Identity Management As A Service

A few weeks ago at the European Identity and Cloud Conference I gave a keynote called Conflicting Visions of Cloud Identity. It was the first time that I reported publicly on the work I've been doing over the last year on understanding what cloud computing means for identity – and vice versa.

The keynote led to many interesting exchanges with others at the conference. The conversations ranged from violent agreement to “animated dissidence” – and most important, to the discussion of many important nuances.

It became clear to me that a lot of us involved with information technology could really benefit from an open exchange about these issues. We have the chance to accelerate and align our understanding and to explore the complexities and opportunities.

So today I'd like to take a first step in that direction and lay out a few high level ideas that I'll flesh out more concretely in upcoming posts.  I hope these will goad some of you into elaborating, pushing back, and taking our conversation in other completely different directions.

Preparing for dramatic change

To me, the starting point for this conversation is that Identity Management and the way it is delivered will change dramatically over the next decade as organizations respond to new economic and social imperatives by adopting cloud technology.

We all need to understand this change.

Organizations will find they need new identity management capabilities to take full advantage of the cloud. They will also find that the most reliable and cost-effective way to obtain these capabilities is through Identity Management as a Service – i.e. using the cloud to master the cloud.

We can therefore predict with certainty that almost all organizations will subscribe to identity services that are cheaper, broader in scope and more capable than the systems of today.

Enterprises will use these services to manage authentication and authorization of internal employees, the supply chain, and customers (including individuals), leads and prospects. Governments will use them when interacting with other government agencies, enterprises and citizens.

Identity Management As A Service will require that we move beyond the models of identity management that have guided our thinking to date. A new service-based model will emerge combining more advanced capabilities with externalization of operations to achieve reduction in risk, effort and cost.

Redefining Identity Management

The term “Identity Management” will be redefined to include everything needed to provide and consume identity in our increasingly networked and federated world.  This is so profound that it constitutes a “reset”.

As a category, Identity Management will expand to encompass all aspects of identity:

  • registration of people, organizations, devices and services;
  • management of credentials;
  • collection and proofing of attributes;
  • claims issuance;
  • claims acceptance;
  • assignment of roles;
  • management of groups;
  • cataloging of relationships;
  • maintenance of personalization information;
  • storage and controlled publication of information through directory;
  • confidential auditing; and
  • assurance of compliance.
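Two items in that list, claims issuance and claims acceptance, are where an identity service and the applications that rely on it actually meet, and they are the ones most often implemented carelessly. The following is an added example written for this page, not code from the post or from any Microsoft service: an issuer signs a small set of claims about a subject for one specific relying party, and the relying party accepts the token only if it was signed by an issuer it trusts, was minted for it, and has not expired. An HMAC over a JSON payload stands in for the SAML or JWT formats real federations use; the issuer URL, key, tenant and application names are invented for the example.

```python
"""Claims issuance and acceptance reduced to the checks that matter.

Added illustration for this page (not the post's or any product's code).
HMAC over serialised JSON stands in for real token formats; a production
service would use asymmetric keys published via federation metadata.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample: one tenant's issuing key, shared out of band with the
# relying party. Any issuer not in this table is untrusted by definition.
ISSUER_KEYS = {
    "https://idp.example-tenant.invalid": b"example-issuer-key-not-for-production",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, key: bytes, subject: str, audience: str,
                claims: dict, ttl: int, now: Optional[int] = None) -> str:
    """Claims issuance: returns '<base64(payload)>.<base64(mac)>'."""
    now = int(time.time()) if now is None else now
    payload = {
        "iss": issuer,     # who asserts the claims
        "sub": subject,    # whom they are about
        "aud": audience,   # the one relying party allowed to consume them
        "iat": now,
        "exp": now + ttl,  # short lifetime limits replay of a stolen token
        "claims": claims,  # the attributes the issuer vouches for
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(mac)}"


def accept_token(token: str, trusted_issuers: dict, my_audience: str,
                 now: Optional[int] = None) -> dict:
    """Claims acceptance: signature, issuer trust, audience, expiry.

    Returns the accepted claims or raises ValueError with the reason.
    The 'iss' field of the not-yet-verified payload only selects which
    trusted key to try; nothing else is used until the MAC has passed.
    """
    now = int(time.time()) if now is None else now
    try:
        body_b64, mac_b64 = token.split(".")
        body, mac = _unb64(body_b64), _unb64(mac_b64)
        payload = json.loads(body)
        issuer = payload["iss"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    key = trusted_issuers.get(issuer)
    if key is None:
        raise ValueError(f"untrusted issuer: {issuer}")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        raise ValueError("bad signature")
    if payload.get("aud") != my_audience:
        raise ValueError("token not intended for this relying party")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("token expired")
    return {"sub": payload["sub"], "iss": issuer, **payload["claims"]}


def acceptance_outcome(token: str, trusted_issuers: dict, my_audience: str,
                       now: Optional[int] = None) -> Tuple[bool, str]:
    """Convenience wrapper: (True, 'ok') or (False, reason)."""
    try:
        accept_token(token, trusted_issuers, my_audience, now=now)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    iss = "https://idp.example-tenant.invalid"
    app = "https://app.example.invalid"
    tok = issue_token(iss, ISSUER_KEYS[iss], "alice@example-tenant.invalid",
                      app, {"role": "buyer"}, ttl=600)
    print(accept_token(tok, ISSUER_KEYS, app))
    print(acceptance_outcome(tok, ISSUER_KEYS, "https://other.invalid"))
```

The point of the four rejection paths is that each corresponds to a real failure: a token forged by an outsider, a token from a directory the application never agreed to trust, a valid token lifted from one application and replayed against another, and a token kept alive after the issuer would have revoked the underlying attributes. A relying party that skips any one of them is still "accepting claims", just not safely.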

The baseline capability of Identity Management will be to enhance the security and privacy of both organizations and individuals.

There will be a new market of next-generation identity management service providers with characteristics shaped by the importance of identity for both the protection of assets and the enhancement of relationships as we enter the era of the social enterprise.

Meanwhile, the current market for identity management products will be challenged by the simplification, cost reduction and increased innovation possible in the cloud.

Going forward, the term Identity Management As A Service will come up so often that we need an acronym. For the time being I'm going to adopt the one my friend Eric Norlan proposed over six years ago: IDMaaS. While we're at it, it is worth looking at Eric's prescient article in ZDNet – he wrote it back in 2006 when he was a partner at Digital ID World. Eric reports on a conversation where Jamie Lewis (then CEO of the Burton Group) argued that “companies would find identity data too important to hand-over to others” – a view that certainly described the way enterprises felt at that time. These issues are still critically important, though many profound evolutions have, I think, transformed the variables in the equations. These new variables are the ones we want to drill into going forward.

Microsoft and IDMaaS

One of the reasons I want to share my thoughts about Identity Management as a Service now is that they constitute part of the theoretical framework that lies behind many of the decisions about the kind of organizational identity service we at Microsoft are offering. 

I'm therefore really excited to say that today we are able to start bringing you up to speed on exactly what that is.  Here's a quote from today's blog post by my close colleague and friend John Shewchuk, the Technical Fellow who plays a key role in getting our cloud identity offering engineered right: 

What is Windows Azure Active Directory?

We have taken Active Directory, a widely deployed, enterprise-grade identity management solution, and made it operate in the cloud as a multitenant service with Internet scale, high availability, and integrated disaster recovery.

Since we first talked about it in November 2011, Windows Azure Active Directory has shown itself to be a robust identity and access management service for both Microsoft Office 365 and Windows Azure–based applications.

In the interim, we have been working to enhance Windows Azure Active Directory by adding new, Internet-focused connectivity, mobility, and collaboration capabilities that offer value to applications running anywhere and on any platform. This includes applications running on mobile devices like iPhone, cloud platforms like Amazon Web Services, and technologies like Java.

The easiest way to think about Windows Azure Active Directory is that Microsoft is enabling an organization’s Active Directory to operate in the cloud. Just like the Active Directory feature in the Windows Server operating system that operates within your organization, the Active Directory service that is available through Windows Azure is your organization’s Active Directory. Because it is your organization’s directory, you decide who your users are, what information you keep in your directory, who can use the information and manage it, and what applications are allowed to access that information. And if you already have on-premises Active Directory, this isn’t an additional, separate copy of your directory that you have to manage independently; it is the same directory you already own that has been extended to the cloud.

Meanwhile, it is Microsoft’s responsibility to keep Active Directory running in the cloud with high scale, high availability, and integrated disaster recovery, while fully respecting your requirements for the privacy and security of your information.

John's post is called Reimagining Active Directory for the Social Enterprise. It's done in two parts, and following that John will join in our broader conversation about the identity management reset. I hope the combination of our two blogs can help animate an industry-wide discussion while providing a specific channel through which people can get the information they need about Microsoft's identity service offering.

Later this week:  The Changing Model of Identity Management.  I hope to see you there.


Published by

Kim Cameron

Work on identity.

4 thoughts on “Identity Management As A Service”

  1. Kim,

    Why not IDMaaS, the more common case assignment for the “as a” part of the name?

    [Response by Kim: Roger – thanks for this. I've now fixed the post to say “IDMaaS” rather than my original “IDMAAS”. Eric actually abbreviated it the same way as you did. What can I say? I guess I was “caps happy”…]

  2. Is this effectively cloud storage of claim information? Just establishing and correctly maintaining identity information seems to be incredibly difficult for many organizations, and I can't see that getting any easier whether the information is stored on prem or in the cloud. So I hope you will also be covering how provisioning and maintenance fit into the picture in your upcoming posts.

    Another issue that isn't going away is company mergers and splitting. Will IDMaaS help simplify that pain?

    [Kim Cameron: I agree – if we can't answer these two great questions, we all fail. So let's make sure this is part of the conversation – I hope you will help make sure that whatever conclusions we come to withstand scrutiny – I will personally have many points to make.]

  3. I would prefer IDEM (ID enhanced management).

    [Kim Cameron: Yes, Jacques, “ID Enhanced Management” is an interesting idea and is what we want to get to. Problem would be how we lead everyone who has been acclimatized to the term “Identity Management” to see that “Identity Enhanced Management” is actually the next and superior incarnation of the root idea…

    Wow! – I guess naming is something we really should work on here. We may be able to make some real progress… Could this be a job for Craig Burton and Doc Searls? 🙂

    Funny thing is that a few days ago I attended the Tabla Rasa conference on ethics, spoofing and biometrics in Rome led by the visionary Emilio Mordini. As a result this was not your Tom, Dick and Harriet conference on Biometrics – it looked at spoofing as something that can be – or may even always be – culturally justified, and drilled into the cultural artifacts that help us understand this (I'll post some links in later blogs)…

    I had been asked to give a Keynote on Identity since the attendees were thinkers drawn from many other disciplines. So I did my best, and met, as a result, some very interesting people who I will try to introduce to my readers…

    In doing some research for this event I had the “aha” that the medieval definition of identity was actually bizarrely close to the way we technologists think of digital identity today (closer than more modern and arguably self-serving definitions). The medieval Latin identitas (“sameness, identity”) was abstracted from the later word identidem meaning “over and over”, which derived from the phrase idem et idem. This is really what it's all about.

    And Jacques Paul's proposal of the IDEM acronym REALLY nails this, at the risk of being slightly edgy 🙂
