Kuppinger Cole just released an insightful Advisory Note: “Information Security Predictions and Recommendations 2014.”  The introduction stated:

Information Security is in constant flux. With the changing threat landscape, as well as a steary stream of new innovations, demand for Information Security solutions is both growing and re-focusing.

I like both the predictions and recommendations in this report.  Here are a few excerpts from my favorite recommendations:

Cloud IAM (Identity and Access Management)

Define an IAM strategy for dealing with all types of users, devices, and deployment models that integrates new Cloud IAM solutions and existing on-premise IAM seamlessly.

API Economy

Before entering this brave, new world of the API “Economy”, define your security concept first and invest in API Security solutions. Security can’t be an afterthought in this critical area.

IoEE (Internet of Everything and Everyone)

Before starting with IoEE, start with IoEE security. IoEE requires new security concepts, beyond traditional and limited approaches.

Ubiquitous Encryption

Encryption only helps when it is done consistently, without leaving severe gaps.

The whole paper is well worth reading.  Hopefully, this post whetted your appetite a little bit.

In a recent twitter conversation with Andre Koot, he suggested that we needed innovation in both Identity Management and Access Management.  He referred me to his blog, entitled “Let’s Kill the IAM Acroynm.”  Andre suggested:

Identity Management is a process for managing the lifecycle of identities … Access Control is a whole different ballgame …

After reading his blog, it occurred to me that he and I defined those two terms a bit differently.  I promised Andre that I would blog about it.

The diagram below shows how we at Oracle talk about the broad area of Identity and Access Management – encompassing three general areas:

1. Identity Governance is about making sure the right people are granted the right access rights and making sure the wrong ones aren’t
2. Access Management is about enforcing those access rights, within specified policy, when users attempt to access a desire application or system
3. Directory Services provides ways to control where identity information about users and accessed rights are stored.

Does this provide the right demarcation between the various functional areas?  It seems to resonate well with our customers, and provides a valuable model to aid communications.  I’d be happy to hear any feedback you have.

By the way, this diagram is more effective as a PowerPoint build slide.  Let me know and I’d be happy to send you a copy.

Please join me and other interested identerati on a live Tweet Chat  about Mobile Identity Management trends and security challenges.

Amit Jasuja, Senior Vice President, Development - Identity Management and Security Products, will host the chat via @OracleIDM.

When?  Tomorrow, March 7th, at 9:00am PST

Please use hashtag #mobileidm in your tweets.

Our last Tweet Chat  (or was it Tweet Jam?) was a great success.  Let’s make this one even better.

During the past three weeks, I have interacted with three major customers, in industries as diverse as transportation, apparel and entertainment, that had one thing clearly in common – each saw Identity and Access Management as a fundamental, critical enabler for new business models each company is pursuing.  It is all about knowing who your customers are individually, and interacting with them in a highly personalized, tailored way, in the context of their choosing.

Today I sat through a presentation that depicted IAM in the traditional context, as something that would improve compliance, increase operational efficiency and enhance security.  While these drivers are still valid, I couldn’t help but contrast those two views.

On one hand, IAM is considered to be very defensive in nature, necessary but burdensome.  On the other hand is an innovative vision that IAM is first and foremost a proactive, offensive weapon and business enabler, secondarily a protective shield.

Can you tell where I’d rather play?

One of the big questions in modern Identity and Access Management continues to be: “Is it better to choose individual point solutions and integrate them in my enterprise, or should I choose a complete IAM platform?

I recently learned of an intriguing Research Brief published by the Aberdeen Group, entitled, “IAM Integrated: Analyzing the ‘Platform’ versus ‘Point Solution’ Approach.” Aberdeen’s conclusion:

Based on more than 160 respondents from its Managing Identities and Access study (February 2011), Aberdeen’s analysis of 32 enterprises which have adopted the vendor-integrated (Platform) approach to identity and access management, and 39 organizations which have adopted the enterprise- integrated (Point Solution) approach, showed that the vendor-integrated approach correlates with the realization of significant advantages.

The most significant advantages realized by organizations adopting the Platform approach to Identity and Access Management, as compared to those adopting the Point Solution approach, include:

• Increased end-user productivity
• Reduced risk
• Increased agility
• Enhanced security and compliance
• Reduced total cost

Aberdeen’s research also confirmed the merits of a pragmatic “Crawl, Walk, Run” approach as the basic template for successful enterprise-wide initiatives involving Identity and Access Management, similar to what I have been recommending for years.

• Adopt a primary strategic focus.
• Put someone in charge.
• Prioritize security control objectives as a function of requirements for risk, audit and compliance.
• Establish consistent policies for end-user identities and end-user access to enterprise resources.
• Standardize the workflow for the IAM lifecycle, including workflow-based approval for exceptions.
• Standardize audit, analysis and reporting for IAM projects.
• Evaluate and select IAM solutions.

I have been concerned for some time that Information Technology systems in general and Identity Management systems in general have become so complex that it takes rocket scientists to understand them, implement them, and take care of them.  Because of the relative scarcity of rocket scientists, many companies become overwhelmed by the complexity of the their IAM systems and either don’t implement them correctly or reap the benefit that could be realized.

Today I stumbled across an intriguing article, Simplicity: A New Model, by Jurgen Appelo, that explored the issues of simplicity and complexity. I liked the definition of simplicity Jurgen used:

Simplicity usually relates to the burden which a thing puts on someone trying to explain or understand it. Something which is easy to understand or explain is simple, in contrast to something complicated. (Wikipedia)

But he went further, explaining simplicity and complexity with the aid of a visual model:

I encourage you to read Jurgen’s article to understand the significance of each visual image.

This made me this made think, “Is there a way to map IAM systems onto a model like this?”

I don’t know the answer, but it is an issue worth exploring.  I’ll let you know if I come up with some brilliant ideas.

Way back in September 2009 (it seems like an eternity in Identity years), I made a prediction that data analytics would begin to play a larger role in the Identity and Access Management market:

Advanced data analytics will bring value to many identity-based activities such as Authentication (historical “fingerprints” based on your patterns of accessing online resources), Context/Purpose (predicting preferences from your historical activity) and Auditing (who really did what when?).

Following my blog post this morning, Alan Norquist, CEO and founder of Veriphyr, dropped me an email which at least partially confirmed that prediction.  Alan referred me to an article by Earl Perkins of Gartner entitled, Time for Intelligence and Clarity in IAM.

A few excerpts:

Something interesting is developing in the identity and access management arena. It isn’t new– if you look closely, you’ll recognize it from countless other technologies and processes that progress to maturity. IAM is no different. What I’m seeing is the maturing of intelligence. …

One could even say that once that knowledge gets into the hands of the right people and they make actionable decisions with it, it’s no longer knowledge– it’s intelligence. …

IAM should be (among other things) about clarity. How do we make clear to the business that there is intelligence on those [IAM] logs, waiting to be mined, and that intelligence may make all the difference in their decisions? The best way is to deliver it, to provide that IAM intelligence is more knowledge for IT users to make IT users’ lives easier. IAM intelligence can be part of the business intelligence realm if properly analyzed and presented to the right audiences.

Gartner calls this “Identity and Access Intelligence.”  I am trying to get a copy of the full Gartner report on this topic.  I’ll comment more when I do.