IAM in the Year 2030 - An Action Packed Sci-Fi Thriller

As anybody who has worked with me over the years will confirm, I’m an incorrigible hoarder of digital content. I have a superstitious fear that once I delete a file, I'll need to look it up as soon as it's gone to that big recycle bin in the sky, even if I haven't opened it in years. So, instead of cleaning up all my old content, I use a dedicated cloud storage account as an archive for the 2.5 terabytes of data I’ve amassed over the past thirty-odd years. Every few months, I’ll spend a quiet weekend afternoon diligently organizing it.

It’s always interesting to stumble across old content that I’d completely forgotten about. But I still can't bring myself to delete it. It doesn’t matter whether the file is a useless C++ and Java code library that I wrote back in my engineering days, a blurry photo of a random person climbing a random tree in Albania from my backpacking days, or a low-resolution capture of a whiteboard session that took place so long ago that the phrase “Y2K… something, something… ACF2… something, something… Netscape” is scrawled on it in red marker. The word “Delete” simply fills me with anxiety because who knows when I’ll suddenly need to look up the height of that Albanian tree?

On one recent rainy Sunday afternoon, I had a nostalgic urge to casually browse some old articles I'd written (yes, yes, I know... get a life. I've heard it all before). One of them was a long-forgotten thought leadership piece that I'd written for a previous employer in 2011, in which I made some earnest predictions about what IAM would look like by 2021. Thankfully, these prognostications disappeared from the web a long time ago, because reading them provided a humbling reminder of why I didn’t pursue a career as a fortune teller. In fact, if I had a time machine that would enable me to speak to my 2011 self, I would tell him three things. One, don’t drink the lime green shot at that Venice Beach bar in 2012. Two, definitely don’t drink the blue-colored one either. And three, don’t predict that SCIM and XACML will revolutionize the IAM landscape by 2020. Because, yeah, that was exactly what my younger self predicted would happen.

Admittedly, that article was written more than a hundred IAM projects ago. But it reminded me how those of us on either the services or product side of this industry have an occasional tendency to become so enamored of cool new products and standards that we lose sight of the real-world investment drivers for IAM adoption. When you spend your entire career in a technology niche like IAM, it's easy to forget that identity is just one of many technology domains competing for budget and resources in an IT landscape that has become ferociously transformative in recent years.

But even though my 2011 predictions missed the mark, revisiting some of the comments I made about the immaturity of IAM product offerings back then reinforced just how far we've come in the past decade. In terms of the maturity, reliability and sophistication of today's leading identity tools, the improvements we've seen in recent years have been staggering. Much of this is the result of competition and innovation, fueled by the dozens of identity start-ups that have emerged in recent years. Not all were successful; some flared brightly and briefly but disappeared before they were able to make an impact, while others are clinging on by their fingertips and will probably be gone by the time I write another predictive article like this. But overall, the increasingly competitive nature of the IAM landscape has weeded out most of the weaker players. As I wrote last week, IAM tools have reached a maturation point where it has become difficult to cite any solution as the sole reason for a failed identity program. That certainly was not the case ten years ago, because there were numerous identity tools that simply did not work.

Nevertheless, there is still an intriguing gulf between the rapid pace at which the IAM product landscape has matured and the comparatively sluggish rate of enterprise adoption. Any vendor on the cutting edge of the IAM solution space may dispute this assertion by pointing out how many new customers they've landed in the past few years, but this is indicative of a disconnect between product vendors and buyers in how success is measured. It isn't uncommon for multiple product vendors with competing identity solutions to cite the same customer as a successful case study, even when adoption of each tool has been constrained to a small pocket of the enterprise. In fact, I recently worked with a global investment bank that owned a total of 28 identity tools, most of which had never been rolled out to a single department, even though I'm sure nearly every one of those product vendors would list that bank as a customer.

As for the predictions I made in 2011, not all of them fell short. In fact, some were pretty much on the mark—for example, widespread support for authentication standards such as SAML, a new wave of IAM vendors adopting a “cloud first” product strategy, a need to support persona-based identities in verticals such as healthcare and higher education, and the emerging use of device identities to represent all the connected “things” that would need to transact independently of human intervention. To be fair, however, most of these trends were relatively safe bets considering they were based on use cases that were already prevalent even back then.

But what I and many other IAM "experts" certainly didn’t foresee is that from the perspective of most large organizations, IAM looks much the same today as it did ten years ago. While the identity ecosystem is vibrant with innovative new product offerings, many companies are still struggling with the same elemental use cases as they were ten or fifteen years ago—user provisioning, attestations, birthright access, identity lifecycle management, single sign-on and so on. Relatively antiquated identity tools—Courion, Oracle, IBM, CA and deprecated versions of Microsoft MIM/FIM/ILM in particular—are still widely used and will likely still be around for years to come. I’ve even encountered a couple of legacy Sun/Waveset deployments in the past couple of years, and that product has been deprecated since about 2010 but still works for the companies using it.

