The Second Golden Age of Identity
We are now in the second golden age of identity and access management (IAM). Mobile devices, cloud computing, social networks, Big Data, and the Internet of Things (IoT) require radically improved capabilities. They are driving rapid innovation in IAM standards, technology, and architecture. In the face of cybercrime and cyber-conflict, post-modern IAM must also address acute privacy, data protection, and data nationalism issues.
IAM is the means through which individuals and organizations manage access rights and access control for the “subjects” – persons, services, and devices – of their IT environments. IAM capabilities also operate on personal data to manage relationships between individuals as consumers or employees, organizations, and their IT artifacts.
IAM sits at the junction of our logical and physical worlds. Progress or stagnation in business and technology are bound to its evolution. However, capabilities develop unevenly over time, driven by the ebb and flow of business trends and technology breakthroughs.
The First Golden Age
Sea changes in identity management accompany progress or crisis in the larger world of IT. For example, rapid expansion of the commercial Internet in the 1990s spawned the First Golden Age of Identity – a wave of innovation and investment that brought us Lightweight Directory Access Protocol (LDAP) directories, Active Directory, advanced enterprise identity provisioning products, and early federated identity protocols by the early 2000s.
In the Security Architects Partners (SAPartners) corner of the world, the current principal consultants Dan Blum, Doug Simmons, Dan Beckett, and Doug Moench came together at different times at Burton Group (an IT advisory service) to help clients develop their IAM infrastructures. Burton Group’s consulting division grew from a team of 2 to a team of 15 over just two years, largely on the strength of IAM. Although our consulting team shrank considerably with the end of the dot-com boom, the fact that Burton Group didn’t go bankrupt was evidence that industry needs for IAM improvement were real and ongoing.
The first golden age lasted for a few more years, until approximately 2005. The result – “Enterprise Identity” – was good enough for business. Afterwards, businesses invested relatively less in IAM technology, and the pace of innovation cruised into slow motion. “Internet identity” and the “identity of things” remained unsolved and unscaled. Burton Group broadened its focus to create a Security and Risk Management Strategies service. With all relatively quiet on the IAM front, the SAPartners consultants began performing full-scale security assessments as well as developing security architectures, roadmaps, and strategies for clients.
The Second Golden Age
After 2005, the need for IAM improvement wasn’t dead, just hibernating. Privacy issues simmered. In the late 2000s, mobile devices grew increasingly popular. Users required a better user experience than passwords could offer. Organizations using cloud computing services needed scalable federation more than ever. By 2010, Facebook, Google, Flickr, and other consumer-facing sites and social networks were well into experimenting with new token-passing authorization schemes that evolved to become the OAuth 1.0 authorization standard.
Gartner acquired Burton Group in 2009, and a few years later Gartner described social, mobile, cloud, and information megatrends as a “Nexus of Forces” shaping the next generation of IT. The Second Golden Age of Identity arose out of the nexus of forces as well as three more megatrends: cybercrime, the Internet of Things (IoT), and privacy.
The Perfect Storm
The first age identity trifecta of LDAP, identity provisioning tools, and Security Assertion Markup Language (SAML) federation became increasingly inadequate (along with underlying password and shared secrets security models). IAM efforts began to accelerate once again as the industry awoke to the need to innovate its way out of the nexus.
The Second Golden Age of Identity may have started after 2010, but the level of interest, excitement, and investment is only now starting to build.
- OAuth 2.0 has provided broader scopes of authorization interoperability across diverse services, but the security and privacy of social networks and consumer-facing services remain, in general, mediocre.
- In the information analytics space, personal data has been called “the new oil.” Like its volatile petrochemical counterpart, personal data is fought over fiercely (in the digital arena).
- The movement for privacy found its cause célèbre when Edward Snowden disclosed the extent of the NSA’s anti-terrorist surveillance activities. Soon Safe Harbor was dead, and privacy regulations grew teeth in the European General Data Protection Regulation (GDPR). The GDPR threatens 4% fines on corporate revenues for privacy infractions. With these fines due to begin in less than 18 months, multinational organizations are scrambling to develop policies, technologies, and processes for compliance. User Managed Access (UMA) provides an interesting Privacy-by-Design option.
- In the mobile world, identity has given birth to new innovations, notably the FIDO Alliance UAF and U2F mobile device protocol stacks for passwordless and second-factor authentication user experiences. However, many enterprises and service providers still don’t provide a choice of seamless, high-assurance mobile user authentication options in their bring your own device (BYOD) environments.
- In the realm of cloud computing, REST-based APIs and JSON-based cryptographic syntaxes for IAM are enabling applications, scalability, and interoperability. Identity is called “the new perimeter” – battling to keep the bad guys out as well as let the good guys in. Microsoft, Okta, OneLogin, Ping Identity and others are enabling single sign on (SSO) in the cloud through their offerings in the identity as a service (IDaaS) market category.
- No vendor or standards committee has the answer – yet – for identity in the IoT.
Slowly, the industry is getting better at delivering multi-factor authentication. Technologies such as virtual directory services (VDS) and attribute-based access control (ABAC) are driving innovation for the authorization layer at the enterprise level. OpenID Connect and OAuth 2.0 improve significantly on SAML; SCIM makes federated provisioning easier. Proponents of blockchain-based technology promise that decentralized identity will be the panacea. All these developments may be necessary, but they still seem insufficient for preserving business IAM capabilities and user convenience in the face of increasing assurance and compliance demands.
A massive battle is brewing between IAM’s Internet-enabling capabilities and disjointed global compliance regulations. Will the age of GDPR fines and other cyber-conflicts bring only Balkanization, lawsuits, and crypto wars? Or, will identity become the new ambassador for Privacy by Design (PbD) that preserves business prosperity and individual choice in an open, but better protected Internet?
At SAPartners, we want to chart these future developments and point the way to positive sum outcomes. Contact us to join the conversation.