Friday, February 16

The End of IdM

I've been telling people over the last 2-3 years that in 5-6 years (circa 2010), there will no longer be stand-alone identity management companies. IdM will be rolled into the platforms. We've seen this Nostradamus-like prediction coming true as Oracle has moved in that direction for a few years now - Peoplesoft, Oblix, Thor, OctetString. And Sun too, of course. Microsoft has integrated many security features (anti-malware, firewall, encryption, etc.) into Windows. And now, I'm hearing more people saying the same. Especially at EMC. Art Coviello made this point clearly at the RSA conference. It's one of the reasons I joined RSA as they were becoming part of EMC. The future is wildly uncertain for smaller independent security providers. EMC really gets it. The focus is on information-centric security. The systems that control your information need built-in security -- not bolt-on security. Bill Gates' RSA address had much of the same focus.

Gates urged companies to think beyond traditional "glass-house" and perimeter-centric security strategies focused largely on keeping intruders and malicious activity out of corporate networks. What is needed, he said, is a "far more powerful paradigm" that uses security as a way to secure information access, not as an impediment to access.

"People want more access" to information, and they want that access at any time, from wherever they happen to be, and via whatever device they happen to have, Gates said. "Traditional network perimeters are fading away," mandating new approaches to security, he added.

This year and 2008 may be the last years for the independents. So, it's time to nail down the technology and get it into your favorite platform - the end is near and the paradigm is shifting.

2 comments:

Ron said...

Matt:

I have also believed that some of the functionality of IdM should be provided by the platform.

More specifically, I was thinking that this functionality should be built on top of the organizational directory. As such, I thought Microsoft is in top position among all the others that you mentioned. However, contrary to my assumption, I have not seen Microsoft moving fast enough in this direction.

Another reservation I have is that I expect the infrastructural functionality to be replaced, but not the business-oriented functionality such as role model management.

I believe that the role-based access control (RBAC) itself may be in the infrastructure. In fact, I expect Microsoft's Authorization Manager to play a key role in this. But the management of the role MODEL will likely remain an independent platform on top. In Eurekify, we strongly believe that the role model management will remain a business application.

What do you think?

-Ron

Dr. Ron Rymon
Founder, Eurekify
The Enterprise Role Management Company
http://www.eurekify.com

Matt Flynn said...

Thanks for the comment, Ron. It's an interesting point. I'm not entirely convinced, but I'm willing to listen. What is going to compel an enterprise to manage user roles in an external app rather than in the sources of record (e.g. SAP, AD, Peoplesoft)? Granted, the sources of record haven't had the right set of functionality and companies like Eurekify have been successful because of the tremendous amount of functionality that is not currently provided in the source systems -- yet is required by organizations with unorganized and unruly role infrastructures. Improved functionality is an obvious competitive advantage and companies like Oracle and SAP will eventually build in improvements in their role management capabilities. Enterprises have realized what a mess they've created. All the work they've been doing in role discovery and management will hopefully yield improved policies which will allow them to leverage a simpler set of functionality to achieve the desired results. In other words, once you fix the problem, it becomes much easier to manage. Regardless of my comment re: Nostradamus, I don't claim to know the future, but this seems like a logical progression based on my limited experience.

One last thing re: Microsoft - I don't know much about Authorization Manager but I like the idea of the XACML-like policy server in which to store policies that aren't easily captured in the network directory. Microsoft's solution seems to be analogous to that, but tightly coupled with their own technology set. But these technologies only address storage and access of roles and policies -- not how they're managed. So, even if they become a widely adopted technology, there's still a business opportunity for people-management systems to build role and policy management into their core offering.

...my 2 cents.