Current enterprise identity management deployments are too static for the emerging services world, and next year will mark a transition point as corporate IT contemplates ID in an environment without borders, according to a new report.
“There is a fork in the road coming,” says Ian Glazer, research vice president on the identity and privacy team at Gartner. “Identity management can’t continue on this path of incremental gains and changes because that path ends in a place that is fundamentally different than where things have to go.”
Where things are going includes social identities, cloud services, mobile devices and new application development protocols – namely REST – that are eroding corporate boundaries and eliminating differences between internal and external user populations.
Glazer’s observations are contained in the just-released report “2013 Planning Guide: Identity and Privacy” (available to Gartner subscribers only).
The report lays out four trends IT needs to understand in 2013: ID standards, the rise of stateless identity, dissolving internal/external boundaries and identity assurance. The report also details what identity issues IT cannot ignore and what things IT should do in 2013.
“Identity being built into business services rather than a separate entity is the natural maturation of identity,” said Glazer. “The enterprise can’t own and can’t dictate all the ways identity is coming into and going out of its network.” For example, cloud services may be making API calls into enterprise systems using an externally issued ID to validate access permissions.
“It happens subtly at first, but enterprise people I am talking to are now recognizing pieces of it,” he said. “They say things like ‘I have this new API layer that our mobile apps will use, maybe client apps we build or apps our employees may use, but the access path looks identical.’ What does this mean for identity management? It’s no longer cut and dried, internal and external.”
Corporate IT will have to re-think current internal processes that trigger ID creation, provisioning, and application authorization, and think about external IDs triggering internal processes and how ID is managed in that context.
“That is a tough transition,” says Glazer. “It’s tough to pull your head up from the static world of on-premises user management to the more dynamic world.” He says old school stateful identity has its place in legacy environments, but “that is not the contemporary Web. That is not what the Web and developers are using.”
Some bleeding-edge companies will make the transition in 2013, but for most, 2013 will be a set-up year; in 2014 the transition will go mainstream.
Standards will play a major role, and the report highlights OAuth 2.0 and the standards that build on it, namely OpenID Connect (authentication) and System for Cross-Domain Identity Management (SCIM; provisioning).
“Getting OAuth ratified [by the IETF] this year was the momentum for 2013 ID standards,” said Glazer.
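The boundary crossing described earlier, a cloud or partner service calling an internal API with an externally issued ID, comes down to the API validating that token locally before it acts on it. The following Python is an added example (not code from the article or the Gartner report) of the checks an OAuth 2.0 / OpenID Connect relying party performs on a JWT: signature, pinned algorithm, issuer, audience, validity window and scope. The issuer URL, audience name, shared secret and HS256 signing are assumptions made so that the example runs offline; a production API would fetch the provider’s public keys from its JWKS endpoint and verify RS256 or ES256 signatures with a vetted library rather than hand-rolling the parser.

```python
"""Validate an externally issued JWT at an internal API boundary (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumed values for this example only (not from the article or the report).
ISSUER = "https://idp.partner.example"   # external identity provider we trust
AUDIENCE = "inventory-api"               # identifier this API expects in 'aud'
SECRET = b"demo-shared-secret"           # HS256 key shared with the IdP (demo only)
CLOCK_SKEW = 60                          # seconds of tolerated clock drift


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT; stands in for the external IdP so the demo runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


class TokenError(Exception):
    """Raised when a token fails any check; the message names the failed check."""


def verify_token(token: str, now: Optional[float] = None, secret: bytes = SECRET) -> dict:
    """Verify signature and the claims a relying party must check; return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed token")
    # Pin the algorithm instead of trusting the token's own 'alg' header
    # (blocks alg=none and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed token")
    # Only now that the payload is authenticated do we look at what it says.
    if claims.get("iss") != ISSUER:
        raise TokenError("untrusted issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not intended for this API")
    if "exp" not in claims:
        raise TokenError("missing exp")
    if now > claims["exp"] + CLOCK_SKEW:
        raise TokenError("token expired")
    if now < claims.get("nbf", 0) - CLOCK_SKEW:
        raise TokenError("token not yet valid")
    if "sub" not in claims:
        raise TokenError("missing subject")
    return claims


def authorize(token: str, required_scope: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Gate an internal API call on an externally issued token.

    Returns (True, subject) on success or (False, reason) on failure.
    """
    try:
        claims = verify_token(token, now)
    except TokenError as err:
        return False, str(err)
    if required_scope not in claims.get("scope", "").split():
        return False, "insufficient scope"
    return True, claims["sub"]


if __name__ == "__main__":
    t0 = int(time.time())
    tok = issue_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice@partner.example",
                       "iat": t0, "exp": t0 + 300, "scope": "inventory.read"})
    print(authorize(tok, "inventory.read"))    # (True, 'alice@partner.example')
    print(authorize(tok, "inventory.write"))   # (False, 'insufficient scope')
```

The order of checks matters: the signature is verified before any claim is read, so a tampered payload or a token from another issuer never influences the decision, and the algorithm is fixed by the API rather than taken from the token.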
The report also says authentication, the task of entering and re-entering usernames and passwords, will evolve into “recognition”: after an initial authentication, systems recognize users by characteristics such as location, behavior and time of day.
“You won’t be constantly pestered for ID,” said Glazer. “And in most cases you will have a higher assurance who the user is.”
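What “recognition” looks like in code: the following Python is an added example, not code from the article or the report, that scores a new login against a user’s previous logins using the characteristics the report names (location, behavior in the form of the device used, time of day) plus a travel-speed check, and decides whether to recognize the user silently, re-prompt for credentials, or refuse. The login history, coordinates, signal weights and thresholds are constructed for illustration; the hour-of-day profile is deliberately simple and does not handle usual-hours windows that wrap around midnight.

```python
"""Recognise a returning user from context instead of re-prompting (added example)."""
import math
from datetime import datetime
from typing import Dict, List, Tuple

# Thresholds are assumptions for this example, not figures from the report.
HOUR_TOLERANCE = 2        # hours outside the user's usual login window that count as odd
MAX_TRAVEL_KMH = 900.0    # faster than this between two logins is "impossible travel"
STEP_UP_AT = 2            # score at which the user is re-prompted
DENY_AT = 4               # score at which the session is refused

Event = Dict[str, object]


def make_event(ts: str, device: str, country: str, lat: float, lon: float) -> Event:
    """Build a login event; ts is ISO 8601 (UTC assumed), e.g. '2013-01-10T11:00'."""
    return {"ts": datetime.fromisoformat(ts), "device": device,
            "country": country, "lat": lat, "lon": lon}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two coordinates."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def assess(event: Event, history: List[Event]) -> Tuple[str, List[str]]:
    """Score one login against the user's prior logins.

    Returns ('recognize' | 'step_up' | 'deny', [reasons]). Each signal adds to a
    score; a single weak signal (new device) is tolerated, while a combination
    or a strong signal (impossible travel) forces a step-up or a refusal.
    """
    score, reasons = 0, []

    if event["device"] not in {h["device"] for h in history}:
        score += 1
        reasons.append("new device")

    if event["country"] not in {h["country"] for h in history}:
        score += 2
        reasons.append("new country")

    # Usual hours: min..max of past login hours plus tolerance (no midnight wrap).
    hours = [h["ts"].hour for h in history]
    if not (min(hours) - HOUR_TOLERANCE <= event["ts"].hour <= max(hours) + HOUR_TOLERANCE):
        score += 1
        reasons.append("unusual hour")

    # Speed needed to get from the last login's location to this one.
    last = max(history, key=lambda h: h["ts"])
    elapsed_h = (event["ts"] - last["ts"]).total_seconds() / 3600
    if elapsed_h > 0:
        km = haversine_km(last["lat"], last["lon"], event["lat"], event["lon"])
        if km / elapsed_h > MAX_TRAVEL_KMH:
            score += 3
            reasons.append("impossible travel")

    if score >= DENY_AT:
        return "deny", reasons
    if score >= STEP_UP_AT:
        return "step_up", reasons
    return "recognize", reasons


# Constructed history for one user: weekday logins from New York on one laptop.
NYC = (40.7128, -74.0060)
LONDON = (51.5074, -0.1278)
SAMPLE_HISTORY = [
    make_event("2013-01-07T09:00", "laptop-A", "US", *NYC),
    make_event("2013-01-08T10:30", "laptop-A", "US", *NYC),
    make_event("2013-01-09T14:00", "laptop-A", "US", *NYC),
    make_event("2013-01-10T09:00", "laptop-A", "US", *NYC),
]

if __name__ == "__main__":
    for ev in [
        make_event("2013-01-10T11:00", "laptop-A", "US", *NYC),     # routine login
        make_event("2013-01-10T11:00", "phone-B", "US", *NYC),      # new device only
        make_event("2013-01-10T11:00", "laptop-A", "GB", *LONDON),  # New York to London in 2h
        make_event("2013-01-13T11:00", "phone-B", "GB", *LONDON),   # new device, abroad, days later
    ]:
        print(ev["ts"].isoformat(), ev["device"], ev["country"], assess(ev, SAMPLE_HISTORY))
```

The scoring is additive so that a single benign change (a new phone) does not pester the user, which is the point Glazer makes, while two changes at once, or one that is physically implausible, raise the assurance bar before access continues.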
Unfortunately, it won’t come without some work, most notably IT getting its head around a new definition of “federation” that encompasses coordination of internal, external, mobile, SaaS, API and cloud identities. IT will have to think of ID as baked into services rather than as an add-on, and learn new architectural pieces such as identity bridges, which offer services to ease boundary crossings.
“Identity will be considered successful when it fades into the background and is part of other services,” says Glazer. “It won’t happen in one step, but we have to start making the journey.”