Report Card: Incite #3 - Who are you?

Submitted by Mike Rothman on Tue, 2006-12-26 15:49.

Here is the Report Card on Incite #3 on Identity Management.

Incite #3 - Who are you?

Identity Management (IDM) breaks out in 2006, as ROI-driven password management and single sign-on (SSO) initiatives are deployed en masse. Smart users increasingly figure out that strong and centralized IDM provides good enough authentication and authorization for compliance purposes, accelerating market growth in 2H 2006. Yet, identity federation continues to lag in a cloud of useless vendor bickering and standards immaturity until mid-2007. Token-based authentication finally hits the wall, as passwords remain good enough and no compelling alternative appears.


Grade: B

Original Days of Incite post: here
Incite Redux post: here

Have I mentioned that 2006 was a learning year? I learned a lot about what is important to focus on and what isn’t. Clearly Identity Management continues to be a critical part of the infrastructure and a lot of money was driven towards IDM products and services.

But this largely seemed to be a large-company phenomenon, since their pain is the most acute. It’s pretty hard to deal with a hundred users, absolutely brutal when you start talking about tens of thousands. So IDM continues to be driven deeper and deeper into the large enterprise.

We also saw a lot of folks using the compliance “budget” to fund these projects. Provisioning and, more importantly, de-provisioning are clearly compliance exposures, and IDM (at least the provisioning engines) alleviates those issues. Moving forward we will still see lots of IDM being driven into the large enterprise.

What I missed is the renewed importance of authentication. FFIEC was one driver, but phishing and customer notification laws continued to shine the spotlight on faulty authentication processes. And the ability for phishers to (in limited cases) successfully use a man-in-the-middle attack on a one-time password authentication scheme continues to show the need to refresh those technologies.

RSA getting acquired at a big premium by EMC speaks volumes for how important authentication and data protection are to enterprise security moving forward.

Federation continues to make small inroads, again largely for larger enterprises. But it wasn’t due to standards confusion as I projected in the Incite. It was more due to the need to set up business relationships with trading partners to get Federation going. That’s not going to change, so Federation continues its slow path to the mass market.

Overall, the Incite was not bad – but not great. I’m rethinking how identity fits into the Pragmatic Security architecture and that will impact the depth and level that I cover the topic in 2007.

Submitted by LonerVamp (not verified) on Wed, 2006-12-27 15:29.

I think SSO is one of those talked-about things this year that didn't make all that many inroads outside large business. I think this is largely due to administrators just not knowing what this means. In most shops, SSO means an Active Directory (or other directory) account and password. Even remote users eventually hook back into RADIUS or AD through something else. The real power and need for IDM and SSO is still really lost and not grasped by most of us administrators in anything but a huge organization. We're not really sure what to do to implement this, or if we already even have it. Two-factor authentication? Smartcards?

I think that is what kind of stunted this area. We talk a lot about it, but we've yet to take some steps forward as we're not sure where to start walking.
