The emerging modern identity and access management reality will be defined as cross-domain, federated, dependent on attributes and augmented with identity as a service (IDaaS).
There are five key issues in motion that are forcing changes on identity and access management (IAM) deployments, according to Ian Glazer, research vice president at Gartner, who presented his views at this week's Gartner Catalyst Conference.
Glazer outlined how current IAM infrastructures must adapt to the modern computing era and the convergence of IT, with its cloud services, devices, and dispersed user populations.
"IAM in the modern era has all this movement that surrounds it," Glazer said. "The apps are moving to other domains, the users, the devices, the IAM infrastructure and even some of the domains themselves."
Glazer's five forces are: applications are moving out of the core IT domain and into domains of their own (e.g. cloud services); user populations are being segmented in new ways (retirees, for example) and managed from both internal and external domains; devices are no longer assumed to be part of the core IT domain; companies are taking IAM infrastructure out of the core and moving it into its own infrastructure; and single-domain IT structures are being partitioned for legal, merger-and-acquisition or operational reasons.
"This is the modern era that IAM professionals have to work in," Glazer said.
He said the defining characteristics of modern-era IAM will include federation that is everywhere and mandatory; access control that takes on a risk-based focus; provisioning that is "craftier" in order to keep up with the cross-domain environment; identity and access governance tools that assume an expanded role; and directories that take on new tasks as the underpinning of the API Economy.
Glazer said differentiation between IAM products will begin to blur, and that IAM services will be re-combined in ways that were not originally intended. He said signaling across domains for IAM events, such as setting policy, will become a key problem to solve.
"I think the answer will come to us from another discipline," said Glazer. "Something like PubSubHubbub or another federated protocol that can signal across domains."
Glazer also said the industry will need to build federation-aware applications that know nothing about identity. "They will be wholly dependent on external identity services." He also said those applications will need to "consume the freshest [identity] attributes when they are needed."
Given these needs, a focus on these event transactions will be key to the success of identity in the modern computing era. "We will have to get comfortable deploying multiple identity services not as a standard package but as an à la carte menu," he said.
Another need in this modern era will be looping developers into the identity equation, with ready-baked code, SDKs and usage patterns they can drop into their code to make their work identity-ready.
In addition, there will be changes in the "Join, Move, Leave" lifecycle of a user's stay within a company or organization.
Glazer said one logical place to start might be identity as a service. He did not say everything would move to the cloud, but in some use cases, such as the need to signal events across domains, the cloud might make sense. "I do believe you will get advantages by deploying IDaaS in some situations from now on," he said.
Another change focuses on attribute access control because attributes will need to be distributed in any and every way possible. "Dust off your virtual directories, dust off your meta-directories, they are back and they are back in a big way," said Glazer. "We will have to build RESTful-based attribute services. We have to."
Glazer said attributes are so important because they will be the "grist for the so-called API Economy."
Glazer closed with seven recommendations for IAM architects: address identity quality issues; extend governance capabilities to attributes; embrace federation; deploy flexible federation services such as SAML, OAuth 2 and OpenID Connect; mind the gap between federation and identity and access governance; incorporate risk management into IAM deployments; and push for standards.
"2013 is the year of the identity standards," Glazer said. "We have to push service providers and do it hard. There is a lot of richness in the existing standards. There is an amazing amount of things I can do in SAML."
"It is against all this backdrop that we have to deploy IAM services, and service the life cycle and service all the constituents," said Glazer. "This is a challenge, but it is an achievable one."