Is your identity and access management fit for purpose?

In the old days, identity and access management (IAM) was a mainly internal affair; employees accessing applications, all safely behind a firewall. OK, perhaps the odd remote user, but they tunnelled in using a VPN and, to all intents and purposes, they were brought inside the firewall. Those days are long gone.


Today the applications can be anywhere and the users can come from anywhere. Quocirca research (Masters of Machines II, June 2015) shows almost 75% of organisations are now using cloud-based software-as-a-service (SaaS) applications with a similar number using infrastructure or platform-as-a-service (IaaS/PaaS) to deploy applications that run in 3rd party data centres. As for the users, as another recent Quocirca research report shows (Getting to know you, June 2015), they can be anywhere too.


It is not just the rise in the number of employees working remotely, but the fact that applications are opened up to outsiders. Whether it is better managing supply chains through sharing applications with partners and suppliers, managing distribution online or transacting directly with consumers, almost all organisations are interacting with external users beyond their firewall.


Furthermore, this is not a small scale opening up to a discrete set of users; the numbers involved are big. The average European enterprise is dealing with approaching a quarter of a million registered external users. For organisations that are dealing with consumers, such as financial services and transport organisations the numbers are even higher. Dealing with this complete reconfiguration of the way IT applications are managed and accessed has required a re-think of IAM.


The “Getting to know you research shows that only 20% of organisations think their current IAM systems are fit for purpose. IAM covers a range of capabilities including user provisioning, compliance reporting and single-sign-on. There is also an increasing requirement for federated identity management, which is the bringing together of identities from multiple sources and apply a common policy. For the majority, the primary source of identity for employees remains Microsoft Active Directory but this is now supplemented by a range of other sources for external users. These include partner directories, government databases, lists from telco service providers, member lists of professional bodies and, especially when it comes to consumers, social media.


The trouble is that many IAM systems were designed to deal with the old way of doing things. They were often purchased as part of software stack from a vendor like Oracle, CA or IBM. Many organisations are now struggling to adapt these legacy IAM systems for the new use cases. As with any legacy system, wholesale replacement is often impractical if not impossible. The result is that new IAM suppliers are being introduced and integrated with the old.


The average organisation has at least 2 IAM suppliers; the number is higher when stack-based IAM is being adapted to deal with external users. The second IAM system is likely to be a SaaS system, designed for provisioning users from a wide range of identity sources to other cloud applications. IAM systems are becoming hybridised, legacy IAM for internal users and some older relationships (such as those with contractors) integrated with cloud-based management for remote workers and users from partners, business customers and consumers. 39% of the respondents to the “Getting to know you research are taking a hybrid approach to federating identities and 53% are doing so for single sign on, a particularly effective way of handling access to cloud-based resources for internal and external users. Both numbers rise for consumer-facing organisations.


A small number of organisations, around 10%, have moved entirely over to a SaaS-based IAM system such as Ping Identity’s PingOne, Intermedia’s AppID (from its SaaS ID acquisition), Okta, OneLogin or Symplified. Traditional stack-IAM vendors are updating their products; for example, CA SiteMinder, Symantec’s SAM and IBM via its 2014 acquisition of Lighthouse Security. Other cloud service providers, such as Salesforce, have entered the IAM market, in its case by working with the open source provider ForgeRock.


The last decade has seen a revolution in the IAM market. The old guard will attempt to keep up with the up-starts. However, it seems that simply being an incumbent IAM supplier is not enough, so in order to keep up there is likely to more acquisition and consolidation.