CRN recently chaired a fascinating and lively discussion with industry experts on the challenges of establishing effective identity management in today’s increasingly mobile and boundless corporate environment.
But, as the panel discovered, IDM means different things to different people, and one of the more pressing issues for companies involved in this space is to establish meaningful parameters and definitions so as to help organisations better understand their vulnerabilities as well as the opportunities to improve organisational processes and increase efficiency.
A key theme, of course, is mobility as organisations try to manage the expectations of staff while ensuring that the right policies are in place to strike a balance between freedom and controls. Not only are staff demanding to bring their own devices, they are also now in effect bringing their own identities.
Our panellists also shared some interesting experiences about the relative advantages of deploying identity management solutions at greenfields or legacy sites, while the cloud of course provided an interesting sidebar, especially in terms of its potential to help smaller companies develop more cost-effective identity management solutions.
John: All they’re going to do is say ‘here’s a list of providers that we can talk to on Facebook and a bunch of other ones really’. But that’s really not releasing the identity. It’s just kind of going ‘okay we know who you are, but we still own the identity’.
Richard: Back again to the 100-point check, instead of turning up to the bank with a photocopy of your bank, passport and driver’s licence and so on, and doing a face-to-face proof, there’s a move into online verification, identity verification, which actually achieves the same result.
The integrity of the 100-point check is still there. The banks can rely on it; therefore they can transact and deliver value. If that’s the case, if that capability is available, doesn’t it still apply that the organisation has access to be able to consume that, as well?
John: It depends on the identity. I have a Facebook account. You can look me up as John Jones within the organisation and do a 100-point check. But whether or not I’m actually that person on Facebook is a different thing altogether. So Facebook has addressed this with organisations in the last year or so as more have moved to create their own Facebook pages. It’s only more recently they’ve gone and actually provided visibility of the index file, so now anyone can make anything.
Gabriel: I think we shouldn’t confuse two concepts here. There’s basically the matter of how you establish somebody’s identity in the first place, and I think that’s what Richard is talking about here with the 100-point check. What they’re doing there is accessing things like births and deaths records, to establish that a person of that name does exist and looking at other factors to identify.
That’s how you establish them upfront, but then it’s how you actually continue to prove their identity on an ongoing basis, and to me that’s where there’s far more opportunity to adopt new and emerging technologies – things like the actual phone and other things they bring along to the party to say ‘here I want you to use this to prove I am who I am in future – I’ve established here now that I am who I am and this is how I want to be identified in future’.
Richard: It’s a good point. How much of a market is there for consulting organisations like yours to deliver that to customers, deliver that thought leadership to customers?
Gabriel: I find myself in discussions around that all the time. I think it’s very instrumental for the business we’re in.
Mark: Because we’re at the start of that movement, I think we need to move towards a different way of looking at identity and access, because they’re two different things.
There’s going to be quite a bit of opportunity over the next three years for organisations such as us to go in and hand-hold organisations and guide them through. Where those conversations lie or shift from the traditional technology chat, which is ‘come and play’ for a lot of technology companies, we’ll see more engagement with legal teams and talking with the business front and talking with HR.
CRN: The conversation’s been weighted very heavily around actual security and compliance and all these strategies for risk mitigation, but what about the productivity and efficiency benefits that can flow from an intelligently thought out and deployed IDM strategy. Presumably this is the harder part of the sell?
Mark: Yes, particularly when you’re talking about smaller businesses. So my history is not from technology and info security. It’s from service management, so I set up service desks and IT teams.
One of the biggest drivers for investment in security solutions was the challenge of resetting passwords in call centres. And it still hasn’t changed with all the technology that comes through. There’s an enormous amount of money spent on supporting identities. This is due to a cold-hard fact about business. It’s about retaining customers.
The more time staff are on the phone to a call centre, the less time they are generating new business. So getting ‘high-end’ organised and having the 100-point check is an enormous productivity challenge.
Richard: The biggest thing from our experience probably in the last three years, our largest growth in our business, with 50 percent plus year-on-year growth over the last three years, has absolutely been productivity and delivering.
