  • Discovering your “Edge” in Identity & Access Management

    Any way you look at it, IAM will become an increasingly important area of focus for IT and business leaders. We need a vantage point from which to see and better align IAM investment opportunities that will have the most impact on the ability of the business to compete and grow in the coming years.

  • Evolving The IAM Architecture

    To effectively address IAM requires that the organization be able to understand and engage with a dynamic, changing, and complex business environment. The IAM architecture must evolve to easily integrate with cloud applications, federate with partners, support multi-factor authentication and enrich authorization and access policies. Whether your organization likes to be agile, adaptive or lean, the IAM architecture must evolve to support the growth mindset that charges the business to increase revenues, improve efficiency, achieve regulatory compliance and embrace new operating models with the cloud and services in mind.

  • IT Reimagined – Better Governance Ahead

    If there is one thing we should be talking more about as an industry, it is that we need better governance and to talk more about integration, management and security shaping our priorities and stop all the whining about the end of IT.

  • From Gustav Mahler to Identity & Access Governance
  • Doesn’t Anybody Use IdM Standards Anymore?

In thinking back over the year about what a wild ride it has been for the IAM and InfoSec community at large, there is no shortage of topics waiting to be addressed from the boardroom to the datacenter. Taking lessons learned from the headline breaches (Target, Home Depot, Sony) to emerging tech opportunities (POS, Internet of Things (IoT), Apple Pay) to dealing with challenges and problem areas in IAM, there is clearly a lot that can be applied and carried forward that will shape our work and our lives in 2015.

In thinking about our roles in this thing we call our work, it is easy to lose sight of how our assumptions and plans can be foiled and disrupted by threats and trends that you were not focusing on before. Many of the professionals I run into at conferences, especially vendors, tend to be focused on solving problems that their particular solution solves for without much respect to the broader concerns of the business. That is why it is important for IT leaders and architects to frequently spend time staying on top of what is happening in the industry, in business and in the world. As professionals who have responsibility for or a stake in IAM for your organization, we ought to care deeply about making sure that scale, efficiency and superior security are top principles that define our work and our legacy. As a business, not having these principles to guide investments in IAM will have a direct and immediate impact on customer experience and employee productivity. (more on this in another blog post)


If you are making the effort to find more meaning in your career, and to enhance your overall value to your clients or employer, then it is imperative to discover, develop and maintain your “Edge” in your chosen craft. My own experience with discovering and developing an edge started with writing and blogging on the management and strategy of IAM, and not the technology itself. It’s not that execution is not important; it’s that having peripheral vision and managing from this vantage point is a necessary and valuable activity. Most technicians (e.g., architects, developers, managers, etc.) who set their sights on architecture and strategy will not truly become liberated from their past lives and effective in the business of IAM until their peripheral vision is developed adequately. Mark Cuban, in his book How to Win at the Sport of Business, stresses, “It’s not whom you know. It’s not how much money you have. It’s very simple. It’s whether or not you have the edge and have the guts to use it.”

If you are focused on addressing the problems your organization faces today, you are focused on the wrong problem. As leaders, we need to be thinking about the new models and strategies that will entirely transform the way we do things today and help the organization become more agile and customer focused. One of the great opportunities today is to look at how an integrated view of IAM and GRC will begin to address issues that span a diverse range of applications and user experiences and make existing investments even more effective. One way for an organization to discover an edge is in the way it manages IAM through integration with GRC and automation within its own operations.

IAM spheres of influence

When I discuss this vision for the future of IAM with the leaders and stakeholders at my company, initial reactions range from blank stares to flat-out skepticism due to the magnitude of change (and potentially disruption) that implementing this model can bring to the IT department, and in some cases the business itself. For one, I don’t disagree that the effort is significant, will require a budget on par with a frontier investment, or that there is risk involved. Imagine if Elon Musk were the CIO or CISO of your organization; the pervading attitude must be “If something is important enough, even if the odds are against you, you should still do it.” (Hyperloop anyone?)

Any way you look at it, IAM will become an increasingly important area of focus for IT and business leaders. We need a vantage point from which to see and better align IAM investment opportunities that will have the most impact on the ability of the business to compete and grow in the coming years. This is not exactly something I can prescribe as each organization will have a unique set of challenges. On a professional level, you can begin with discovering your edge and doing the work of vision, architecture and strategy for your clients or your company. You can begin expanding your influence and credibility by starting the conversations with stakeholders and leaders in your company who will be involved in some way in your overall IAM strategy.

One place you might begin discovering your edge, if you haven’t done so already, is by reading this short paper I wrote on Managing IAM.

I am always happy to respond to questions either on Twitter, or in the comments section of this post.

All the best to you and your career in the coming year!

For those of you following the progress of my book Virtual Identity, I just completed Chapter 3 Evolving The IAM Architecture, and would like to offer a preview of the goodness to come.

To effectively address IAM requires that the organization be able to understand and engage with a dynamic, changing, and complex business environment. The IAM architecture must evolve to easily integrate with cloud applications, federate with partners, support multi-factor authentication and enrich authorization and access policies. Whether your organization likes to be agile, adaptive or lean, the IAM architecture must evolve to support the growth mindset that charges the business to increase revenues, improve efficiency, achieve regulatory compliance and embrace new operating models with the cloud and services in mind. All the while, the IAM architecture must evolve as the business evolves, taking the following opportunities into consideration:

  • The opportunity to transform the IT operating model from legacy to ITaaS
  • The opportunity to securely integrate with partners and 3rd parties, extending operations outside of the corporate network to business networks for distributors, resellers and developers
  • Replace legacy IAM stacks with more cost effective tools appropriate for the needs of the business
  • Applying IT policies consistently from server farms and infrastructure, to databases, ERP and HR applications, enterprise portals, mobile applications and the growing number of SaaS applications utilized by the organization
  • Monitoring, threat modeling, threat detection, remediation and governance for SaaS

These opportunities are not to be overshadowed by the threats and vulnerabilities facing organizations today, many of which were discussed in Chapter 2 Security Driven IAM. From an architecture perspective, we need to expect that nothing short of massive scale, security and governance of IAM will allow organizations to realize the full potential of IAM and GRC initiatives, integrating important high level capabilities as shown in the following figure, The Venn of IAM and GRC.

The Venn of IAM and GRC

I have been seeing a lot of articles like this lately, and it seems everyone might think the sky is falling. Truth is, the smart IT guys will just move on to IT in the cloud. Really don’t think that a battle is being lost here because the business wins, and for shareholders in IT, they win too. As governance goes, we need to have better visibility and control of applications and data inside the firewall as well as across the SaaS (PaaS, IaaS, et al.) ecosystem.

Sort of been talking about this for a while now. If there is one thing we should be talking more about as an industry, it is that we need better governance and to talk more about integration, management and security shaping our priorities and stop all the whining about the end of IT.

Scope for better governance
