CRN roundtable: identity management today

How to establish boundaries and definitions in a mobile world.

CRN recently chaired a fascinating and lively discussion with industry experts on the challenges of establishing effective identity management in today’s increasingly mobile and boundless corporate environment.

But, as the panel discovered, IDM means different things to different people, and one of the more pressing issues for companies involved in this space is to establish meaningful parameters and definitions, so as to help organisations better understand their vulnerabilities as well as the opportunities to improve organisational processes and increase efficiency.

A key theme, of course, is mobility, as organisations try to manage the expectations of staff while ensuring that the right policies are in place to strike a balance between freedom and controls. Not only are staff demanding to bring their own devices, they are also now in effect bringing their own identities.

Our panellists also shared some interesting experiences about the relative advantages of deploying identity management solutions at greenfields or legacy sites, while the cloud of course provided an interesting side bar, especially in terms of its potential to help smaller companies develop more cost effective identity management solutions.

Speakers: 

Michael Tuton, executive consultant, CGI

Richard Watson, sales director, Oracle A/NZ

Reno Maglitto, identity channel manager, Oracle A/NZ

Craig Maurel, national sales manager, Directory Concepts

Gabriel Haythornthwaite, joint managing director, Redcore

David Walker, Oracle solutions manager, ASG Group

Mark Sammut, practice director, Redcore

John Jones, director, Qubit Consulting


CRN: So Richard, this matter of IDM meaning so many different things to different people. Paint a picture of the current state of the industry for us and explain how companies should think about proceeding.

Richard: IDM is just getting more and more complex. There are drivers around mobility but also governance is a really big driver, information location, information storage. In terms of location, it’s not only about your own application access, but accessing third parties.

If we look at information and information security and identity management from the inside, we start with storage and location of that data and then access to it, and access to it from anywhere anyhow.  And when you start asking questions about how to do that, the discussion becomes very, very interesting.

CRN: It’s interesting to consider the mobility challenge and the experiences of customers given that mobility has come upon us so quickly. Banks in particular have been quick off the mark, rolling out banking applications for portable devices and facing all the identity and security challenges that accompany something like that.

Richard: Yes, I think banking and finance has been a leader because they’ve been trying to offload costs for the last 15 or 20 years out of branch networking to the online world, and what we’re seeing now is a lot of catch-up where everyone needs to deal with the value via mobile and internet channels.

So the combination of both is really driving the market to actually deliver more valuable content. And there's now a need for high degrees of security associated with ensuring the integrity of not only data content, but of who is accessing it.

Reno: I think what’s interesting is that the ability to be able to push out in the environment through a mobile device is relatively easy. I think line-of-business would see it as something they can now control, without having to incorporate security – their own security divisions – into that effort.  Of course they have to work towards controls and some governance in what they do, but I think most marketing departments, or lines of business, would have their own plans on how they can leverage or how they can plan to leverage mobility.

The question for all of us here is ‘are we seeing this with our customers?’ Are we seeing that we’re changing who we now need to talk to regarding mobility and security and compliance? Is that something that people are seeing? A change in the market in the people that we talk to?

John: We certainly have customers who are doing mobile. To date they’ve used custom solutions, cobbled on top of the older product range, but they’re certainly interested in going to [Oracle] R2 and leveraging all the newer stuff from R2. And we also find this is common with the guys thinking it’s not easy, and getting into the organisation is not quite so straightforward, but yes, there is a huge interest in mobile apps for sure, and social media integration as well.

Reno: So John what are some of the key difficulties that you’ve encountered with deploying mobile solutions?

John: One of the key ones from the mobile app itself is tapping into the back-end systems and making sure that they’ve got access to the right sorts of things, you know, through web services or whatever.

Quite often they’re presented through a portal of some sort with this wall of information, but there’s no convenient deployment behind that necessarily. So they need to do that to begin with and then having it secure, so there’s other challenges. There are people at that top end on mobile phones, so there’s that whole persistence thing, ‘remember me’ and on the local asset switch again is app management and ERP management and making sure the device itself is authorised to hold the API. So there’s another level of security there for sure.

CRN: Is it something that’s complex to charge and bill your customers for?

John: No, not really. From the organisations that we know are doing it, they don’t necessarily charge for the exercise. There are some things to help paying customers I guess, but it’s just adding some emphasis on top. It’s another way of getting the information of the sorts of things that you might want to. More and more people are using mobile devices for that sort of thing, rather than the web anyway. Unless they do it they can fall behind.

David: I think that we’re getting customers coming from a number of different and sometimes surprising angles with requirements for mobility. We are working with an education body, and they want to simplify everything. We were thinking in terms of giving parents a better way to tell the school that their kids are sick or whatever. 

Currently they can SMS, email or call through the CRM channels, but what we found was that schools and parents don’t want to do that. They want to get on the iPhone app, so you know they’re ahead of us.