The money is coming from the project; it’s absolutely where the ROI is. The biggest drivers in terms of ROI are customer acquisition and retention, and identity goes to the heart of that through customer experience, meeting customer expectations, exceeding customer expectations and product service delivery. So we’re seeing a huge amount of new money and continued investment. It’s not just a stand-up project to try and resolve this, it’s about continuous investment.
David: So Richard presumably a large part of customer spend is within the firewall? Or is it outside? Are people spending it in their own domains?
Richard: Our experience over the last couple of years has been two thirds one third. One third around governance, provisioning, what I call the plumbing – on-boarding, off-boarding, business process. It’s maturing in terms of governance and gestation onboarding and offboarding, especially around applications.
That segment has been growing at an industry average of 15 to 20 percent year-on-year, but our biggest growth is actually in online. I call it online – both internal and external – because of the de-perimeterisation, the blurring of the lines.
I was sitting with the CTO of a telco last week. His major questions concerned his two key constituents: ex-customers and internal. He said ‘I don’t care anymore. They are the same. They are constituents. They are people and identities that I need to work and deliver products and services to’.
They may have different drivers, but from an internal perspective, the products and services being given by the business and productivity in that employee pool, products and services to deliver a new capability and revenue streams and jump on board, before being wiped out by your competitors in speed to market, it’s the same.
CRN: Are partners around the table here seeing exciting opportunities for small businesses with regard to marketing and deploying IDM solutions? Presumably in the enterprise and mid-tier companies there’s a reasonable understanding about IDM, but what are you experiencing further down the chain?
Mark: We are seeing some opportunities. However, at the moment the cost of an ID is prohibitive. So for SMBs to do that, a key option is ID as a service (IDaaS) where they can release that cost, and make it just an item on their ledger.
Rene: Do you think there’s an opportunity for all of us here to look at providing Identity as a Service, or doing more of managed services, where the client still owns the infrastructure, but where our task is the responsibility of managing the infrastructure? Do you see that as a vehicle for getting into mid-market and smaller accounts?
Mark: I’d say that the writing’s on the wall, but I don’t think it’s that simple. All you’re doing is shifting the problem. Someone else has to take on the big cost of getting that infrastructure running. There are a few software providers and the numbers are growing. So the writing’s on the wall. Are they delivering on the services that are required? That is the question.
Richard: I keep getting asked by customers and parties, ‘can we do this as a service?’ And I think the key thing is from a maturity perspective, complexity is still there, and the challenge to overcome is not whether you can do it as a service, but in actually defining and operating identity as a domain internally, let alone trying to outsource it.
It’s like the outsourcing discussion of 20 years ago. Organisations said ‘get this cost off my balance sheet and give it to someone else’, but that still didn’t drive down cost. Complexities still remain and value wasn’t derived. And now we’re hearing about selective sourcing, which makes a lot more sense.
Does anyone see selective sourcing in the identity space yet being really an option? If so, what sort of capabilities are a priority; what can be delivered to the mid-tier and small tier markets more effectively?
Mark: Well we’re doing select sourcing at the moment and also seeing it in the US. Australia is a little bit behind on that front, as businesses tend to watch and see where it’s going before they jump on-board, although there is a lot of outsourcing going on within corporate Australia.
Reno: In light of the current economic situation, with massive redundancies in the public sector and everybody slashing their budgets, how do we see identity management changing, where people are handing over parts of their infrastructure to a managed service provider, or outsourcing major chunks of their business? How do we see identity management working in that sort of a framework?
John: I think like everything else in IT, over time the service providers will start to provide it as a service to their clients, in the same way that they provide other services today. We’re starting to see that now in every other IT segment, where they have basically said, okay we now understand how to put a wrapper around this and offer this to our clients. So I think it will happen. The question is when.
Reno: It opens up a whole area of separation of duties, privileged account management, now all these newer things, newer areas, that have been around for a while, but I think it’s now ‘who’s responsible?’ But also from a client perspective, still having a level of visibility and being able to report on it, even though you’re no longer in control of it.
