Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Thursday, September 30, 2010

Identity and Access Management: The Next Big Thing …

One of the drivers and motivations of this blog is to debate and explore the evolution of Security and Identity and Access Management (IAM) – beyond the current solutions and approaches – and identify new trends and opportunities.

Let’s focus on the IAM area – at least in this blog post.

I must say that in the last 5 years there has been a strong consolidation of the IAM offerings and suites available on the market. They are pretty much equivalent, as they offer similar functionality in a well-defined set of areas.

A promising area (perceived as the next big thing 3-5 years ago), Identity Federation Management, has not really taken off yet, as far as I know, beyond enterprise environments and low-risk transactions on the web. New challenges posed by access control and identity management in the Cloud might indeed revive this area, but that still has to be proven …

Is “classic” IAM rapidly commoditising? I really think so … Are there major margins of growth for traditional IAM solution providers? I am not convinced (but I’d like to hear about rigorous and substantiated market forecasts …).

So, what is the next big thing in this space? What is really going to change the IAM landscape and differentiate from what is currently out there?

This is a question open to all readers. Feel free to send your views and opinions.

Here are my initial thoughts.

First of all, it would be more correct to think about what “the next big thing” is going to be for specific market segments (consumers, enterprises, etc.) …

In the context of enterprises, I am currently reflecting on the input and experience I am gathering from interactions with customers and consultants.

Organisations are increasingly questioning the large and expensive investments in the IAM space. The classic message that “you should buy this IAM suite and related service as it will help you reduce costs & risks and increase productivity (trust us)” is not going down so well anymore. From what I understand, customers increasingly want a clear assessment and evidence underpinning these statements.

This is more and more reflected in an approach to IAM driven by rigorous Risk Assessment – informed by business awareness, knowledge of suitable trade-offs, an understanding of the risk appetite of the organisation and of the threat landscape. Decision makers in this space are moving up the management ladder, from the lower-level IT/CISO office to Risk Managers and/or CIOs.

Today, risk assessment and investment decisions are made with ad hoc approaches, using (effective but) general-purpose risk assessment frameworks such as the ISO 2700x series and equivalents. How to simplify this process? How to provide fine-grained risk assessment that takes into account the analysis of various options and scenarios, and provides what-if analysis? How to evaluate the actual appropriateness and impact of investing in specific IAM controls? How to package all this as a service to be offered (among others) for making informed decisions in the IAM space?

I am more and more convinced that one of the next big things in IAM will be addressing this gap, i.e. providing a simplified, rigorous and scientific approach to evaluating risks in organisations and pinning down (among other security aspects) the suitable IAM investments and solutions, tailored to the specific organisational realities.
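To make the kind of what-if analysis asked for above concrete, here is a small scenario model, added as an illustration for this mirror post. It is not HP Labs Identity Analytics or any vendor's tooling, and every threat, frequency, loss and control cost figure in it is constructed for the example. It compares "do nothing" against candidate IAM controls on expected annual loss, tail loss (95th percentile) against a stated risk appetite, and net benefit after the control's own cost:

```python
"""What-if analysis of IAM control investments over a few threat scenarios.
Added illustration only: not HP Labs Identity Analytics, and every figure
below is constructed for the example."""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    key: str
    description: str
    freq_per_year: tuple    # (low, mode, high) events per year, triangular
    loss_per_event: tuple   # (low, mode, high) loss per event, triangular


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    freq_cut: dict   # threat key -> fraction of event frequency removed
    loss_cut: dict   # threat key -> fraction of per-event loss removed


@dataclass
class Outcome:
    option: str
    annual_cost: float
    mean_loss: float        # mean simulated annual loss with this option
    p95_loss: float         # 95th percentile of simulated annual loss
    net_benefit: float      # baseline mean loss - mean loss - annual cost
    within_appetite: bool   # p95 annual loss at or below the risk appetite


# Constructed scenarios; the numbers are illustrative, not from any survey.
THREATS = [
    Threat("orphan", "orphaned accounts abused after leavers",
           (0.5, 2.0, 6.0), (20_000, 80_000, 300_000)),
    Threat("privilege", "misuse of excessive standing privileges",
           (0.2, 1.0, 3.0), (50_000, 150_000, 600_000)),
    Threat("credstuff", "password reuse / credential stuffing",
           (1.0, 4.0, 10.0), (5_000, 20_000, 100_000)),
]

CONTROLS = [
    Control("automated deprovisioning", 120_000, {"orphan": 0.8}, {}),
    Control("MFA for all users", 90_000, {"credstuff": 0.9, "privilege": 0.2}, {}),
    Control("periodic access recertification", 150_000,
            {"privilege": 0.5, "orphan": 0.4}, {"privilege": 0.3}),
]


def _apply(control, threat, freq, loss):
    """Scale one threat's frequency and per-event loss by the control's effect."""
    if control is None:
        return freq, loss
    freq *= 1.0 - control.freq_cut.get(threat.key, 0.0)
    loss *= 1.0 - control.loss_cut.get(threat.key, 0.0)
    return freq, loss


def mode_expected_loss(threats, control=None):
    """Point estimate: sum over threats of most-likely frequency x most-likely loss."""
    total = 0.0
    for t in threats:
        f, loss = _apply(control, t, t.freq_per_year[1], t.loss_per_event[1])
        total += f * loss
    return total


def simulate(threats, control=None, runs=5000, seed=7):
    """Monte Carlo over parameter uncertainty: each run draws a frequency and a
    per-event loss per threat from its triangular range.  A fixed seed gives
    common random numbers, so every option is scored on identical draws."""
    rng = random.Random(seed)
    annual = []
    for _ in range(runs):
        year = 0.0
        for t in threats:
            lo, mode, hi = t.freq_per_year
            f = rng.triangular(lo, hi, mode)
            lo, mode, hi = t.loss_per_event
            loss = rng.triangular(lo, hi, mode)
            f, loss = _apply(control, t, f, loss)
            year += f * loss
        annual.append(year)
    return annual


def what_if(threats, controls, risk_appetite, runs=5000, seed=7):
    """Compare 'do nothing' with each control and rank options by net benefit."""
    def summarise(name, cost, losses, base_mean):
        mean = statistics.fmean(losses)
        p95 = statistics.quantiles(losses, n=20)[-1]   # 19 cut points; last is P95
        return Outcome(name, cost, mean, p95, base_mean - mean - cost, p95 <= risk_appetite)

    baseline = simulate(threats, None, runs, seed)
    base_mean = statistics.fmean(baseline)
    outcomes = [summarise("do nothing", 0.0, baseline, base_mean)]
    for c in controls:
        outcomes.append(summarise(c.name, c.annual_cost, simulate(threats, c, runs, seed), base_mean))
    outcomes.sort(key=lambda o: o.net_benefit, reverse=True)
    return outcomes


if __name__ == "__main__":
    for o in what_if(THREATS, CONTROLS, risk_appetite=900_000):
        print(f"{o.option:34} cost {o.annual_cost:>9,.0f}  mean loss {o.mean_loss:>11,.0f}"
              f"  p95 {o.p95_loss:>11,.0f}  net {o.net_benefit:>+10,.0f}"
              f"  within appetite: {o.within_appetite}")
```

Two design choices matter for this to be a fair comparison rather than a spreadsheet: every option is simulated on the same random draws (common random numbers), so a control's net benefit is not buried in sampling noise, and the tail (P95) is reported separately from the mean, because a control that barely changes the expected loss may still be the only one that brings the worst plausible year inside the organisation's risk appetite. Swap in the organisation's own threat list, ranges and control effectiveness estimates; the point estimates from `mode_expected_loss` give a quick sanity check on the simulated means.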

This is what we are exploring at HP Labs, in the broader space of security, with Security Analytics and, for IAM, in the specific context of HP Labs Identity Analytics.

I am very interested in your opinion and the (inevitable) different views of what the next big thing in IAM is going to be …


--- Posted by Marco Casassa Mont ---