CRN: Reno, you recently noted a rather startling statistic from Trend Micro, which states that 40 percent of organisations that have initiated BYOD policies have had some kind of security breach.  That’s quite astounding.

Reno: It is really. I think the IT department is playing catch-up with the actual business leading the charge in terms of how people now wish to consume IT.

This is the opportunity for partners to go in and make the environments more secure. The question for the partners here is ‘are we seeing mobility show up more in risk reviews in areas where people have failed particular audit reviews?’

Gabriel: I think certainly that our clients are aware of it as a risk factor. I haven’t personally seen any breaches due to the inappropriate adoption of mobility solutions, but I think if you look at our clients, the drivers there are simply that it has gone from something that it would be nice to have, to something which is a must-have.

Initially people thought of it as something we just do to appease Gen Y, we’ve got to adopt it, because that’s what some of our younger, trendier customers are doing. But they’re saying out there ‘we actually need this for our business transactions’. It’s a must-have and everyone wants to have a solution. 

Even in federal government we have done some more in that sector and I think that adoption there is primarily about bringing transactions online that were simply not online before. In my experience it’s been a big driver to uptake.

Reno: I think the challenge that we’re going to be faced with is like the access control that we should have had in the 90s where, when people were developing an application, they would invent security controls within the app. I think it’s the same with mobility. As people are working on their mobility strategy, we don’t want them to be building their own security strategy for that particular part of the business, or that particular project.  I think we need to guide them down the path of plugging in to the enterprise strategy.

Richard: The abstracted security outside your standard applications stack, or your network stack, or your active directory stack, is critical.

Mobility will only work if you can leverage the same understanding and same profile and mission base of your individual users, whether they be internal users or external users – being able to manage them in an online world is becoming more and more difficult. Unless you actually can build policy and structure around that, you will never be able to deliver the valuable content that you need.

Unless you’ve got the ability to actually understand the context of the user, or the customer, who they are, where they’re coming from, what their commission structure is, what value they have to you as a customer, you’re on the wrong track.

Talking about David’s example in education, whether they be students, a staff member, or combination of all, that is becoming really important, but also at the same time, really challenging for organisations to be able to deliver high value content.

Reno: John Jones, are you seeing your clients managing identity in that mobility space a little differently to how they’re managing identities for the rest of the corporation? Are we starting to see pockets of unique management types just for the mobility space?

John: Yes. People have different target customer bases depending on financial institutions, or telco or whatever it happens to be. They’ll have apps that are targeting specific subsets of the communities for users. They don’t want to put everything you can possibly do under the one app necessarily, so they are certainly thinking that here is a functionality that they want for convenience and also to take the pressure off their help desk or service reps.

David: So things like how they manage the users in their directory, and for vision and deeper vision, and just for basic identity management principles that we touch every day, are they being incorporated into the mobility parts of the business?

John: I’d say so. I mean most organisations move so slowly anyway. They just latch on to the lowest common denominator.

The security question is an interesting one though. I recently saw a customer do penetration testing for the first time with mobile apps. I think there was a trigger point there where it was a new thing for us to do and so they were told there might be a risk, and I’ve never seen them test their website.

But as soon as they raised the mobile app, the first thing that they wanted to do, because it was new and it was going to hit a big market was to do that. So I do see them driving more security testing. 

Mark: We do quite a few things in the security industry generally, including security services for a couple of big banks. We get involved with their risk assessments and we’re starting to see small signs of mobility coming out, however it’s a pretty unsure market.

A long time ago there was a big move amongst the middle-tier companies whereby their applications were developed and managed according to different policy layers. I think we are seeing security starting to evolve in the same way. You manage it at a layer with policy and you have different policies for mobile and applications. I think we’re starting to see that. It’s slow going but I think that in probably the next two years we’ll be starting to see risk assessments coming out.

Now most major banks do penetration testing with absolutely everything. Now it’s the tiers outside that and below that, outside the financial sectors that don’t do that kind of thing - so I think risk will drive better security around it as well.

BYOD is of course driving this. Look at Qantas. Rather than provisioning people with laptops, they’re actually giving staff an allowance. That’s in line with what I see on Facebook and the social networks.

It’s about the person and people like to do whatever they want to do, and so I think that companies probably prefer to give an allowance anyway.

That’s where it’s going to get a big push in the next few years. We will see more devices with no SOE (standard operating environment) on them at all.

So, how security, and identity especially, is dealt with in that case is really important, and that’s probably going to force a lot more change than just risk itself.

Reno: De-perimeterisation is really a huge driver. If there’s no perimeter, what do you do? The key thing is to protect the information, and focus on the controls, the governance around the information itself, and then the second part is know who’s accessing it and build your governance around who they are and what they can do.

