A few weeks ago at the European Identity and Cloud Conference I gave a keynote called Conflicting Visions of Cloud Identity. It was the first time that I reported publicly on the work I've been doing over the last year on understanding what cloud computing means for identity – and vice versa.
The keynote led to many interesting exchanges with others at the conference. The conversations ranged from violent agreement to “animated dissidence” – and most important, to the discussion of many important nuances.
It became clear to me that a lot of us involved with information technology could really benefit from an open exchange about these issues. We have the chance to accelerate and align our understanding and to explore the complexities and opportunities.
So today I'd like to take a first step in that direction and lay out a few high level ideas that I'll flesh out more concretely in upcoming posts. I hope these will goad some of you into elaborating, pushing back, and taking our conversation in other completely different directions.
Preparing for dramatic change
To me, the starting point for this conversation is that Identity Management and the way it is delivered will change dramatically over the next decade as organizations respond to new economic and social imperatives by adopting cloud technology.
We all need to understand this change.
Organizations will find they need new identity management capabilities to take full advantage of the cloud. They will also find that the most reliable and cost-effect way to obtain these capabilities is through Identity Management as a Service – i.e. using the cloud to master the cloud.
We can therefore predict with certainty that almost all organizations will subscribe to identity services that are cheaper, broader in scope and more capable than the systems of today.
Enterprises will use these services to manage authentication and authorization of internal employees, the supply chain, and customers (including individuals), leads and prospects. Governments will use them when interacting with other government agencies, enterprises and citizens.
Identity Management As A Service will require that we move beyond the models of identity management that have guided our thinking to date. A new service-based model will emerge combining more advanced capabilities with externalization of operations to achieve reduction in risk, effort and cost.
Redefining Identity Management
The term “Identity Management” will be redefined to include everything needed to provide and consume identity in our increasingly networked and federated world. This is so profound that it constitutes a “reset”.
As a category, Identity Management will expand to encompass all aspects of identity:
- registration of people, organizations, devices and services;
management of credentials;
- collection and proofing of attributes;
- claims issuance;
- claims acceptance;
- assignment of roles;
- management of groups;
- cataloging of relationships;
- maintenance of personalization information;
- storage and controlled publication of information through directory;
- confidential auditing; and
- assurance of compliance.
The baseline capability of Identity Management will be to enhance the security and privacy of both organizations and individuals.
There will be a new market of next-generation identity management service providers with characteristics shaped by the importance of identity for both the protection of assets and the enhancement of relationships as we enter the era of the social enterprise.
Meanwhile, the current market for identity management products will be challenged by the simplification, cost reduction and increased innovation possible in the cloud.
Going forward, the term Identity Management As A Service will come up so often that we need an acronym. For the time being I'm going to adopt the one my friend Eric Norlan proposed over six years ago : IDMaaS. While we're at it, it is worth looking at Eric's prescient article in ZDNet - he wrote it back in 2006 when he was a partner at Digital ID World. Eric reports on a conversation where Jamie Lewis (then CEO of the Burton Group) argued that “companies would find identity data too important to hand-over to others” – a view that certainly described the way enterprises felt at that time. These issues are still critically important, though many profound evolutions have, I think, transformed the variables in the equations. These new variables will be ones we want to drill into going forward.
Microsoft and IDMaaS
One of the reasons I want to share my thoughts about Identity Management as a Service now is that they constitute part of the theoretical framework that lies behind many of the decisions about the kind of organizational identity service we at Microsoft are offering.
I'm therefore really excited to say that today we are able to start bringing you up to speed on exactly what that is. Here's a quote from today's blog post by my close colleague and friend John Shewchuk, the Technical Fellow who plays a key role in getting our cloud identity offering engineered right:
What is Windows Azure Active Directory?
We have taken Active Directory, a widely deployed, enterprise-grade identity management solution, and made it operate in the cloud as a multitenant service with Internet scale, high availability, and integrated disaster recovery.
Since we first talked about it in November 2011, Windows Azure Active Directory has shown itself to be a robust identity and access management service for both Microsoft Office 365 and Windows Azure–based applications.
In the interim, we have been working to enhance Windows Azure Active Directory by adding new, Internet-focused connectivity, mobility, and collaboration capabilities that offer value to applications running anywhere and on any platform. This includes applications running on mobile devices like iPhone, cloud platforms like Amazon Web Services, and technologies like Java.
The easiest way to think about Windows Azure Active Directory is that Microsoft is enabling an organization’s Active Directory to operate in the cloud. Just like the Active Directory feature in the Windows Server operating system that operates within your organization, the Active Directory service that is available through Windows Azure is your organization’s Active Directory. Because it is your organization’s directory, you decide who your users are, what information you keep in your directory, who can use the information and manage it, and what applications are allowed to access that information. And if you already have on-premises Active Directory, this isn’t an additional, separate copy of your directory that you have to manage independently; it is the same directory you already own that has been extended to the cloud.
Meanwhile, it is Microsoft’s responsibility to keep Active Directory running in the cloud with high scale, high availability, and integrated disaster recovery, while fully respecting your requirements for the privacy and security of your information.
John's post is called Reimagining Active Directory for the Social Enterprise. It's done in two parts, and following that John will join into our broader conversation about the identity management reset. I hope the combination of our two blogs can help animate an industry-wide discussion while providing a specific channel through which people can get the information they need about Microsoft's identity service offering.
Later this week: The Changing Model of Identity Management. I hope to see you there.