So why are these older identity solutions still in such widespread use? Whenever I've posed this question to an enterprise customer, the response has been similar. More than ever before, IAM is having to compete for budget and resources with huge digital transformation programs such as remote workforce enablement, cloud migration and application modernization. This is forcing IT leaders to become more selective in how they allocate their financial and political capital.

Identity programs, as we all know, are expensive, labor intensive and frequently disruptive to the business. Absent a compelling business need or a demonstrable ROI, it is difficult to justify the kind of investment required of an identity transformation program simply to replace a perfectly functional IAM solution stack, no matter how outdated it is. Many companies have spent millions of dollars and thousands of person hours to adopt these solutions, and millions more on customizing them over the years to keep pace with evolving business requirements. As long as these tools remain viable, the cost and disruption involved in replacing them requires a stronger justification than technology modernization.

As I noted earlier, this doesn't necessarily mean that companies are reducing spend on identity. But there is a difference between tactical and strategic spend. Innovative and competitively priced identity tools are often purchased to address a specific tactical need and adoption is frequently limited to a particular department / line of business. Strategic identity transformation programs, on the other hand, are becoming larger and more sophisticated in nature but are increasingly driven by macro trends with board level visibility.

Much of the identity-related investment we’ve seen over the past decade has been driven by a surge of regulatory mandates that has required organizations to provide greater visibility into user access. In particular, this has fueled adoption of IGA tools such as SailPoint and Saviynt. But if the past decade has been about improving visibility into user access, the next decade will be about improving visibility into what users are doing with that access, and using this data to mitigate risk with policy-based access intelligence capabilities.

And yet... what the past decade has taught us is that the future is never quite as futuristic as we expect, and what goes around usually comes around, and… okay, I’m going to stop with the cliches now before this gets out of hand.

Last week, I wrote about how the convergence of identity, risk and data governance will shape the IAM landscape in the years to come. With convergence providing the backdrop, and the past decade providing a frame of reference for how the market is trending, here are my biggest predictions for the fun and games we're going to have between now and 2030. Based on my past track record of prognostications, I'm hoping that by then, you'll have forgotten everything I'm about to say.


Industry Consolidation

Shortly after the first wave of identity tools hit the market in the early 2000s, there was a frenzy of acquisitions once the major platform vendors of that era sensed the revenue potential of this new technology domain. For a brief period, it seemed like a new identity start-up was launching every week. During that momentary identity gold rush, many of these start-ups were gobbled up by Silicon Valley giants before they had a single customer to their name, never mind a production-ready offering.

Most of these start-ups are now long forgotten, but as the smoke cleared from that chapter, Sun Microsystems and Oracle emerged as clear leaders in the emerging IAM space, having made shrewder acquisition moves than their fellow titans. Although there were countless acquisitions during that period, only a handful would have any competitive impact. These included Sun's acquisition of Waveset and Vaau; Waveset was rebranded as Sun Identity Manager, which was to become easily the most successful and versatile identity platform of that era, and provided the technical foundation upon which SailPoint IdentityIQ was built several years later. Amongst Oracle's countless identity acquisitions was a small company called Thor Technologies, whose flagship product was to become Oracle Identity Manager and remains active to this day. CA acquired Netegrity, which for many years was considered the gold standard for enterprise Single Sign-On. And IBM acquired Access360, which was to be rebranded several times over the years and is also actively deployed in many organizations to this day. A few years later, Oracle swallowed up the brilliant but financially inept Sun Microsystems, although Sun's IAM legacy lives on in the form of companies such as SailPoint and ForgeRock.

Anyway, if you found that brief history lesson remotely interesting then please let me know, because it would be good to know that I'm not the only super-nerdy identity nerd in existence. The point I was about to make before that brief diversion down memory lane is that the IAM space is even more ripe for consolidation today than it was back then, particularly considering the flurry of start-ups that have emerged in the past few years and the enormous deployed base of today's leading identity vendors. Okta’s recent $6.5B acquisition of Auth0, the largest ever acquisition in the identity space, is likely to trigger a frenzy of M&A activity amongst other IAM product vendors seeking competitive insulation as the seemingly unstoppable Okta juggernaut rolls on.

