Identity Management Trends and Predictions
My Sun Microsystems colleague Dave Edstrom asked me recently to prepare a webinar entitled “Identity Management in 2010: Trends and Predictions” and present it on the weekly “Software Technical Roundtable” he co-hosts for Sun Microsystems employees and partners. Preparing for this specific event gave me just the right impetus to crystalize my thoughts on this subject, so I thank Dave for giving me the challenge. I prepared the presentation deck (in OpenOffice, of course) earlier this week and presented the webinar to about 90 people this morning via Webex/teleconference.
I can’t share everything I discussed with our restricted audience this morning, but in this blog post, I’ll briefly describe eleven major trends that I see in the industry. This is a precursor to more detailed posts I’ll author on each trend over the next several days.
First, a few caveats:
- Predictions rarely happen as quickly as we would like. For example, in 2007 I gave an Identity Trends presentation at the JavaOne conference. While some of my predictions evolved as expected, several trends have taken longer to develop. I suppose it will be the same with the trends I describe in this post.
- This presentation focuses more on business issues than technology. I did not attempt to address the trends in specific protocols or products, but chose to focus on the impact of these trends on business.
- This list of trends reflects my own opinions, which are not necessarily reflective of Sun Microsystems' official positions or product road maps.
- This presentation does not represent Oracle in any way. I have not discussed this list of trends with any Oracle people, nor could I comment on those conversations if I had.
With those caveats, here is my list of the top eleven Identity Management trends for the year ahead. I really tried to make a nice round list of ten, but I felt it made more sense to separate Authentication and Authorization into separate subjects.
- Market Maturity. The Identity Management market is maturing. Much focus is being given to best practices of how to maximize enterprises’ investment in these systems. Rather than focusing on green field Identity implementations, enterprises are concentrating on system expansion or replacement. The industry continues to consolidate, as we at Sun are well aware.
- Authentication. Demand for strong authentication is growing as enterprises and government agencies seek to deter cybercrime. While some have predicted “death of the password”, the widespread use of UserID/Password as the predominant method for authentication will most likely not go away until we see wide adoption of alternate authentication methods that are both secure and easy to use.
- Authorization. Fine grained authorization is increasingly desirable but difficult to implement. Policy management standards (e.g. XACML) are also desirable, but not in broad production. Complexity in adapting applications to take advantage of standard authorization methods will continue to delay adoption.
- Identity Assurance. Answering the question “are you really whom you claim to be?” prior to the issuance of Identity credentials continues to be a thorny problem, but is increasingly important in the ongoing battle against fraud. The Liberty Alliance Identity Assurance Framework provides a valuable industry model that defines four levels of assurance, based on confidence in the validity of asserted identities and the potential impact of errors.
- Roles and Attributes. There is a growing acceptance of role based access control in production systems. Governance of the role definition and maintenance process, linked to governance of the Identity Provisioning governance process, is essential. Enterprises are discovering that the use of roles is potentially broader than RBAC, including use of data analytics to evaluate the effectiveness of organizations. The use of attribute-based authentication is being hailed in some markets, particularly the public sector, as an alternative to RBAC. However, a blended approach may be the best solution.
- Identity Federation. In some ways, Identity Federation is a given. SAML is broadly used as a standard protocol and successful business models have been implemented. However, broader adoption is often difficult because business challenges are larger than technology challenges. Burning questions swirl around the challenges of using federation in cloud computing.
- Regulation. Government regulations (e.g. SOX, HIPAA/HITECH), which primarily address governance, security and privacy issues, will continue to expand, both on national and state/province levels. For example, the HITECH Act, which became law earlier this year, expanded HIPAA security and privacy regulations to address business partners, and added security breach notification to the national statute. At the same time, industry-driven regulations such as PCI DSS also impose stringent requirements on online merchants. In all these areas, Identity is a critical enabler for compliance.
- Personalization and Context. Personalization can enhance the value of online user experience. Both identity and context are essential for personalization. Concepts such as “persona selection” and the “purpose-driven web” focus on enriching user experience by blending identity and context.
- Identity Analytics. Advanced data analytics will bring value to many identity-based activities such as Authentication (historical “fingerprints” based on your patterns of accessing online resources), Context/Purpose (predicting preferences from your historical activity) and Auditing (who really did what when?).
- Internet Identity. Identity systems for the Internet must efficiently accommodate billions of individual Identities. User-centric or user-managed Identity technologies such as Infocard/Cardspace and OpenID are trying to address the inherent tension between security and ease-of-use requirements. Commercial Identity providers are emerging, including the likes of Facebook, Google, Yahoo, PayPal, Equifax and others, both in public and private sectors.
- Identity in the Cloud. Identity as a Service (IDaaS) is a critical foundation for Cloud Computing. A number of IDaaS companies are emerging to address this specific need. One of the main barriers to effectively implementing Identity in the cloud is the increased complexity of having to establish effective trust relationships between enterprises and service providers, while protecting the security and privacy requirements imposed by customers and regulations.
So, there is my list of eleven major trends. Your list or focus on specific topics might be different. Please let me know what you think. Please also stay tuned to my discussion of these eleven trends in future blog posts.