Mark: It’s a simple concept that’s so complex when you’re dealing outside a greenfields environment. But even in greenfields environments – say for large national infrastructure projects – you’re often still dealing with legacy thinking, legacy concepts and so forth.

But the key tenet is if there’s no perimeter and people can use whatever device, whatever access point they want, it really doesn’t matter. The key thing that you as an organisation need to focus on is the information itself because that’s your IP, whether it be banking transactions or education content, when you are delivering courses and creating courses, and if you’ve got a security structure around that, ‘who are they?’, and ‘who are your constituents?’ and ‘what can they do?’

It really becomes that simple. If you start focusing on who are they and what can they do, you start to appreciate the security necessity of identity, but also the apps that would deliver business value.

Reno: Michael, have you found it easier to bring value to that client around buying a security policy and governance and solutions? Because actually most of the customers we have that have been in business for many years would say that there is a level of complexity in adopting these technologies, because they’ve got a lot of old systems, and a lot of old processors, but where you’ve got a large account that is greenfield, have you found it easier to do a lot of the things that we’ve been talking about?

Michael: Not necessarily. When it comes to the legacy systems, there is a set of well-defined boundaries and systems that are already employed and people within the organisation have a clear understanding of how they use those systems. 

Within the greenfields environment we found that this becomes a lot more complex, because you’re faced with something that’s brand new. People have certain ideas about how they would like to change things outside say brownfields environments, when it comes to greenfield it’s all brand new, and typically you need to create something very fast in a short period of time.

There’s still a legacy thinking that people need those limits to build up with their solutions and all that they operate. The challenge was that we try and break away from that legacy thinking and not just create legacy systems which then we have to fix later, using typical legacy improvement models.  What we have found is that the systems end up going down that legacy path, so we then have something somewhere in the middle.

Reno: We’re seeing some examples of that in the finance sector where an established bank will launch a new banking environment. Are we seeing the bank is leveraging the old processes or security frameworks that they’ve got as a vehicle for that, as an enabler for the launch of the new environment or are they developing new policies and new security systems as a component of that new business that they’re building?

Gabriel: No, I think, is the short answer. In a lot of instances they do use the existing infrastructure, the existing frameworks, the existing mechanisms to actually prove people are who they are, and give them the entitlement of what they want to do.

Equally I think people are starting to adopt very radically different approaches to proving who people are and there’s a lot of opportunity, particularly I think in the social media, and whether they’re effectively allowing payments through Facebook accounts or email addresses, that kind of thing.

It opens a lot of doors in terms of how you establish who somebody is, who they claim to be and what people should be allowed to do within a given set and range of transactions. And so I think as professionals in this area, we need to move with the times, and effectively be aware that there are far better ways than say asking people for their date of birth.

Richard: That is an interesting point regarding the legacy thinking about identity management, you know the on-boarding, off-boarding, the actual life cycle of an identity. Gabriel one of the things that you raised regarding the next level of interaction is that you need to have a relationship with third party users. How is the old 100-point check? How important does that become to engendering confidence in that identity?

Gabriel: In government it takes a little while for the thinking to shift, but with corporate clients, I think they’re probably adopting faster. We have one client who deals with a lot of members of the general public, and they had a risk assessment done around basically their password system, and the passwords came up as ‘not terribly well controlled – need to do something about it’.

We suggested just getting rid of the password, you don’t need it. Now that was a bit too radical for them, and they said ‘how can we actually do that?’

The reality is that you can use things like their Facebook Account – other attributes of their identity – to get a much stronger profile of who they actually are on a recurring basis if you think a little bit out of the conventional square of the 100-point check.

Michael: If we take a look at identity management now, to identity management 15 years ago, it hasn’t really changed as far as computing goes. Identity, in my opinion, underpins everything relating to the computer – absolutely everything you do.

If you are in a discussion nowadays and talking about cloud regardless of the type of software service, security comes up forefront of those discussions, whereas previously it wasn’t brought up until much later in the cycle.

But if you look at the solutions that were put in place five or 10 years ago, they were all very based around the double-directory or single directory or domain within the organisation – so that was primarily where the identity was. 

So you look at the banks 10 years ago, they were putting in identity management solutions because people wanted to do their banking from home, branches weren’t open all that often, and the convenience of working from home is pretty good. So it forced the banks to look beyond their own domain and they needed to start accepting credentials and identities from beyond that domain.

Today if you take that concept and scale it out dramatically, you have the BYO of our own devices. Those devices aren’t configured in any one domain. They’re distributed across multiple domains, so the deperimeterisation that Richard mentioned earlier and the BYOD is what’s driving this dramatically. Organisations just can’t sit back and go ‘we have active directory, everything authenticates to that, then we have identity management’.

So the concepts of the multiple domain and the multiple perimeters in identity management are the same.