John: Going back to the SMBs, a lot of smaller organisations are adopting phone-based services, like Google Apps and all those sorts of things anyway. It has everything you need. I can get to it anywhere. There’s a whole plethora of apps there, and it’s incredibly convenient. All the identity management stuff is managed by them – so I think for organisations starting up today, they’d be mad to go and buy their own stuff and put it together.
But businesses that have been around for a while and are more medium sized? You certainly see them looking at whether they can use the service. You still have the problem where you’re looking at authentication as a service. That’s one thing and that’s fine. There’s quite a lot of these sorts of service providers around that have a large customer base, but interestingly I don’t think a lot of them are actually making money yet.
And then there’s the actual management piece if you like, the actual provisioning of identity and those sorts of things. That’s a much more difficult problem, because even if you put that somewhere else, you still have to plumb it back into the organisation. So there’s certainly an opportunity there for companies like ourselves to take what they currently have, cut it out if you like, have a new piece up in the cloud and then plumb it back in and maintain business continuity while doing that.
But this is not an easy thing to do. It’s not necessarily an identity management kit, but it’s very much ‘how do I get this stuff and cut it out, go through the cloud and then put it back in while maintaining day to day service levels?’
Reno: So there’s certainly opportunities there. David, question for you, ASG has a very large managed services practice and doing a lot of work in governance through partners around the country. How does ASG solve that sort of problem, where a client may be running a particular technology? Do they ask ASG to consume their service or what they have in place as a component of what you offer back to them?
David: Yes, look I think I would echo John’s comments there, we do the provisioning, we do the operational administrative side of the identity management. But when it comes to the rules, the access authorisation rules, what they should be, then that’s predominantly back to the customer. So we’re acting as a proxy. Whether that will change in future, again I agree with John that it’s an opportunity to get out there, be more strategic and be more advisory, in terms of how they should be operating.
Craig: Another thing is they don’t have a clear understanding of what identity and access management is to the point of being able to pick a piece and then put it in the cloud. It’s just this large amorphous kind of blob of stuff.
CRN: Does the cloud really change the way you all think about IDM or is it a bit overblown? Or are you finding that the traditional policies and strategies for IDM apply equally to the cloud?
John: Customers want to use their internal identities to get access, so they are unlocking things like federation, not in the way that federation was originally intended, but just really to expand their ecosystem through to the partners, and other non-core things really. So it certainly is changing for a lot of people.
Richard: I agree. The interesting thing about cloud and SaaS is that it’s just now another application integration point. Some of the clients you guys service in your day-to-day engagements have 500, 1000, 2000 internal applications.
The difference with cloud based services and SaaS is that they can be consumed in five seconds, and the business bought that off the shelf and said ‘I want that’ and you know the cloud service offerings can have exponential growth of integration requirements for an organisation. So I see exponential growth because SaaS and the cloud provides opportunities for customers to consume faster.
John: I think it’s a big opportunity for us in this industry, because it’s the sort of thing organisations waiting six to 12 months to get CRM, six to 12 months to get another box in place, want. It means that they can reach and attach another service relatively quickly. But they have to do identity management and all those sorts of things. So in some ways it could bring some of our business forward.
Reno: Mick, you have a risk part of your business which is quite large. Are you seeing the cloud as an area where people are somewhat stuck in the grey zone, where they think it is the responsibility of the provider, less a responsibility for them?
And are you feeling vulnerable from a commercial legality perspective? And the same for managed service providers where people have outsourced it to a provider. There’s the question of ‘who is viewing my data?’ Where’s the separation of duty?
Michael: Customers want the efficiencies and perceived cost savings that cloud provides them. So they are pushing some of the risks onto it. They are trying to get direct answers out of the software service vendors to how they address certain risks, because what the cloud providers are saying is ‘come and join us, we can get you this new service within 15 minutes and it will cost you less’.
It’s all good, but there are certain risks associated with that, certainly at the enterprise level. Some cloud organisations do it better than others.
But the key thing is to look at what the main business drivers for cloud are compared to the traditional legacy model. Reduction of costs is part of it, but coming back to the earlier conversation around efficiencies, is the cloud really the perfect model?
