operational efficiency and can go elsewhere to get their needs met.”

Further complicating this massive increase in users, generated by customer engagement, is the fact that at first the user might also be anonymous. In addition, users are accessing applications from locations far beyond the company firewall and via a multitude of devices. And the applications themselves are often hosted in the cloud and provided by a SaaS provider. As a result, the volume of users has exploded, the rate at which they change has accelerated, and the number of identities they require has expanded. This is not to say that there is no longer a need for traditional IAM. Rather, it means that what is needed now is a new, open, agile, scalable IAM platform: one that can integrate with the installed legacy systems, but also provide for the needs of modern web environments.

The Forrester survey found that many companies were dubious that their existing IAM infrastructure was ready to support the scale, responsiveness, and business enablement that the new digital consumer requires. As many as 45 percent of companies revealed that they were planning to either build or buy partially or completely new infrastructure for their next project. Two-thirds of respondents said their existing IAM technology solutions were less than “very” prepared for external deployment, with 30 percent admitting their internal-facing solutions are “not very” or “not at all” prepared. But faced with such obvious shortcomings in their existing IAM solutions, how can CIOs extend, integrate, and modernise their companies’ identity infrastructure to provide for these common new use cases? Forrester found that many were looking to new technologies to try to meet their future requirements: 88 percent of respondents indicated that their budget for building out IAM projects requiring external-facing, customer, and partner identity and access management included investment in new IAM software, aka IRM.

The alternative to traditional proprietary IAM vendors exists in open, standards-based identity solutions. Built from the ground up and tailored to the unique needs of the modern web, identity relationship management (IRM) solutions are equipped to handle customer-facing identity requirements across devices and across cloud, social, mobile, and enterprise systems, as the digital transformation takes hold within the enterprise and across the customer base.

Identity Relationship Management

There are several key reasons why open source IRM is able to adapt to the modern web where legacy IAM vendors cannot. Unlike IAM, IRM is built to help businesses manage the identities of customers and things, and the relationships between them, not just employees. It is designed in response to the massive influx of new users and devices to be modular, scalable, borderless, and context-driven. IRM is redefining the category, and agile businesses are already making the swift shift to IRM to grab market share before their heavyweight competitors can make the transition.

An IRM platform needs to be modular, and preferably designed as an integrated, cohesive stack that is purpose-built to handle the complexity of multiple users, devices, access points, and privileges. At the same time, it needs to be able to encompass legacy applications and services. Modular, open platform solutions are well-suited to connect with virtually any device or service – and have no trouble supporting older and newer versions of each device or application because the various platform pieces can be broken out and used alone or in tandem as needed.

Transformation

Digital businesses work at internet scale, which means that the number of users can expand exponentially from thousands to millions worldwide. The identity system needs to be scalable and dynamic enough to deal with these immediate fluctuations and serve content regardless of location – while being aware of the difference location might make in the type of services available and the way they’re delivered.

IoT is connected everywhere, all the time. IRM needs to provide secure access to applications wherever they are hosted (on premises, in the cloud, or both) from any Internet-connected device, from anywhere.

And finally, context. Context was barely even a consideration for traditional IAM, but it’s a critical differentiator for companies delivering digital services. IRM can help businesses better engage with stakeholders based on context and behaviour. It needs to be intelligent enough to evaluate a variety of circumstances in real time and make the best judgment: stepping up to adaptive or multi-factor authentication when a user logs in from an atypical device or region, for example.
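The context-driven decision described in the paragraph above, written out as a small adaptive-authentication policy. This is an added example and not code from the article or from ForgeRock; every name, weight and threshold in it is an assumption chosen for illustration. Each login attempt is scored against the user's known devices and countries plus recent failures, and the score maps to allow, step-up MFA, or deny, with the contributing reasons kept for the audit log.

```python
"""Added example (not ForgeRock's code): a minimal context-aware
(adaptive) authentication policy. Weights, thresholds and the sample
data are assumed values for illustration only."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

ALLOW, STEP_UP, DENY = "allow", "step_up_mfa", "deny"


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    at: datetime


@dataclass
class UserContext:
    """What the identity system already knows about this user."""
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    last_seen: dict = field(default_factory=dict)  # device_id -> datetime
    failed_recent: int = 0                          # failures in the last window


# Risk weights and decision thresholds (assumed values)
W_NEW_DEVICE = 40     # device never seen for this user
W_NEW_COUNTRY = 35    # country never seen for this user
W_STALE_DEVICE = 15   # known device idle for more than 90 days
W_FAILED = 10         # per recent failed attempt, capped at 5
STEP_UP_AT = 30       # score at which MFA is required
DENY_AT = 80          # score at which the attempt is refused outright


def risk_score(attempt, ctx):
    """Return (score, reasons) for one attempt against the user's context."""
    score, reasons = 0, []
    if attempt.device_id not in ctx.known_devices:
        score += W_NEW_DEVICE
        reasons.append("new_device")
    else:
        last = ctx.last_seen.get(attempt.device_id)
        if last is not None and (attempt.at - last).days > 90:
            score += W_STALE_DEVICE
            reasons.append("stale_device")
    if attempt.country not in ctx.known_countries:
        score += W_NEW_COUNTRY
        reasons.append("new_country")
    if ctx.failed_recent:
        score += min(ctx.failed_recent, 5) * W_FAILED
        reasons.append("recent_failures")
    return score, reasons


def decide(attempt, ctx):
    """Map the risk score to a decision; reasons are returned for auditing."""
    score, reasons = risk_score(attempt, ctx)
    if score >= DENY_AT:
        return DENY, score, reasons
    if score >= STEP_UP_AT:
        return STEP_UP, score, reasons
    return ALLOW, score, reasons


def record_success(attempt, ctx):
    """After a successful (and, where required, MFA-verified) login the
    device and country become part of the user's known context."""
    ctx.known_devices.add(attempt.device_id)
    ctx.known_countries.add(attempt.country)
    ctx.last_seen[attempt.device_id] = attempt.at
    ctx.failed_recent = 0


def demo():
    """Constructed scenario: returns the decision for each attempt in order."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ctx = UserContext(known_devices={"laptop-1"}, known_countries={"GB"},
                      last_seen={"laptop-1": datetime(2023, 12, 30, tzinfo=timezone.utc)})
    attempts = [
        LoginAttempt("alice", "laptop-1", "GB", now),   # usual device, usual country
        LoginAttempt("alice", "phone-9", "GB", now),    # new device
        LoginAttempt("alice", "phone-9", "FR", now),    # new device and new country
    ]
    results = [decide(a, ctx)[0] for a in attempts]
    # Enrol the phone after a successful step-up, then retry from it
    record_success(attempts[2], ctx)
    results.append(decide(attempts[2], ctx)[0])
    return results


if __name__ == "__main__":
    print(demo())  # ['allow', 'step_up_mfa', 'step_up_mfa', 'allow']
```

Two design choices worth noting: a first-ever login (no known device, no known country) scores 75, so enrolment always goes through MFA rather than being silently trusted, and the reasons list is returned alongside the decision so that every step-up or denial can be explained in the audit trail.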

An IRM model presents a highly attractive alternative for enterprises seeking out lightweight, flexible identity solutions that can accommodate the standard needs of the traditional, on-premises enterprise, and the dynamic requirements of the modern web.

Biography: Lasse Andresen – Co-founder and Chief Technology Officer, ForgeRock

He has 20-plus years of experience in the software industry including leadership roles at both Sun Microsystems (he served as CTO for Sun Central and Northern Europe) and Texas Instruments. Lasse was also the co-founder and CTO of Gravityrock.


© 2024 Professional Security Magazine. All rights reserved.