Richard: Michael spoke earlier about how security was always an afterthought in a project. Customers say ‘yes we want to deliver this outcome, this is great, the business is driving it, we want to generate more revenue, and bring on more clients and then we’ll talk about security’, or then we’ll talk about how they access the information, the identity management.

You spoke earlier about how you’re seeing security now leading the discussion in projects because the discussion’s not about just delivering new services, it’s about how they do it, and do you see much opportunity from your business in how to help your clients in that dialogue?

Michael: Yes, absolutely. One part of it is that there’s a mindset when it comes to security and risk that when you talk to the security risk people they’re only going to tell you what you can’t do. The business doesn’t want to hear about what it can’t do. Security and risk, and it goes largely into the minds of the security and risk people as a generalisation – were there just for the business and to help the business understand what they can do. 

Gabriel: We find there’s radical differences between one organisation and the next. I think a lot of organisations have security groups that are very much stuck in the old world of thinking, but their role is really that of a policeman, and they’re there to say ‘no’ and to issue fines, slap people on the wrist and basically prevent them damaging themselves.

The opposite extreme I guess is we have one client whose security risk motto is to ‘embrace risk to create value’. I really love that. Your role is to effectively allow them to do things they couldn’t do yesterday, and so if you adopt that mindset you end up with a very different set of conclusions.

Mark: What I’m getting around the table is that awareness is very important for effective ID. It’s not just about looking at old drivers like risk.

We need to be getting out there to organisations and doing some education sessions around the responsibilities of people as corporate citizens in a social landscape. I think that’s going to be more understood over the next five years as people start to access more from their mobiles.

The individuals, all they want to do is get on, do their activities, do their transactions and get off.  It’s as simple as that, and they want control of that. If they move from location A to location B, they want to be able to change it. So usability is going to drive a lot. I think that’s going to be largely dictated by consumers. But making sure the identity is safe is really the responsibility of an organisation I think.

So I think it’s about education and getting in with the respective clients and starting to chat with them about why do you manage identity. This is going to the point where it’s not just about vigilance and assistance. It’s about making sure that customer A can do what they need to do.

Reno: That’s interesting Mark, you’re talking about a single view of the identity and you carry that around. With cloud and now people are touching everything, different environments and different applications, different interpretations, geographies, I see that as bringing a whole lot more complexity to that single view.

Mark: Well it is. You can take it one step higher up. I am the owner of my identity and it’s how I choose to engage with the government, with the vendors of my choice. It’s all going to be based upon the experience that I want to obtain. The customer experience is driving a lot of these challenges to catch up and deliver on the optimum customer experience. It’s all about optimising the engagement and enablement.

And it’s not just engagement, but two-way enablement of our customers. It’s becoming more and more powerful as a tool, you know my Facebook credential, my LinkedIn credential being used to connect to the bank.  Who would have thought of that five years ago or even two years ago? But if that’s the case, as a bank, how am I going to manage that?

Role-based access is something that organisations have been trying to do for a long time and invariably most people have failed at it.

There is a bank we’re trying to help now with theirs. What emerged in 2006/07 when the bank went public in the US and we had to comply with SOX, one of the drivers there was the desire for a control framework to revalidate the users.

The approach they took at the time, which was just an IT legacy approach, was to go from the application and get application owners to revalidate endpoint users. IT has traditionally controlled IDM and always seemed to play a part in it, but I think that’s going to change.

You are going to have people in legal getting control of it and HR and all that sort of thing. This was an example when we walked in they were doing that and we had a disgruntled workforce from people doing the testing to right through to the application owners, because of the sheer work load involved.

So we scrapped everything and we went back to basics. We went back to business processing. We interviewed the business, from tellers to the CEO, and figured out it was like a family tree structure.  That’s how identity is too. So the individual who is the individual, does he understand what they need access to? Now my parents they know what’s best for me, and they know what I need to get by, so they can attest, and that goes right up the tree to here.

We made that business process and they’re now on to their seventh year of doing this access re-evaluation quite successfully.

Understanding what everyone does and their identities and separation of that is important, and I think that’s exactly what identity is going to be. You are going to have to go to your client and interview them for a second touch, which is the internal guys, which is the front guys, which is the sales guys.

Mapping the roles within an organisation and looking at it from an application point of view as well, is probably key.

Michael: So we’re talking about BYOD, bring your own device access to my phone, my tablet, my banking accounts, I can access and provide authentication to my bank. I can do what I like within reason with my accounts.  Are we starting to talk about on the back of that BYOI, bring your own identity?

Mark: I think it’s just common sense.

Michael: If we look at ‘bring your own identity’, what we’re talking about then is the individual owning their own identity, where my identity resides. I may well have multiple identities depending on how I want to be perceived across different organisations – but let’s say I want to do my online banking.

