Do we need to kill IAM to save it?

28.02.2013 by Martin Kuppinger

Last week I received a newsletter from Radiant Logic, a vendor of Virtual Directory Services and some other IAM stuff like Federation Services. This newsletter pointed to a video of a presentation of Gartner analyst Ian Glazer titled “Killing Identity Management in Order to Save it,” which had been published on February 7th, 2013.

In this video he spends a lot of time on topics such as:

  • IAM is too static and typically HR driven
  • IAM is not focused on providing services and integrating with business applications
  • IAM is based on LDAP (and CSV) and other hierarchical approaches
  • 2013 will be the year of Identity Standards, especially OAuth, OpenID Connect, and SCIM
  • Identity Services like those provided by Salesforce.com

When I read the newsletter from Radiant Logic – which takes a fairly different view than Ian Glazer – and listened to the webinar, I started looking for some of the material my colleagues and I have written about this.

There is, for example, an article on our website arguing that HR should not be the only leading system for IAM – the article dates back to 2007 (and is available in German only). And there are more, on topics like the Identity Explosion and the need to deal with far more users.

I also found several articles from back in 2008 looking at Identity Services, and there were webinars and reports on that topic years ago. Some vendors, Oracle for example, have been integrating Identity Services into business applications for years now.

The end of LDAP in its current state was the topic of a blog post back in 2010 and I started discussing this with advisory customers at the same time.

Oh yes, clearly the standards mentioned will become more important this year. My colleague Craig Burton has described this on several occasions, including the KuppingerCole Scenario “The Future of Authentication”. And last year’s EIC hosted a workshop talking about the relevance of all these upcoming standards.

All the topics around identity services hosted by Salesforce.com or Microsoft’s upcoming Windows Azure Active Directory have also been a frequent topic in Craig’s blog posts and in some of our research notes.

There is nothing wrong with these theses. However, there is also not that much new in them.

Below the link to the video of the Ian Glazer presentation, there is the following claim:

The way the industry does identity management cannot incrementally improve to me [sic] future (and current) needs. I believe IAM must be killed off and reborn.

Given that I do a lot of advisory work besides research, like all the KuppingerCole analysts, I really struggle with this claim. There is no doubt that we need to “extend and embrace” what we are doing traditionally in IAM. It is about more than Identity Provisioning. Topics like versatile and context-/risk-based authentication and authorization, together with Identity Federation, are moving towards the center of attention – not only for core IAM challenges. We need to understand that there are new challenges imposed by the Computing Troika and that traditional approaches will not solve these.

However, I do not believe in disruptiveness. I believe in approaches that build on existing investments. IAM has to change, no doubt about that. But there will still be a lot of “old school” IAM alongside the “new school” parts. Time and time again it has been proven that change without a migration path is an invitation to disaster. Embrace and extend is the classical migration methodology for technical transformation strategies.

I plan to do a session on this topic at EIC 2013 – don’t miss it if you want to save your investments and spend your budgets in a targeted way to meet today’s and tomorrow’s challenges in IAM.


  • Pingback: IAM Disruption vs. Innovative Migration « Discovering Identity

  • Jim Willeke

    I agree.

    I also thought that some of his premises were not valid.

    Yes, LDAP can be hierarchical, but anyone who has done IAM successfully for any length of time, certainly in Large Organizations, would keep the user store flat.

    Displaying relationships in a graph has nothing to do with the underlying datastore and utilizing LDAP as a datastore for Graph is not an issue.
    Relationships can certainly be done within LDAP via many different approaches. (DN relations, Groups, Roles or attributes off the top of my head.)

    And I agree any IAM system still using CSVs has, well, already missed the boat.

    • Martin Kuppinger

      Hi,
      my point is not that much about LDAP and CSVs but the question whether we can and shall "kill" these approaches. LDAP is not perfectly suited for several of today's requirements. There is a good reason for new models for user stores and for Graph APIs etc. On the other hand, there is the need for further supporting LDAP – and it will remain for the foreseeable time, given the important role LDAP directories are playing today. On the other hand, customers should consider new alternatives for new implementations and new business cases once they are here and mature enough. The same is true for CSVs: Not elegant, but sometimes without alternative. Just think about all the access information Access Governance tools must collect from various sources – many of these sources just lack other interfaces, and in many cases it would be far too complex and costly to implement other ways of interaction. Think about the (low) number of systems which are typically connected to Identity Provisioning systems.
      My point is: There is a value in the new concepts (some of them being not that new…). But it is not about rip and replace, it is about embrace and extend.
      -Martin
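The LDAP-as-graph point in the thread above (a flat user store, relationships expressed through groups, roles or DN-valued attributes, and access information that Access Governance tools have to pull together) can be made concrete. What follows is an added example, not code from either commenter or from any product mentioned on this page: a constructed LDIF-style sample of a flat directory, a minimal parser for it, and a traversal that answers two access-review questions over it, expanding nested groups and terminating on a membership cycle. The DNs and group names are made up for illustration; `groupOfNames` with `member` attributes is the standard LDAP schema for DN-valued group membership.

```python
"""Flat LDAP-style entries (constructed sample) queried as a graph.

Groups reference members by DN; nesting and a reference cycle are both
resolved by a traversal over the flat store, not by the store's layout.
"""
from collections import defaultdict

# Constructed LDIF-style sample for this example; not data from any real directory.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol

dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

dn: cn=prod-deploy,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=developers,ou=groups,dc=example,dc=com
member: uid=carol,ou=people,dc=example,dc=com

dn: cn=oncall,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=prod-deploy,ou=groups,dc=example,dc=com
member: cn=oncall-backup,ou=groups,dc=example,dc=com

dn: cn=oncall-backup,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=oncall,ou=groups,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse minimal LDIF (attribute: value lines, entries separated by blank lines).

    Returns {dn: {attr: [values]}}. LDAP attribute names are case-insensitive,
    so they are lower-cased here; values are kept verbatim.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = defaultdict(list)
            entries[value] = current
        elif current is not None:
            current[name].append(value)
    return entries


def is_group(attrs):
    return "groupofnames" in (c.lower() for c in attrs.get("objectclass", []))


def effective_members(entries, group_dn):
    """Set of non-group DNs reachable from group_dn through 'member' references.

    Iterative depth-first walk with a visited set: nested groups are expanded
    once each, and the oncall <-> oncall-backup cycle in the sample terminates
    instead of recursing forever. DNs with no entry (dangling references) are
    skipped here; a real access review would report them.
    """
    users, visited, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in visited:
            continue
        visited.add(dn)
        attrs = entries.get(dn)
        if attrs is None:
            continue
        if is_group(attrs):
            stack.extend(attrs.get("member", []))
        else:
            users.add(dn)
    return users


def memberships_of(entries, user_dn):
    """Inverse question for an access review: every group that directly or
    transitively grants user_dn membership, computed over the same flat store."""
    return {dn for dn, attrs in entries.items()
            if is_group(attrs) and user_dn in effective_members(entries, dn)}


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for group in ("cn=developers,ou=groups,dc=example,dc=com",
                  "cn=oncall,ou=groups,dc=example,dc=com"):
        print(group, "->", sorted(effective_members(directory, group)))
    print(sorted(memberships_of(directory, "uid=alice,ou=people,dc=example,dc=com")))
```

The store itself stays flat (three people, four groups, all on one level below their OUs); the hierarchy and the graph live only in the DN-valued `member` attributes and in the traversal, which is the point made in the comment. The same `effective_members` routine works unchanged whether the entries were read from a directory export or assembled from the CSV extracts that Access Governance tools often have to rely on.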

© 2014 Martin Kuppinger, KuppingerCole