First-generation Identity as a Service (IDaaS) was a fashion statement that’s on its way out. It was cool while it lasted. And it capitalized on some really important business needs. But it attempted to apply a tactical fix to a strategic problem.
We all know by now that the world has changed. The way we secure information assets today barely resembles the approaches of the last decade. When I hear security marketers still talking about ‘erosion of the perimeter’, I cringe. The perimeter is long gone. If employees have access to data, it’s already on their mobile devices and it’s being shared via cloud services. Outsiders are in and insiders are out; that debate is long over. But we’re still in the infancy of solving the bigger problem, which is addressing the security needs of next-generation businesses.
In the early part of the ongoing Digital Transformation, many organizations found themselves scrambling to react to changing business needs. Adoption of SaaS, cloud services, and mobile devices took off so quickly that IT and Security practitioners (who were often left out of buying decisions) faced difficult challenges with regard to maintaining service levels and enforcing security policies.
A new wave of narrowly focused security solutions quickly emerged to address some of the increasing security concerns facing Digital Businesses. Among them, cloud-based Identity and Access Management (IAM) solutions (often referred to as Identity-as-a-Service or IDaaS) emerged to help bridge the gap between increasingly mobile user populations and cloud-based SaaS applications.
In an effort to react quickly, organizations bought into tactical solutions that were designed to serve only one small segment of their target application set. These first-generation IDaaS solutions created silos that typically need to be managed separately from the rest of the organization’s enterprise IAM solutions, requiring special knowledge and additional ‘care and feeding’. And, making matters worse, these solutions manage access to SaaS applications separately from other enterprise access. This is the situation many organizations find themselves in today.
As these organizations become more digital and incorporate digital thinking into their core business strategies, it’s time to rethink their reactive tactics and to look at longer term requirements and more stable approaches that enable both quick, responsive action and also solid, predictable performance. It’s time to seek out solutions that address the full set of enterprise needs and to tear down the individual silos that have popped up as stop-gap measures. Reactive solutions do well to stop leaks, but they fall short of addressing long-term needs. There are two trends that are currently changing the way organizations approach security for Digital Business and are already impacting IAM buying decisions.
First, convergence is critical. Security functions are coalescing into fewer solutions that cover more ground with less management overhead. Digital Enterprises want more functionality from fewer solutions. The overabundance of attack surfaces and the widespread confusion about how to prioritize and address the variety of threats have left security practitioners wanting more: more simplification, more intelligence, and more visibility.
Second, the basic role of IAM is shifting from one of defense-and-control to one of enablement. Digital businesses can only succeed if they are agile and able to provide the best possible user experience, free of obstacles. In order to manage risk in a more open environment, organizations seek to leverage context and analytics to enable secure interaction between employees, partners, customers, and data. Increased context reduces the reliance on obstacles and enables a more open and fluid user experience. A singular view of a user across legacy, enterprise, mobile, and cloud applications enables greater visibility and an improved ability to respond to compliance mandates.
The next generation of IAM is engineered specifically for Digital Business, providing a holistic approach that operates in multiple modes. It adapts to user demands with full awareness of the value of the resources being accessed and the context in which the user is operating. Moving forward, you won’t need different IAM products to address different user populations (like privileged users or partners) and you won’t stand up siloed IDaaS solutions to address subsets of target applications (like SaaS).
The first generation of cloud-based IAM introduced some key enablers for Digital Business that won’t be lost in next-generation IDaaS solutions. The ability to quickly on-board users and applications is critical. The ability to authenticate users wherever they are, understand context, and facilitate access quickly and easily will continue to be a core function of next-gen IAM. But IAM buyers can no longer think in terms of IAM silos for subsets of users or subsets of target applications. That approach is unable to answer enterprise-wide questions, to enforce enterprise-wide policies, or to enable enterprise-class governance. It will, in short, leave you wanting more.
Next-generation IDaaS builds on all the promises of cloud computing but positions itself strategically as a component of a broader, more holistic IAM strategy. Next-gen IDaaS fully supports the most demanding Digital Business requirements. It’s not a stop-gap and it’s not a fashion statement. It’s an approach enabling a new generation of businesses that will take us all further than we could have imagined. I look forward to enjoying the ride.