I may want to do that via Facebook or Google or Twitter. That’s my choice and where my identity wants to reside. That is my identity provider, and then the banks will consume that identity. So within the context of that bank, my roles are then attached to it. IDM is just getting more and more complex.   You think identity, identity is owned by me and then I can determine what access the bank has to my entitlements.

Gabriel: I think certainly we need to move towards a world where it’s ‘bring your own proof of identity’ in effect, because increasingly now it’s not just a password you use to authenticate yourself, it’s something that can be stored on your mobile phone. Effectively you have something you know, the phone and the actual password, which gives you much stronger authentication anyway.  But anyway our clients need to be in a position where they can adapt to effectively prove and use those technologies to better establish someone’s identity.

Reno: With government, especially in the health sector, we’re starting to see one identity across government is forming around things like PCEHR and stuff we do and so I think over time we are maybe going to revisit the national identity card concept. I think it’s just naturally evolving in these cross-government things, and assuming identities of service is something else that’s also evolving, things like Facebook, Twitter and LinkedIn, and assuming your authentication authorisation of those things and then using it.

Richard: Picking up what Gabriel was saying, if we don’t coin the term ‘bring your own identity’ – organisations are going to be tasked with developing the frameworks to be able to consume identifiers that sealed a profile of identity integrity. So it’s not actually whether it’s a Facebook ID, or LinkedIn ID or Twitter, there’s actually an organisation’s ability to consume that to build a valid profile of an identity to be able to develop a level of evidence – it’s evidence and integrity if you like, that 100-point check.

Michael: And I believe that’s been the challenge of organisations over the years; the integrity of that identity. Previously large-scale identity management solutions, you know where federated single sign-on was born out of large organisations that internally you would pass that identity around and end up distributed globally. We needed to ensure the integrity of that identity. It’s now on a global scale, where people are under licence. 

So organisations need to consume that identity in a way that maintains its integrity to that organisation, but still deliver on the customer experience. I think the linkage between the integrity and the customer experience is paramount and where all the investment’s going to be.

If you look at PCEHR, for instance, the electronic health records, that has been programmed, the government has been undertaking it for a number of years. It’s only in the last two years they’ve applied the PC, the ‘personally controlled’ side of it, so it’s just bringing those two elements together. The next question is how do you extend that across government or how do you bring that integrity?

John: The shift to bring your own identity is also a shift in the legal framework, because if you’re saying that the level of assurance that you need is your responsibility, today the level of assurance is imposed by the organisation itself. They are saying ‘we’ll own the identity and we’ll have a level of assurance to get access to certain information’. But if you turn that around and say the individuals own the identity and it’s up to them for the level of assurance, then there’s a legal shift there.

Richard: Is the onus on the individual or still a risk management decision for the company?

John: Until the organisation actually relinquishes control on the level of assurance and says ‘it’s your responsibility’ then they still own the identity in their organisation really. If they say ‘okay we are going to turn it inside out and it’s up to you, and if you want to use Facebook, that’s fine, there’s a high risk profile, but if you want to use something that’s more secure that’s up to you’.

But your burden of risk then shifts from the organisation through the medium you took. There are major implications to doing that. Although people go ‘I’ll log in using Facebook’ you usually end up with a level of access that requires a lot of risk profile basically.

Richard: Yes, but you can have something that goes ‘okay I’m a uni student and I can see my timetable’, because it knows who I am. Or it knows that I’m a prepay customer. It can give me things but it doesn’t mean that necessarily I can get access to my billing account or something.

But it knows who I am to the point of being able to have a useful interaction with it. The question is whether those legal implications actually exist or not, because it’s still a business decision to what level of credential integrity they’re willing to accept for what content delivery or transaction value.

John: All they’re going to do is say ‘here’s a list of providers that we can talk to on Facebook and a bunch of other ones really’. But that’s really not releasing the identity. It’s just kind of going ‘okay we know who you are, but we still own the identity’.

Richard: Back again to the 100-point check, instead of turning up to the bank with a photocopy of your bank, passport and driver’s licence and so on, and doing a face-to-face proof, there’s a move into online verification, identity verification, which actually achieves the same result. 

The integrity of the 100-point check is still there. The banks can rely on it; therefore they can transact and deliver value.  If that’s the case, if that capability is available, doesn’t it still apply that the organisation has access to be able to consume that, as well?

John: It depends on the identity. I have a Facebook account. You can look me up as John Jones within the organisation and do a 100-point check. But whether or not I’m actually that person on Facebook is a different thing altogether. So Facebook has addressed this with organisations in the last year or so as more have moved to create their own Facebook pages. It’s only more recently they’ve gone and actually provided visibility of the index file, so now anyone can make anything.