At the other end of the IAM solution stack, SailPoint has acquired Intello, ERP Maestro, Orkus and OverwatchID in recent years. It remains to be seen how these acquisitions will enhance SailPoint's competitive positioning, but their dominance of the IGA segment doesn't appear to be in any immediate danger, even with Saviynt nipping at their heels and Okta flexing their muscles. Even though the IGA landscape has become much more competitive in recent years, this is a space that SailPoint essentially invented. During the several years in which they enjoyed relatively uncontested dominance of the IGA market, SailPoint established such a formidable deployed base in large enterprises that it is hard to imagine anybody displacing them for many years to come. IGA adoption follows a much longer and pricier cycle than the Access Management space in which Okta plays. That said, SailPoint will face stiffer competition from the likes of Saviynt, Omada and One Identity in areas such as the mid-market, less highly regulated industry verticals, and competitive scenarios involving cloud-only customers.

Microsoft is rumored to be investing billions of dollars in enhancing their own identity stack as part of their E3/E5 suite, and despite their uneven track record in the identity space, this is not your father's Microsoft. In recent years, they have demonstrated an impressive ability to innovate, execute and quickly bring new enterprise offerings to market. I've always suspected that if Microsoft ever decided to get serious about enterprise identity, they would be formidable, and based on everything we're hearing out of Redmond, they are quietly preparing to adopt a full-stack strategy.

Speaking of ability to execute, I would also keep a very close eye on ServiceNow, whose execution culture is simply breathtaking, as demonstrated by their astounding success in the GRC/IRM space over the past couple of years. Their ability to quickly and flawlessly bring new offerings to market, and to do so with such consistency, is why it has taken them little over a decade to establish such a ubiquitous presence in the enterprise. There are obvious areas of functional overlap between ServiceNow's flagship ITSM solution and several IGA use cases such as self-service access request/approval processes. One of the more interesting identity start-ups in recent years has been Clear Skye, who have demonstrated the feasibility of building other key IGA capabilities on the ServiceNow platform. Intentionally or not, Clear Skye has effectively carved a path for ServiceNow to make a serious IGA play. With their growing footprint in the GRC/IRM space, they are perfectly positioned to capitalize upon the convergence of identity and risk that will become a key aspect of zero trust adoption, since the relationships they have already established with enterprise risk executives will give them a key advantage over most other identity vendors.

This convergence will also drive closer alignment of identity and data governance, with risk providing the connective tissue between these traditionally siloed domains. This bodes well for any vendor who can weave a coherent story around their ability to tie access risk to data risk classification and sensitivity.

Which brings us full circle to Microsoft.

If all of these trends play out as expected, there will be far fewer pure-play identity start-ups in 2030 than there are today, and the industry will return to an era of full-stack dominance as IAM capabilities become increasingly commoditized and intertwined. The big question is what this will mean for buyers. There will certainly be fewer choices than there are today, but the optimist in me is hopeful that the return of full stack solutions will result in simpler and more seamless product integrations that will in turn reduce the cost and complexity of adoption.


No-Code IAM Solutions

This has been a pet obsession of mine for more than a decade now, and I’m stubbornly doubling down on it given the trend towards broader adoption of no-code solutions in the enterprise.

One of the biggest impediments to the adoption of enterprise identity solutions has always been the need for highly specialized skillsets and the prohibitive cost of those skillsets due to the complexity of many identity solutions and the use cases they are required to address. Depending on the product and the customer requirements, it’s not uncommon for a Phase One implementation to cost up to five times as much in specialized consulting services as it does in licensing.

Now don’t get me wrong. I’ve made a good living from leading and performing large implementations for clients over the years, but the non-technical aspects of identity transformation are challenging enough without having to account for the formidable complexity of the enabling solutions themselves. Frankly, I would rather my clients be successful than exhausted. In this day and age, there is no valid reason for having to create a heap of integration code and business logic simply to deploy an identity solution.

We are already seeing a trend towards a no-code model in the identity solutions space. SecZetta, Clear Skye and Okta are just a few examples of vendors who are making no-code a core aspect of their value proposition today. Given the prohibitive cost of implementation services for identity transformation programs, no-code adoption will become a key competitive differentiator for IAM vendors over the next several years. Or at least for the vendors who actually manage to pull it off.


Skynet-Driven Identity

I’m sorry, but it’s impossible for me to talk about bots without managing to squeeze in a nerdy sci-fi reference. And if the day ever comes when I launch my own identity offering, there’s a better than even chance that it will be called Skynet or WOPR (and if you’re too young to know what WOPR is, check it out—I promise you won’t be sorry).

The first time I heard somebody suggest RPA (Robotic Process Automation) as a viable alternative to the provisioning connectors we know and love for user access management, I was admittedly skeptical. What could a bot do that a good old-fashioned provisioning connector could not?

Well, quite a lot as it turns out.

