Identity is having its TCP/IP moment

[This is my keynote from Cloud Identity Summit 2015. Unlike most of my talks, this one did not start with a few phrases and then an outline and then a speech and then a deck. This one dropped out of my noggin in basically one whole piece. I wrote this on a flight back home from London based on a conversation with a friend in the industry. Oh, there is no deck. I delivered this as a speech.]

[Credit where credit is due: Josh Alexander gave me the idea for the username and password as cigarettes and the sin tax. Last year, Nat Sakimura around 2 in the morning in my basement talked about service providers charging for username and passwords to cover externalities, and I completely forgot about the conversation. Furthermore, at the time, I didn’t fully track with his idea. I totally get it now and want to make sure I assign full and prior art credit to Nat – the smartest guy in identity, sent from the future to save us all.]

 

 

Remember when we used to pay for a TCP/IP stack. Remember when we paid for network stacks in general? Hell, we had to buy network cards that would work with the right stack.

But think about it… Paying for a network stack. Paying for TCP/IP. Paying for an implementation of a standard.

How quaint that sounds. How delightfully old school that sounds.

But it was. And we did.

And now? No one pays for a TCP/IP stack. Or at least no one pays for it directly. I suppose you can say that what you spend on an OS includes the cost of the network stack. It’s not a very good argument but I suppose you can make it.

When network stacks became free (or essentially cost free) networking jobs didn’t go away. I would posit that we have more networking engineers now than we’ve ever had before. Their jobs morphed with the times and changes in tech.

It’s mid-2015 and I think we need to admit as that the identity industry now looks a lot like the networking industry did back then. The standards are mature enough. The support for them is broad enough. Moreover, not taking a standards-based approach is antithetical to the goals of the modern enterprise.

Simply put, identity is having its TCP/IP moment.

Going through our TCP/IP moment has three implications:

  1. Not being standards-based is officially on the wrong side of history
  2. The business model for identity will change
  3. We as a profession and as an industry are not under threat from our TCP/IP moment

I am going to explore the first two of these implications so that you can better understand the third – that although great change is ahead, we need not be afraid of that change.

Not being standards based is the wrong side of history

If you do not support federation standards, you are on the wrong side of history. If you do not support standards based user provisioning, you will soon be on the wrong side of history. You are the Banyan Vines of identity. You are the LU6.2 of identity. And if you are newer to technology and haven’t heard of either Banyan Vines or LU6.2, then I rest my case.

What I said last year continues to be true: our identity standards are more than capable for the vast majority of use cases. Standards for federated single sign-on and attribute distribution are especially strong. Historically user provisioning has not been great but it is about to get much better with SCIM 2.0. Authorization, in the form of XACML and its related profiles, is robust and capable and its adoption curve ought to be bending upwards. Things like UMA and Minimum Viable Consent Receipt provide coverage for underserved and emerging use cases.

And it isn’t just that there are standards to be used. We have seen good work in conformance testing of those standards. Conformance serves as a testing tool for technology providers and a mechanism to remove risk for a technology selection for enterprises. For those of you who missed it, the OpenID Foundation released an open-source conformance test for OpenID Connect. This is an important milestone along OpenID Connect’s path of maturation.

So not only do we have the standards but we also have conformance testing, in at least some places. And yet service providers and software vendors aren’t necessarily using those standards.

Case in point, there’s a popular instant message system used by development teams. It doesn’t support SAML. It doesn’t support OpenID connect. Its user forum has dozens of pages on this topic: please support SAML, please support OpenID connect. The comments almost consistently read “please please please… If you support SAML, my enterprise would adopt this tool right now. But we can’t if you won’t.”

My reaction to threads like this, to products like this, is “why do you hate your users?” Comments and feedback from customers are gifts. And yet many service providers do not acknowledge those gifts. When you have prospects telling you, “please add these standards that make me (and you) safer and more efficient,” I can see no reason not to add standards.

A pathetic counter-argument is “our service isn’t enterprise only and non-enterprise users need a way to create a username and password.” My retort is “why do you hate your customers?” Why do you make individual users create yet another username and password? At the very least, you ought to be supporting 3rd party credentials. It’s a step in the right direction; it is a step towards supporting identity standards. And the individual user wants this… so long as they get the appropriate privacy assurances and protections.

