The Identity Explosion – one reason to re-engineer not only our IAM

25.04.2012 by Martin Kuppinger

During my Opening Keynote at this year’s EIC (European Identity & Cloud Conference), when talking about the Top Trends in IAM, Mobile Security, GRC, and Cloud Computing, I used the term “Identity Explosion” to describe the trend that organizations will continue (or start) to re-define their IAM infrastructures in order to make them future-proof. I talked more about that in my presentation on “Re-engineering IAM to better serve your business’ needs” later during the conference. Interestingly, I heard the term “Identity Explosion” being used several times in other sessions after that, referring to my keynote.

So today I want to look at that buzzword, at what’s behind the buzzword, and the impact of this “Identity Explosion”. IAM (Identity and Access Management) is about managing users and their access. However, most of the IAM infrastructures in place today were mainly built with the employee in mind. Even today I frequently observe in advisories that projects start with a focus on some (relatively) small groups of users, like the employees, some temporary workers, or maybe some of the business partners. However, the reality of many organizations is that they have – to use a real-world number – perhaps 28,000 employees and 4.5 million customers to deal with.

Thus one of the initial discussions in such advisories is always about ensuring that the scope is set wide enough: It is about looking at all potential types of users, at least during the conceptual phase. Organizations might start implementing for the internals, followed by business partners, and then the customers (and leads and prospects and suspects). But the design has to have the “Identity Explosion” in mind: This massive growth in the number of identities to deal with. That starts with simple things like the structure of identifiers and ends with scalability issues and the integration of different technical approaches, for example versatile, risk- and context-aware authentication and authorization. I’ve seen companies struggling with identifiers they had chosen only with employees in mind, and spending a lot of money to fix that.

But it is not only – and not even mainly – about the costs. It is about agility. If IT is not prepared to deal with all types of users and provide identity and security services for them, then IT will fail in supporting the business demands. These are about integration with partners and a tight interaction with the customers (and leads and so on). IT has to be prepared for that. It has to understand that there will be this “Identity Explosion” anyway, with a massively growing number of identities to deal with.

An interesting aspect which isn’t yet discussed much in this context is business policies, including segregation of duties. How do you deal with the situation in which the same person (e.g. you or me) could have at the same point in time the identity of a customer, freelance broker, and employee of the same insurance company? Three identities which have to be understood and managed: The same person might sell an insurance contract to himself and approve it, using three different identities.
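The conflict described above can be made concrete with a small check. This is an added example, not part of the original post: the identity records, the `person_id` correlation attribute and the contract roles are assumptions, and all values are constructed. It shows a segregation-of-duties rule that passes when it compares account identifiers and fails when the same rule is evaluated per natural person.

```python
from dataclasses import dataclass

# Constructed sample data: three identities of one natural person at the
# same insurer, plus one unrelated employee. person_id is a hypothetical
# link attribute produced by identity correlation.
@dataclass(frozen=True)
class Identity:
    account: str      # identifier in the source system
    kind: str         # "customer", "broker" or "employee"
    person_id: str    # correlated natural person

DIRECTORY = {i.account: i for i in [
    Identity("C-4500017", "customer", "P-001"),
    Identity("B-0931", "broker", "P-001"),
    Identity("E-28000", "employee", "P-001"),
    Identity("E-11402", "employee", "P-002"),
]}

# Roles on a contract that must not be held by the same party.
SOD_ROLES = ("policyholder", "seller", "approver")

def sod_conflicts(contract, key):
    """Return role pairs held by the same party; key defines 'same party'."""
    conflicts = []
    for i, role_a in enumerate(SOD_ROLES):
        for role_b in SOD_ROLES[i + 1:]:
            a = DIRECTORY[contract[role_a]]
            b = DIRECTORY[contract[role_b]]
            if key(a) == key(b):
                conflicts.append((role_a, role_b))
    return conflicts

def by_account(identity):
    return identity.account

def by_person(identity):
    return identity.person_id

# Constructed contract: one person acting through three identities.
SELF_DEALT = {"policyholder": "C-4500017", "seller": "B-0931", "approver": "E-28000"}
# Same self-sale, but approved by a different employee.
INDEPENDENT = dict(SELF_DEALT, approver="E-11402")

if __name__ == "__main__":
    for name, c in (("self-dealt", SELF_DEALT), ("independent", INDEPENDENT)):
        print(name, "account-level:", sod_conflicts(c, by_account),
              "person-level:", sod_conflicts(c, by_person))
```

The account-level check reports nothing for either contract, because the three identifiers are distinct; only the person-level key exposes that seller, policyholder and approver are one individual.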

And what I’ve discussed so far is just a small bang. The big bang is about the “Internet of Things”, at least for many organizations. An automotive vendor has to deal not only with his customers, dealers, employees, and suppliers. He also has to deal with the cars themselves, which again split up into many devices with their own “identity”. This again will increase the number of identities to deal with.

Having the “Identity Explosion” in mind when working on strategies, concepts, and implementation of IAM and all the related technologies helps avoid solutions which can’t scale with the changing business requirements. Thus looking at your current IAM and thinking about how to get ready for that is one of the things you should start doing now.

EIC 2012 – some take-aways

23.04.2012 by Martin Kuppinger

EIC 2012, the European Identity and Cloud Conference, is history now. We had a week fully packed with a lot of great keynotes, sessions, panels, and workshops. For me, it definitely was the year in which the EIC was most influential to my own thinking. The reason for that was simply that we had a lot of very good panels and other types of sessions related to some research we published around EIC or are currently working on. The three key topics were:

  • The KuppingerCole IT Paradigm which we have described as a model for developing IT infrastructures and organization in a way that it is fit for the large changes we are facing, like Cloud Computing, the impact of Mobile Computing, and others.
  • The Open API Economy, a concept which Craig Burton had started writing about quite a while ago and which is fundamentally changing the way service providers, organizations, app providers, and even individuals will work together.
  • Life Management Platforms, a concept which goes well beyond the limited reach of most of today’s Personal Data Stores and Personal Clouds. It will fundamentally affect the way individuals share personal data and thus will greatly influence social networks, CRM (Customer Relationship Management), eGovernment, and many other areas.

These topics all are tightly related. Doing IT with focus on services and information security allows consuming services much more efficiently. The Open API Economy provides these services and is increasingly successful, with massive growth of available APIs and their use. Life Management Platforms will require organizations to deal differently with services that affect individuals – and individuals will be able to expose their personal data in a privacy-aware and secure way that they never have been able to before.

There are several KuppingerCole reports available around these topics – and we are working on new ones which will be published soon. Some of them will go into more detail. One of the documents will cover the consumer view on the Open API Economy. There will be more scenarios, looking at the impact of the KuppingerCole IT Paradigm for other areas of IT, like Access Governance, Enterprise GRC, or IT Service Management.

There will be research which looks at the changing economics for CRM and the impact Life Management Platforms will have there. There will be other research looking at the very interesting and promising economics of Life Management Platforms. And there will be research looking at how concepts like the Open API Economy and Life Management Platforms are essential to the “real world”, such as making the Connected Car/Vehicle really work.

However, EIC was certainly not only about these new hot topics. An important topic at EIC, more down to earth, was modern architectures for IAM (Identity and Access Management). We’ve had interesting sessions around this topic, including a workshop focusing on whether, when, how and where to migrate legacy identity provisioning systems.

EIC again was a great mix of thought leadership and best practices, with some very interesting and well attended workshops on Friday. Organization for EIC 2013 Europe has begun. The conference will be again in May (instead of April). The details will be announced soon. But you should block mid May 2013 now for the next EIC.


EIC 2012 – what I will talk about

11.04.2012 by Martin Kuppinger

Next week, EIC 2012 (European Identity and Cloud Conference) will take place in Munich. The conference will again grow significantly, and we will have a mass of interesting sessions there, ranging from keynote sessions to panels, best practices, and several workshops and roundtables. You definitely shouldn’t miss that conference.

I want to give a sneak peek at what I will talk about this year. The Opening Keynote on Tuesday, April 17th, 2012 will be about trends in IAM, GRC, Cloud Computing, and Mobile Security. I also will provide a quick view of the KuppingerCole IT Paradigm, which is one of the central themes provided by KuppingerCole at EIC 2012. We have defined that paradigm and the underlying model based on our experiences in research and advisory services to provide a consistent guideline for refining IT and to really become ready for the age of Cloud Computing, Mobile Computing, and Social Computing. This model is about how to provide the services business really wants while securing corporate information adequately. I think it helps a lot in adapting IT organizations to the changing requirements of business.

A little later, I will be part of an interview-style keynote session, which is about the privacy and information security challenges we are facing in 2012 and beyond. This definitely will become an interesting discussion, with Roy Adar of Cyber-Ark, Shirief Nosseir of CA Technologies, and Jim Taylor of NetIQ participating and Dr. Nigel Cameron of the Center for Policy and Emerging Technologies (C-PET) moderating the session.

The following day, I’ll start with a session that explains how the KuppingerCole IT Paradigm helps in increasing the value IT provides to the business. Following that presentation, we will have a panel discussion about how IAM can catalyze the secure enterprise. This panel will definitely become a highlight of EIC 2012, with some Ex-Burton analysts participating: Craig Burton, Gerry Gebel, and Mike Neuenschwander.

After that session, I’ll use the KuppingerCole IT Paradigm to describe what the future IT Organizations should look like – an IT Organization which is much closer to the business and which helps in dealing with changes such as Cloud Computing. There will be a new report describing this topic coming out right before EIC (and there are also new and updated reports on the KuppingerCole IT paradigm available).

Another very valuable report will be the one on “Personal Data – Life Management Platforms”. There will be a roundtable on that topic moderated by Doc Searls, of the Berkman Center for Internet and Society at Harvard University, and myself.

Another session will be about “One IT, One IAM” – this is a session going beyond IAM and linking Cloud, IAM, and the way we structure IT. This is about how to end up with one IT that serves all your needs instead of separate solutions for different types of Clouds and your on-premise IT.

Also pretty interesting is the “Re-engineering IAM” session. I have just written two reports, an update on my view of Access Governance Architectures and another one looking at whether, when, how, and where to migrate existing legacy Provisioning systems you might have.

In a joint session with Craig Burton we will link the KuppingerCole IT Model and the API Economy, a paradigm focusing on the increasing number of available APIs and their use.

Besides these sessions, I’m also involved in some others around virtualization and the security of Big Data. And there will be some other new reports out for EIC, written by several of the KuppingerCole analysts like Craig Burton, Fulup ar Foll, Prof. Dr. Sachar Paulus, Mike Small, Dave Kearns, and me.

So there’ll be a lot of interesting topics at EIC 2012. There will be for sure many more sessions on other topics and there will be virtually all relevant players in the exhibition area. So don’t miss EIC 2012.

You will find all information about EIC here:

All current and upcoming KuppingerCole research is available here:

© 2015 Martin Kuppinger, KuppingerCole