Gabriel: I think we shouldn’t confuse two concepts here. There’s basically the matter of how you establish somebody’s identity in the first place, and I think that’s what Richard is talking about here with the 100-point check. What they’re doing there is accessing things like births and deaths records, to establish that a person of that name does exist and looking at other factors to identify. 

That’s how you establish them upfront, but then it’s how you actually continue to prove their identity on an ongoing basis, and to me that’s where there’s far more opportunity to adopt new and emerging technologies – things like the actual phone and other things they bring along to the party to say ‘here I want you to use this to prove I am who I am in future – I’ve established here now that I am who I am and this is how I want to be identified in future’.

Richard: It’s a good point.  How much of a market is there for consulting organisations like yours to deliver that to customers, deliver that thought leadership to customers?

Gabriel: I find myself in discussions around that all the time. I think it’s very instrumental for the business we’re in.

Mark: Because we’re at the start of that movement, I think we need to move towards a different way of looking at identity and access, because they’re two different things. 

There’s going to be quite a bit of opportunity over the next three years for organisations such as us to go in and hand-hold organisations and guide them through. Where those conversations lie or shift from the traditional technology chat, which is ‘come and play’ for a lot of technology companies, we’ll see more engagement with legal teams and talking with the business front and talking with HR.

CRN: The conversation’s been weighted very heavily around actual security and compliance and all these strategies for risk mitigation, but what about the productivity and efficiency benefits that can flow from an intelligently thought out and deployed IDM strategy? Presumably this is the harder part of the sell?

Mark: Yes, particularly when you’re talking about smaller businesses. So my history is not from technology and info security. It’s from service management, so I set up service desks and IT teams.

One of the biggest drivers for investment in security solutions was the challenge of resetting passwords in call centres. And it still hasn’t changed with all the technology that comes through. There’s an enormous amount of money spent on supporting identities. This is due to a cold-hard fact about business. It’s about retaining customers.

The more time staff are on the phone to a call centre, the less time they are generating new business. So getting ‘high-end’ organised and having the 100-point check is an enormous productivity challenge.

Richard: The biggest thing from our experience probably in the last three years, our largest growth in our business, with 50 percent plus year-on-year growth over the last three years, has absolutely been productivity and delivering.

The money is coming from the project; it’s absolutely where the ROI is. The biggest drivers in terms of ROI are customer acquisition and retention, and identity goes to the heart of that through customer experience, meeting customer expectations, exceeding customer expectations and product service delivery. So we’re seeing a huge amount of new money and continued investment. It’s not just a stand-up project to try and resolve this, it’s about continuous investment. 

David: So Richard presumably a large part of customer spend is within the firewall? Or is it outside? Are people spending it in their own domains? 

Richard: Our experience over the last couple of years has been two-thirds, one-third. One third around governance, provisioning, what I call the plumbing – on-boarding, off-boarding, business process. It’s maturing in terms of governance and gestation onboarding and offboarding, especially around applications.

That segment has been growing at an industry average of 15 to 20 percent year-on-year, but our biggest growth is actually in online. I call it online – both internal and external – because of the de-perimeterisation, the blurring of the lines.

I was sitting with the CTO of a telco last week. His major questions concerned his two key constituents: ex-customers and internal. He said ‘I don’t care anymore. They are the same. They are constituents. They are people and identities that I need to work and deliver products and services to’.

They may have different drivers, but from an internal perspective, the products and services being given by the business and productivity in that employee pool, products and services to deliver a new capability and revenue streams and jump on board, before being wiped out by your competitors in speed to market, it’s the same.

CRN: Are partners around the table here seeing exciting opportunities for small businesses with regard to marketing and deploying IDM solutions? Presumably in the enterprise and mid-tier companies there’s a reasonable understanding about IDM, but what are you experiencing further down the chain?

Mark: We are seeing some opportunities. However, at the moment the cost of an ID is prohibitive. So for SMBs to do that, a key option is ID as a service (IDaaS) where they can release that cost, and make it just an item on their ledger. 

Reno: Do you think there’s an opportunity for all of us here to look at providing Identity as a Service, or doing more of managed services, where the client still owns the infrastructure, but where our task is the responsibility of managing the infrastructure? Do you see that as a vehicle for getting into mid-market and smaller accounts?

Mark: I’d say that the writing’s on the wall, but I don’t think it’s that simple. All you’re doing is shifting the problem.  Someone else has to take on the big cost of getting that infrastructure running. There are a few software providers and the numbers are growing. So the writing’s on the wall. Are they delivering on the services that are required? That is the question.

Richard: I keep getting asked by customers and parties, ‘can we do this as a service?’ And I think the key thing is from a maturity perspective, complexity is still there, and the challenge to overcome is not whether you can do it as a service, but in actually defining and operating identity as a domain internally, let alone trying to outsource it.