Another retort I have is “do you like being a toxic waste farmer?” Holding username and passwords, holding non-federated accounts makes you a toxic waste farmer. Most people don’t want to nor have the ability to safely be a toxic waste farmer. Does your line of business peer understand the risks? Does your Board understand the risks of being a toxic waste farmer? Do your investors?

For some of us, holding username and password data is a cost of doing business. Our businesses require significant investment to protect that information appropriately. We stake the trust of our brand on attempting to do as best as we can with that data. But, let me be very clear, we should be the exception and not the norm.

I have said it before and I will say it again – if your service provider does not support standards-based identity services, they are not acting in your best interest nor the best interest of your customer. There are one of two reasons why the service provider is not implementing standards-based identity. They might be simply unaware that there are standards to use and libraries available to do so. I have a hard time believing that service providers are ignorant to identity standards in this day and age, but I suppose it could be true. And if that is true, then that is on us as an identity industry to do a better job with making it easy to adopt standards.

The other reason why a service provider doesn’t support standards-based identity: they are sociopathic. Not supporting identity standards makes you a S-SaaS – sociopathic software as a service provider. And we want no part of you.

The business model for identity is going to change

The whole of the business model for identity is going to change after our TCP/IP moment. This change will affect every player in the identity market: enterprise customers, individual consumers, technology suppliers, service professionals, and industry analysts.

Enterprise customers will expect to have standards built in. No one expects to have to install a TCP/IP stack in their virtual machine and no one will expect to have to install SAML or OAuth in their identity services.

Enterprises expect products that reduce risk. Standards reduce deployment and operational risk. Ergo, enterprise will expect identity standards as a natural part of the services the deploy and consume.

Identity technology suppliers simply cannot and will not be able to charge for standards-based identity. That is essentially asking your customers to pay for risk to be removed. In fact, it sounds like extortion. “Nice IAM project you got here. It would be a shame if something bad were to happen to that SSO process.”

Where can identity technology suppliers charge is for the new and the novel? Have an amazing context-based authentication and recognition system? Great; charge for that. Deliver an amazing user experience and raise identity assurance? Awesome. Charge for that.

But what about technology suppliers other than identity technology? What about service providers for collaboration, content management, workforce automation? Their business model will have to change after our TCP/IP moment as well. Enterprises will expect identity standards-based endpoints. Our collective stomach for custom integrations will be gone. Support for SAML and its kin can no longer be a “for-fee” feature.

And individual consumers will demand more of technology suppliers. They may not know that they are asking for standards-based identity services, but they will be asking for the ability to use 3rd party credentials at each of their service providers. Do not make us create yet another username and password.

But technology suppliers can continue to make money on identity, just not in the way they expect. They can charge for extended support of bad practices. If the customer really really really wants to use username and passwords, a practice that increases risk for both customer and the supplier, then make the customer pay for it. Yes, that’s right; charge people to continue to use username and passwords. It is directly akin to charging for extended support on technology and products that have passed their prime. If you want to still use Microsoft XP, then pay for extended support. You want to use username and password (and no other factors), then you will have to pay for it.

Maybe the extended support analogy doesn’t work for you. Let’s try another – a sin tax. What if we treat username and password use like smoking? You want to light up another username and password? You are free to do so but you have to pay the service provider’s levied sin tax – the revenue goes to mitigating the risk for you and service provider. So enjoy that methylated username and password but be prepared to pay a premium.

What about service professionals? How will their business model change after our TCP/IP moment? The low value plumbing and connectivity parts of their business will be worth even less. Universal standards-based connectivity removes the heavy lift from integration and in doing so removes risk. Professional services companies know this and it isn’t a threat to their business. They want to be part of the higher value business process integration and best-practices advisory business. Our TCP/IP moment is further encouragement to do so.

But identity consumers and suppliers, along with their professional services peers, aren’t the only actors in our world. The way the identity market is studied and judged by industry analysts has to change too.

First, analysts will need new ways of measuring identity companies’ success other than strictly looking at revenue. As a peer said years ago, “If Sun can get bought and their identity products shut down, and if HP can exit the market, then it can happen to anyone.” Sun and HP are proof points that revenue and viability are not so closely correlated. Analysts must measure our markets based on the quality of a service and the reach of that service. Focusing on revenue and profitability are increasingly irrelevant, especially as platform providers offer identity services as part of their service dial-tone.

