The rapid adoption of mobile devices and cloud services, together with a multitude of new partnerships and customer-facing applications, has extended the identity boundary of today’s enterprise. For the extended enterprise, identity and access management (IAM) is more than just provisioning employees with the appropriate access to corporate resources and enforcing it. It’s about the ability to oversee access by a variety of populations, from employees to partners to consumers, and to protect a variety of sensitive resources (including data) that may reside on or off the organization’s premises – all while helping to protect the organization from increasingly sophisticated cybercriminals and resourceful fraudsters.
Unfortunately, legacy approaches to IAM are failing us: they can’t manage access from consumer endpoints, they don’t support rapid adoption of cloud services, they can’t provide secure data exchange across user populations, and they offer no help against emerging threats.
We at Forrester have been promulgating a Zero Trust Model of information security. It eliminates the idea of distinct trusted internal networks versus untrusted external networks, and requires security pros to verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic. Zero Trust applies effectively to identity as well. It requires security and identity pros to: 1) center on sensitive applications and data; 2) unify treatment of access channels, populations, and hosting models; and 3) prepare for interactions at Internet scale. Moving toward Zero Trust identity not only helps you improve business agility and achieve compliance – it even helps you enhance customer experience and deliver on your org’s API monetization strategy.
Doing access management with the help of cloud-based services is a pretty comfortable proposition by now. For more than a decade, we've been doing federated single sign-on to and from apps that are themselves in external domains. Looking at the recent Forrester Wave™ on enterprise cloud identity and access management, all three vendors we identified as leaders specialize in various kinds of cloud-app SSO and access control, the cloud identity 1.0 ur-scenario. (Join us tomorrow, September 20, for a client webinar to review this Wave!)
What about identity management in the cloud? It's been harder to find. Two other vendors we looked at in the Wave provide cloud interfaces to familiar on-premises provisioning solutions such as the IBM and Oracle suites. And all the vendors rely on hooking into an organization's on-premises directory as the single source of truth.
Okay, then, what about putting that single source of truth into a store with a cloud-native interface, as my colleague Andras discussed on our Security & Risk blogs recently? That’s rarer still, but the writing is on the wall. Microsoft went bold with its Windows Azure Active Directory moves, providing non-LDAP RESTful interfaces. Cool. (I’d like it to support SCIM as well, though, since you ask.)