The Road Ahead for IAM According to Gartner’s Lori Robinson

The future of IAM involves adapting to mobile, cloud, social and information challenges, according to Lori Robinson, VP of Research, Identity and Privacy Strategies, for Gartner. Robinson spoke at SailPoint’s Navigate ’14 conference and challenged the audience to be more proactive about IAM.

Today, IAM is in a state of flux. The digital economy is changing so quickly that many companies and even their IAM vendors are falling behind. Risks are proliferating, but the tools we have at our disposal to mitigate those risks are evolving much more slowly. However, before we can get ahead of those risks, we need to gain a deeper understanding of the forces sparking change.

Robinson referred to these as the “Nexus of Forces.” Those forces are social, mobile, cloud and information. Together, they combine to challenge the status quo of identity management. How do you account for a ballooning user base, which may now include partners and customers, all of the devices those users rely on, and the numerous ways they connect through social media?

Moreover, what do you do to protect all of the critical data that those people, devices, and even apps create? Yes, that’s right. Devices and apps are automatically churning out data (location data, user behaviors, usage patterns, etc.) that has important privacy implications.

“The result is that we now live in a world where users expect anytime, anywhere, any device access to a range of applications and services,” Robinson said. IAM will be the key ingredient that makes this all work in a secure and managed way.

Robinson noted that IT has been slow to catch up to one of those “Forces” in particular: social. “Social permeates business,” Robinson said. “IT may regard social as something you do at home, but that’s no longer true. IT could learn a lot from spending more time with their digital marketing colleagues, who are starting to figure social out.”

Marketing departments often go around IT today, since IT tends to put the brakes on social deployments. As a result, many marketing departments deploy their own services and even set up their own secret IAM that IT doesn’t know about. This is a short-term fix that could lead to serious problems down the road, especially as sensitive data proliferates at an increasingly accelerated rate. Marketers are just not trained to handle privacy concerns and other data-risk issues like IP theft.

Physical and Virtual Worlds Merging 

Robinson predicted that by 2020 all businesses will be IT organizations. As the physical and virtual worlds collide and merge, user provisioning and ID management becomes an ever-bigger challenge, since much of what will be managed and provisioned will be devices.

“When my fork tells me to slow down and chew my food, or my toothbrush alerts me to the fact that I missed a back tooth, or my shoes inform me that I’ve walked 5,000 steps, the identity equation fundamentally changes,” Robinson said.

All of that information is useful, but it all must be protected. Consumer privacy will encompass so much more than it has in the past that organizations must be proactive about figuring out the risks associated with all of the data that comes pouring in as the Internet of Things becomes a reality.

Risk management and security will become more and more important, representing the only way to make sense of this chaos.

“Without risk management and security, organizations won’t be able to navigate the Nexus of Forces. Risks must be mitigated. Data must be secured, and consumer privacy must be protected. Otherwise, the Nexus of Forces will overwhelm business,” Robinson said.

In order to take back control, Robinson recommends that organizations:

  • Understand the role of IAM in the Nexus of Forces
  • Prepare to be digital businesses
  • Build an agile IAM system (and consider IdaaS when appropriate)
  • Document use cases to guide you — documenting them all the way down to the transaction level
  • Apply sound access governance principles to users, entitlements, and identity roles
  • Embrace federation
  • Incorporate risk decisions into IAM deployments
  • Push for standards

Finally, Robinson also recommended that businesses in general and IAM vendors in particular begin to build an “Identity Economy.” IT knows that there is untold value in Identity, but IT really doesn’t know how to quantify or even explain that value. Robinson believes that this untapped Identity value could add up to an entire Identity Economy. After all, if I’m monitoring many of my health attributes through wearable technologies, I will want to share that information with various apps and services that will help me monitor and maintain my health. However, that data must be protected. If hackers can use a social media profile to break into your bank account, imagine what they can do with much more personal information.

The value in that data can’t be underestimated, but we need to start consciously building an Identity Economy, so we can value, use and manage that data properly. Identity will be the foundation that makes the Internet of Things, Big Data and the Nexus of Forces work for users, rather than against them. Without a solid identity foundation, the risks eclipse the benefits.

But businesses are so drawn to those potential benefits that they won’t let risks slow them down. Thus, there’s only one way forward, and that way features identity in a starring role.