In an ideal world, every enterprise system would have a standard API for both ingesting and provisioning user accounts and entitlements. But realistically, this is an absurd fantasy. Even a mid-sized enterprise typically has dozens of legacy applications that do not provide a simple means of automating account and entitlement provisioning, and in many cases those applications are not going anywhere anytime soon. Of course, it’s usually possible to create custom connectors for most homegrown and proprietary applications, but this brings us back to the need for expensive consultants who have highly specialized expertise in each identity product’s connector architecture.

Because most manual provisioning processes are highly repeatable in nature, they are natural candidates for RPA, which provides a relatively cheap and efficient middle ground between ticket-driven provisioning and connector-based automation. Bots are less likely than humans to make mistakes when provisioning access, are less intrusive than native provisioning connectors that need to be integrated directly with business applications, and do not require the highly priced resources with specialized training that are typically needed to build custom provisioning connectors. For those organizations that are already adopting RPA for commoditized workloads, bot configuration is a skillset that already exists in-house.

Convergence of Identity, Risk, Data Governance and a bunch of other stuff

Okay, this is the part where I get on my high horse, ride it to the biggest soapbox I can find, grab a bullhorn and shriek like a crazy person (even more than I usually do). Without revisiting the ground that I covered in last week’s blog, let me just sum it up this way—the next generation of identity architectures need to do a better job of supporting risk-based policy enforcement and demonstrate a more sophisticated awareness of data sensitivity. Or, put more bluntly, identity can no longer exist in a vacuum as it does today.

This is what I broadly describe as the identity “singularity”. Forget about identity becoming the new perimeter (and I promise, this is the last time I will use “that” phrase). Let’s think about the notion of identity in a more holistic sense. Identity is now becoming so elemental to every aspect of the enterprise IT ecosystem, by 2030 it may be as ephemeral as “cloud” is today. The natural evolution of identity is that it will be everywhere and nowhere. It will become an integral aspect of the CI/CD pipeline, of data security and classification, of enterprise risk management, of incident detection and response, of microservice and API-based architectures, and ultimately a means of containing and monitoring the prolific increase in data creation and consumption.

Traditionally, we have only viewed identity as the connective tissue between a user (human or not) and the privileges they have been assigned. But in today’s transformative IT landscape, the next phase in the evolution of workforce identity will play out on a much bigger stage. If a digital identity is truly a digital representation of who we are, it isn’t enough simply to reveal what we can do. It also needs to provide meaningful and actionable insights into user activities, preferences, behavioral patterns, relationships, data generation and consumption, and contextual risk.

Yes, I know that all sounds quite Orwellian, but we are talking specifically about workforce identity, and how it needs to evolve in order to contain the explosion in access-based breaches that has coincided with the rapid growth of cloud adoption and a mobile workforce.

This is where it is critical to distinguish the concept of workforce identity from consumer identity. Cybersecurity is the inflection point at which these paths will begin to diverge; workforce identity provides a means of mitigating organizational risk, while consumer identity is typically a vehicle for monetizing personal data.

While workforce identity architectures need to become more holistic and centralized in order to contain enterprise risk, I expect (and hope) that consumer identity will trend in the opposite direction and become more decentralized. The concept of sovereign identity for private citizens will become a key aspect of returning control of identity data to the individual. The devastating breaches involving consumer data that have sadly become such a regular occurrence in recent years are only possible because organizations continue to maintain enormous consumer identity repositories.

The fact is, today’s conventional identity architectures have very little concept of user access risk, of user activity monitoring, or of data sensitivity. This is as much of an organizational limitation as it is a technology constraint. These functions are typically siloed in most large enterprises. As organizations evolve to meet the challenges of the modern risk landscape, I expect at the very least to see a major organizational shift that reflects the convergence of these domains.

Today’s CISO has far more influence and budgetary clout in the modern enterprise than was the case ten years ago, particularly in highly regulated industries. In some companies, the CISO is already a peer role to the CIO rather than a subordinate. As identity, risk and cybersecurity increasingly become topics of board level concern, there will be a growing role for a Chief Identity Officer in large organizations over the years to come.


How Can PushPop Help?

The identity landscape is changing at a faster pace than ever before, and organizations need to be prepared to adopt a completely fresh approach to IAM in today's rapidly evolving technology landscape. PushPop's vendor-agnostic range of service offerings are designed to make sure you have the right strategy, the right partners, the right technology and the right business case for long-term success.

Contact us today to schedule a free, no-obligation two hour IAM consulting workshop to discuss your current identity posture and the emerging trends in IAM that you need to be thinking about.

Christopher Adelman

Results-oriented Revenue Generation Leader | Go-To-Market Strategist | Executive Consultant

3 years

Sadly, I just read that Toby Emden has passed away. What a loss.
