Reflecting on 10 Years of IdM Technology

This week commemorates Dave Kearns’ 10th anniversary writing Network World’s Identity Management newsletter. As a faithful follower over the past decade, I’m sending hearty congratulations to Dave for his feat. Keep those insights coming!

Dave’s column this week led me to reflect on how the IdM market has changed over the last 10 years. In 1999, the term “identity management” was not even in our lexicon – and in fact vendors and analyst firms spent a lot of time and energy debating what to call the emerging market. The birth of provisioning systems (itself a new term for our industry) was driven by the idea that user administration could be centralized, automated, and made more cost-effective. Designed mainly to relieve the burden on help desk staff and sys admins, provisioning solutions were primarily marketed and sold as a labor-saving improvement. It was a product designed for IT and sold to IT buyers. Initially, a lot of the focus was on demonstrating ROI.

Of course, the terrorist attacks of September 11, 2001 brought about a heightened focus on IT security, and the value proposition for provisioning shifted in the direction of securing the enterprise as well as providing a strong ROI. Around 2002-2003, another significant shift occurred in our market. Compliance was becoming more and more of a driver, as regulations like SOX, HIPAA and GLBA were introduced into law and took effect throughout the early 2000s. Businesses in the U.S. – and around the world – were trying to sort out how to manage these new mandates. It seemed like a natural fit for provisioning; after all, it was a means to centralize and automate how user access was granted and removed.

Ironically, the very nature of provisioning limited its ability to meet compliance requirements: the typical provisioning deployment manages around 10 resources, and most often these are not even the targets for compliance initiatives but rather the high-population, high-churn systems that consume the most manpower to manage onboarding and offboarding. In addition, most provisioning systems are deployed to manage account-level access only and provide little visibility into the fine-grained application entitlements that define what actions a user can actually perform within an application – a key compliance requirement. Lastly, provisioning systems were designed for technical users, so their UIs are too complex for business managers, auditors, and compliance staff.

With compliance demands increasing and security threats becoming ever more sophisticated, I believe the IdM industry is now witnessing another inflection point. Ten years from where we started, provisioning technology still can’t provide end-to-end visibility and control across all high-risk systems and applications. In response to the need for stronger auditing and sustainable controls in the identity realm, centralized identity governance tools are proving themselves to be a better technology for governance, risk management and compliance. I believe 10 years from now, we’ll be reflecting on how significantly identity governance has shaped the IdM space.

I also believe the next decade will be defined by discriminating customers who want results immediately and who don’t believe throwing more money at legacy tools and processes is a viable solution. It will be marked by impressive innovation in the identity realm, led by identity governance vendors who are willing to rethink how identity data affects business decisions. Those same companies – SailPoint included – will enable companies to successfully manage compliance and security from a risk perspective – applying appropriate levels of oversight and audit where they matter the most. We may see a few dinosaurs try to evolve, but I doubt their products can live up to their multimillion-dollar marketing claims.

How do you think the IdM market will change in the next 10 years?