Identity and access management are significant workloads in most enterprises, large and small. This workload is all about governance and technology: it is the backbone for most, if not all, personal and business interactions within the enterprise where some level of trust and assurance is expected by and between employees, partners, customers, and applications. To be done properly, identity and the corresponding access management require a complete set of policies, business processes, and technology infrastructure to provide a trust backbone. Everything from background investigations, to physical access and logical connections to applications, to information classification, to the provisioning and consuming of secure web services, to password resets and expiring digital certificates, to audit trails and compliance, customer service, partner and supplier management, and so on, has a direct connection to identity management, digital or otherwise.
So with everyone talking and writing about the cloud, and with interest in transitioning non-core, value-generating workloads to cloud-based services, should identity management be one of the workloads considered? If so:
- What part of the identity management lifecycle is most appropriate to start with?
- What is the impact on existing identity infrastructure and what is reusable?
- Which components of the identity lifecycle present the highest payback at the lowest risk when considering cloud services?
- Is identity governance a new and up-and-coming cloud service (a significant new "I" in IaaS)?
A significant shift in identity management is already underway. More and more identity infrastructure is distributed, and users are increasingly mobile. So the real question is not “should identity be managed in the cloud”, but “when and how should it be managed, and how do I get there in a safe and reliable way”.
More and more personal and business identities, or more accurately, claims to identity, are being created outside rather than inside the enterprise through innovations like Google Apps, ooVoo, the iPhone, the significant and growing market of SaaS-based applications, and user-centered identity standards. User-centered identity gives everyone the opportunity to manage their own identity, customize it for particular purposes (i.e., give an outsider only as much information as is necessary for them to transact with you in the way you need), and have it scale across the network. Another way of looking at it is that it allows the individual to have identity as a kind of service rather than something done to them by outside interests (e.g., an employer or service provider). People are accessing apps running all over the place from all over the world. The perimeter of the enterprise is dissolving.
Action Item: Cloud computing is another frontier for identity management and corporate governance, and the CIO, CRO, CISO, and business line managers have a lot to consider. New approaches, practices, and technologies need to be considered as LOBs look to SaaS-based applications to deliver more value, as customers look to simplify their online lives, which today include long lists of siloed identities with little interoperability, and as the social and standards communities online try to solve the technical challenge of how people can manage their own identity across the range of websites, services, companies, and organizations that they belong to, purchase from, and participate with.