Second, analysts need to give room for innovation instead of expecting every identity vendor to fit in their preconceived notion of what an identity solution is supposed to look like, how it should be marketed, and how it should be measured. And they need to do so for their customers’ sake. An analyst who shall remain nameless, pointed out to me “any time a company tried to deliver identity services in a new way, with a new price model, associated with its larger business and services, they were punished by the market – especially analysts.”

Speaking as an ex-analyst, it is so much easier to deal with a new identity company by putting them in a box with similar companies. “Oh, I see, you are like Ping. You are like SailPoint.” But this approach isn’t fair to either the new company or the one I compared it too. Most importantly, it wasn’t entirely fair to my customers. It is high time the shape of our identity solutions change and the TCP/IP moment will cause this. Analysts must leave aside the notion of what identity solutions look like, especially as you consider those notions are a decade plus old.

There is no threat to our industry and our profession

Before the TCP/IP moment you were a Netware gal, an AppleTalk dude, a token ringer. And things changed. And you adapted. You find your skills applicable as an AD admin, an eDirectory guru, a firewall jockey, an application delivery specialist.

Identity is at its TCP/IP moment. And it is the best time ever to be in the industry ever.

What we must and will show the business is that after standards-based identity is in place then new opportunities appear and existing processes can be done more easily. Having the risk of the project mitigated through the use of standards, you are free to be creative. Take your knowledge and help the business see that every transaction is an identity transaction. Every business interaction is a relationship.

Identity is the key to growth in our organizations: further reach, higher value, better experience. But to be a part of this growth, we have to plug our ears to the siren song of audit-centric identity and thinking our identity processes are unique special snowflakes. Instead we just need to aid our peers as they serve our ultimate customer.

External identity. Customer identity. Consumer identity. It goes by many names. Eventually it will go by just one name: identity. Customer identity is our future. Being a crucial part of a customer identity project will require learning new languages, aiding new peers, and frankly being a little bit uncomfortable from time to time. We as an industry do not have a template, a road map, or a reference architecture for customer identity. We are still scouting the territory, finding our way.

But we, fellow identity professionals, are the best qualified to serve as guides for the business. We have learned how to use standards to make projects less risky and make business processes more efficient. We’ve learned a bit about user experience in our misadventures with passwords and have tested our conclusions with 2 factor and adaptive auth. We’ve become data custodians along the way; understanding the importance of the data we hold and respect the custodial nature of being an identity management professional.

We are keepers of identity. Employee. Partner. Customer. Citizen. And in that we represent the key to growth for our organizations.

My vision for a post-TCP/IP moment world

Let’s pretend for a moment that you’ve bought into this idea of identity’s TCP/IP moment. What then does our world look like the moment after we’ve had our TCP/IP moment?

First, basic standards-based identity services are freely available. For everyone. In every industry. On every tech stack. In every cloud. The ability to emit and consume standards-based identity is as natural and as easy as using TCP/IP. This removes unnecessary risk from our projects. It removes an unneeded distraction of establishing connectivity along which awesome will flow.

Second, service providers will provide standards-based end points. Then they will offer ability to use 3rd party credentials. Then they will allow username plus an unphishable token. In that order.

And then, and only then, will they offer username and password… for a fee.

You want the equivalent of LU6.2 support? Get out your wallet. If you want the equivalent of Banyan Vines, then you must pay for extended support.

Third, having been freed of most of our connectivity concerns, amazing things happen. Identity technology vendors can focus more efforts on novel context-based authentication and recognition systems. They can obsess over delivering amazing customer-facing user experiences. Meanwhile, identity consumers use identity services like IDEs of awesomeness. They will deliver valuable relationships via immersive user journeys.

Identity is having its TCP/IP moment. Soon thinking of paying for standards based identity connectivity and services will seem as quaint and as outdated as paying for an implementation of a TCP/IP stack. It is a natural and necessary change in our market.

This change may not be comfortable but it doesn’t pose a risk to us as identity professionals. We have never been needed as we are needed now. For we are the keys to growth for organizations, and for ourselves. We are the keepers of identity, and this, this is our moment.