Last week I had the privilege of participating in a panel session at Ping Identity’s London conference, Identify 2015. It was great to be able to share experiences with some key movers in the IAM industry, including Eric Sachs, Product Management Director for Identity and Google, Justin Slaten from Netflix who has led their recent deployment of PingFederate, Bob Tarzey, an industry analyst from Quocirca specialising in Identity, and Peter Groeneveld who heads up ABN AMRO’s identity management deployment.
We started the discussion by reflecting on how the key driver for Identity and Access Management deployment is the digital transformation taking place in most organizations. At ProofID, we certainly recognizerecognise this within our customer base; the modern reality is that most business initiatives involve many different user constituencies – staff, partners, contractors, customers, citizens – and managing these identities is a fundamental part of doing business. Identity management has moved from being a backroom ‘plumbing’ technology to being a key business driver, and that is certainly driving adoption.
The conversation then turned to IAM as a part of the overall security picture. The general consensus was that while all agreed that should be a fundamental part of security, many organizations have something of a ‘blind spot’ in this area; examples were shared where core identity governance was not in place (e.g. users not being ‘off-boarded’ when access is no longer required) which can undermine the overall security framework. There is work to do here – whilst identity management has moved on, many organizations still perceive security in an outmoded way, i.e. inside is good, outside is bad. One of the key themes from the event was that in the modern world, everyone is an ‘insider’, and the security model needs to change to reflect that.
Justin from Netflix gave a fascinating insight into the work they’ve done with Google and Ping to deploy a cloud-centric identity and access management solution; the standout for me was when Justin said that Netflix had concluded that Google provided the safest environment for them to store their identities – this maybe seems contrary to received wisdom but makes a lot of sense if you’ve ever experienced Google’s intruder detection systems in action (I got an email the other day from Google saying that someone from China tried to access my account, so they changed my password – does your IAM system do that for you?). Whilst this approach may not be right for everyone, it was a really interesting glimpse into a possible future and a great demonstration of what can be done with current technology.
We finished by predicting how IAM will look in three years. My take – widespread adoption of social login outside of the common retail use case (for example, universities will be using social login to acquire students and communicate with Alumni). Also, most organizations will have a hybrid IAM environment – partly on-premise and partly in the cloud. Check back in three years for my blog where I’ll reveal what actually happened!