It’s like the outsourcing discussion of 20 years ago. Organisations said ‘get this cost off my balance sheet and give it to someone else’, but that still didn’t drive down cost. Complexities still remain and value wasn’t derived. And now we’re hearing about selective sourcing, which makes a lot more sense.

Does anyone see selective sourcing in the identity space yet being really an option? If so, what sort of capabilities are a priority; what can be delivered to the mid-tier and small-tier markets more effectively?

Mark: Well we’re doing select sourcing at the moment and also seeing it in the US. Australia is a little bit behind on that front, as businesses tend to watch and see where it’s going before they jump on-board, although there is a lot of outsourcing going on within corporate Australia.

Reno: In light of the current economic situation, with massive redundancies in the public sector and everybody slashing their budgets, how do we see identity management changing, where people are handing over parts of their infrastructure to a managed service provider, or outsourcing major chunks of their business? How do we see identity management working in that sort of a framework?

John: I think like everything else in IT, over time the service providers will start to provide it as a service to their clients, in the same way that they provide other services today. We’re starting to see that now in every other IT segment, where they have basically said, okay we now understand how to put a wrapper around this and offer this to our clients. So I think it will happen. The question is when.

Reno: It opens up a whole area of separation of duties, privileged account management, now all these newer things, newer areas, that have been around for a while, but I think it’s now ‘who’s responsible?’ But also from a client perspective, still having a level of visibility and being able to report on it, even though you’re no longer in control of it.

John: Going back to the SMBs, a lot of smaller organisations are adopting phone-based services, like Google Apps and all those sorts of things anyway. It has everything you need. I can get to it anywhere. There’s a whole plethora of apps there, and it’s incredibly convenient. All the identity management stuff is managed by them – so I think for organisations starting up today, they’d be mad to go and buy their own stuff and put it together.

But businesses that have been around for a while and are more medium sized? You certainly see them looking at whether they can use the service. You still have the problem where you’re looking at authentication as a service. That’s one thing and that’s fine. There’s quite a lot of these sorts of service providers around that have a large customer base, but interestingly I don’t think a lot of them are actually making money yet.

And then there’s the actual management piece if you like, the actual provisioning of identity and those sorts of things. That’s a much more difficult problem, because even if you put that somewhere else, you still have to plumb it back into the organisation. So there’s certainly an opportunity there for companies like ourselves to take what they currently have, cut it out if you like, have a new piece up in the cloud and then plumb it back in and maintain business continuity while doing that.

But this is not an easy thing to do. It’s not necessarily an identity management kit, but it’s very much ‘how do I get this stuff and cut it out, go through the cloud and then put it back in while maintaining day to day service levels?’

Reno: So there’s certainly opportunities there. David, question for you, ASG has a very large managed services practice and doing a lot of work in governance through partners around the country. How does ASG solve that sort of problem, where a client may be running a particular technology? Do they ask ASG to consume their service or what they have in place as a component of what you offer back to them?

David: Yes, look I think I would echo John’s comments there, we do the provisioning, we do the operational administrative side of the identity management. But when it comes to the rules, the access authorisation rules, what they should be, then that’s predominantly back to the customer. So we’re acting as a proxy. Whether that will change in future, again I agree with John that it’s an opportunity to get out there, be more strategic and be more advisory, in terms of how they should be operating. 

Craig: Another thing is they don’t have a clear understanding of what identity and access management is to the point of being able to pick a piece and then put it in the cloud. It’s just this large amorphous kind of blob of stuff.

CRN: Does the cloud really change the way you all think about IDM or is it a bit overblown? Or are you finding that the traditional policies and strategies for IDM apply equally to the cloud?

John: Customers want to use their internal identities to get access, so they are unlocking things like federation, not in the way that federation was originally intended, but just really to expand their ecosystem through to the partners, and other non-core things really. So it certainly is changing for a lot of people.

Richard: I agree. The interesting thing about cloud and SaaS is that it’s just now another application integration point. Some of the clients you guys service in your day-to-day engagements have 500, 1000, 2000 internal applications.

The difference with cloud based services and SaaS is that they can be consumed in five seconds, and the business bought that off the shelf and said ‘I want that’ and you know the cloud service offerings can have exponential growth of integration requirements for an organisation. So I see exponential growth because SaaS and the cloud provides opportunities for customers to consume faster.

John: I think it’s a big opportunity for us in this industry, because it’s the sort of thing organisations waiting six to 12 months to get CRM, six to 12 months to get another box in place, want. It means that they can reach and attach another service relatively quickly. But they have to do identity management and all those sorts of things. So in some ways it could bring some of our business forward.

Reno: Mick, you have a risk part of your business which is quite large. Are you seeing the cloud as an area where people are somewhat stuck in the grey zone, where they think it is the responsibility of the provider, less a responsibility for them?

And are you feeling vulnerable from a commercial legality perspective? And the same for managed service providers where people have outsourced it to a provider. There’s the question of ‘who is viewing my data?’ Where’s the separation of duty?