What customers are asking for is this particular service, with this particular cost. They don’t care if you’re running it on Unix or NT or anything like that anymore. They just want a system that provides a lot of efficiency that supports their direct business model.
When you’re looking at the cloud model, as far as identity management in the traditional sense and provisioning, all customers want to do is have some kind of identity aggregator out there. We have identities pushing into the system, and we’re provisioning that to run other accounts, other applications.
So what they’re buying from us is a system that directly supports the organisation’s business models in that area. And once an organisation changes their mindset into that type of model, the efficiencies that are provided are absolutely brilliant.
Back in the late 90s in North America we provided a solution for a ticket organisation. They had a business driver which was one identity within an organisation, because customers had three different identities to access six applications.
Once they adopted that identity centric model, they provided their identity to the organisation once, the application developers consumed that identity and once that framework was put in place, 12 months later, they’d rolled out 140 applications across that organisation, all based on the back of that identity framework, which is absolutely brilliant as far as efficiency savings go.
For the medium-sized organisations we talk about, it’s cost prohibitive, because what they’re targeting is just an easier way of going on one console and creating identities and just provisioning to active directory and exchange.
The shift in paradigm from the cloud is that people are buying a service and it’s an out of base model. We are no longer talking about are we using .NET or Perl or Delta, or which technology are we using to provision or internally which technology is best, because frankly it doesn’t matter.
Rene: Michael, you and I had a discussion recently where you said it’s all about keeping it simple and trying to deploy a value proposition to the client and then growing it over time. Obviously identity management offers so much and when you try and take it on this big it’s a lot harder than if you try and start with a smaller piece and then get them to consume larger chunks of it.
Michael: Absolutely, and touching on what John said from a business agility perspective, which is where you’re talking about productivity, rather than a full cloud-based solution, a hybrid solution may be better. Typically, we’re finding that businesses haven’t deployed identity in a lot of instances, and we either have a lot of legacy applications and provisioning as we talk about .NET, Perl or whatever, and all these scripts happening.
The problem is they lose their agility, because really what they should be able to do is have a good identity framework there, that allows them to unbolt an application without it affecting their whole organisation, so they can just pick and choose which one, whether it be cloud or on-premise.
And if all you’re talking about is a connector, rather than the impact of one script, that could have a massive impact on an organisation. So the agility part is important and just bringing it down to a smaller, more bite-sized opportunity, rather than trying to boil the ocean. It seems to me that organisations are looking at that now more and more, because of cloud, because of the applications they want to connect to.
CRN: We were speaking earlier about social media and there have been a few mentions of Facebook here and there. What are the opportunities for resellers in terms of helping their customers develop IDM strategies that factor in their existing or evolving social media strategies?
Michael: Good question. I think the first thing we need to figure out is who to speak to within the client. Over the years we’ve grown tired of talking to security and the traditional sort of IT. Now with the adoption of social media and the cloud, all lines of business think that they can just get out there and form relationships. I think we need to change the people that we’ve been talking to and I think talk more at a business level.
There’s probably the opportunity to get into different parts of the customers that we’ve all been dealing with for many years. It’s now different, with different discussions with more business orientated people. It needs to be simple and it needs to be actionable, while delivering an ROI.
Richard: If we’re dealing with the parts of the organisation charged with better enabling and engaging with their customers - internal or external - consulting is a huge growth area.
And as Rene said, being able to define a value proposition that’s actionable and gets a short sharp ROI, within the context of delivering into a back-end governance framework that will provide the ongoing enablement, is going to be key.
David: What I’ve noticed is we’re having to view the clients differently and we’re having to change who we’re having discussions with, but also internally, all the partners here at the table, we’re also having to look at the people that we’re bringing on-board, the people who make up the sales force and the account management guys within our businesses.
Because it’s a different breed now, and we need a different breed of sales person who can understand the connection between business and IT and we all know they’re not easy to find. It’s just an observation that we also need to change how we go to market and how we convey our value proposition.
The CRN identity management roundtable was held in partnership with Oracle and Nextgen Distribution.