Michael: Customers want the efficiencies and perceived cost savings that cloud provides them.  So they are pushing some of the risks onto it. They are trying to get direct answers out of the software service vendors to how they address certain risks, because what the cloud providers are saying is ‘come and join us, we can get you this new service within 15 minutes and it will cost you less’.

 It’s all good, but there are certain risks associated with that, certainly at the enterprise level. Some cloud organisations do it better than others.

But the key thing is to look at what the main business drivers for cloud are compared to the traditional legacy model. Reduction of costs is part of it, but coming back to the earlier conversation around efficiencies, is the cloud really the perfect model? 

What customers are asking for is this particular service, with this particular cost. They don’t care if you’re running it on Unix or NT or anything like that anymore. They just want a system that provides a lot of efficiency that supports their direct business model.

When you’re looking at the cloud model, as far as identity management in the traditional sense and provisioning, all customers want to do is have some kind of identity aggregator out there. We have identities pushing into the system, and we’re provisioning that to run other accounts, other applications.   

So what they’re buying from us is a system that directly supports the organisation’s business models in that area. And once an organisation changes their mindset into that type of model, the efficiencies that are provided are absolutely brilliant.

Back in the late 90s in North America we provided a solution for a ticket organisation. They had a business driver which was one identity within an organisation, because customers had three different identities to access six applications. 

Once they adopted that identity centric model, they provided their identity to the organisation once, the application developers consumed that identity and once that framework was put in place, 12 months later, they’d rolled out 140 applications across that organisation, all based on the back of that identity framework, which is absolutely brilliant as far as efficiency savings go. 

For the medium-sized organisations we talk about, it’s cost prohibitive, because what they’re targeting is just an easier way of going on one console and creating identities and just provisioning to Active Directory and Exchange.

The shift in paradigm from the cloud is that people are buying a service and it’s an out of base model. We are no longer talking about are we using .NET or Perl or Delta, or which technology are we using to provision or internally which technology is best, because frankly it doesn’t matter.

Reno: Michael, you and I had a discussion recently where you said it’s all about keeping it simple and trying to deploy a value proposition to the client and then growing it over time. Obviously identity management offers so much and when you try and take it on this big it’s a lot harder than if you try and start with a smaller piece and then get them to consume larger chunks of it.

Michael: Absolutely, and touching on what John said from a business agility perspective, which is where you’re talking about productivity, rather than a full cloud-based solution, a hybrid solution may be better. Typically, we’re finding that businesses haven’t deployed identity in a lot of instances, and we either have a lot of legacy applications and provisioning as we talk about .NET, Perl or whatever, and all these scripts happening.

The problem is they lose their agility, because really what they should be able to do is have a good identity framework there, that allows them to unbolt an application without it affecting their whole organisation, so they can just pick and choose which one, whether it be cloud or on-premise.

And if all you’re talking about is a connector, rather than the impact of one script, that could have a massive impact on an organisation. So the agility part is important and just bringing it down to a smaller, more bite-sized opportunity, rather than trying to boil the ocean. It seems to me that organisations are looking at that now more and more, because of cloud, because of the applications they want to connect to. 

CRN: We were speaking earlier about social media and there have been a few mentions of Facebook here and there. What are the opportunities for resellers in terms of helping their customers develop IDM strategies that factor in their existing or evolving social media strategies?

Michael: Good question. I think the first thing we need to figure out is who to speak to within the client. Over the years we’ve grown tired of talking to security and the traditional sort of IT. Now with the adoption of social media and the cloud, all lines of business think that they can just get out there and form relationships. I think we need to change the people that we’ve been talking to and I think talk more at a business level.

There’s probably the opportunity to get into different parts of the customers that we’ve all been dealing with for many years. It’s now different, with different discussions with more business orientated people. It needs to be simple and it needs to be actionable, while delivering an ROI.

Richard: If we’re dealing with the parts of the organisation charged with better enabling and engaging with their customers - internal or external - consulting is a huge growth area.

And as Reno said, being able to define a value proposition that’s actionable and gets a short sharp ROI, within the context of delivering into a back-end governance framework that will provide the ongoing enablement, is going to be key.

David: What I’ve noticed is we’re having to view the clients differently and we’re having to change who we’re having discussions with, but also internally, all the partners here at the table, we’re also having to look at the people that we’re bringing on-board, the people who make up the sales force and the account management guys within our businesses.

Because it’s a different breed now, and we need a different breed of sales person who can understand the connection between business and IT and we all know they’re not easy to find. It’s just an observation that we also need to change how we go to market and how we convey our value proposition.

The CRN identity management roundtable was held in partnership with Oracle and Nextgen Distribution.

Copyright © nextmedia Pty Ltd. All rights reserved.