Why is the Identity leg of the stool missing?

[Many thanks to Gerry Gebel for giving me the nucleus for this post]

In the midst of the ongoing privacy and security conversation, I pointed out last week that identity is the missing leg of the security/privacy stool. Identity is both a means of expressing privacy requirements and a necessary set of security controls, as well as a key to delighting customers and driving business engagement. A colleague pointed out that while security and privacy might be different halves of the same coin, identity is the coin itself. I’m not sure I fully agree with that but it gets to sentiment I have.

The use and protection of identity data has strong footing in both the privacy and security worlds. And yet identity and identity management professionals are not a first class member of the conversation. Why is that? One reason, in my opinion, is because we didn’t expect the industry to stand alone for the duration.

The inevitable absorption into business process that never happened

Speaking as an identity professional, I don’t think we claimed our seat at the table because, in part, we didn’t expect to be around IT for so long. 10 to 15 years ago there was a thought that identity would be subsumed by larger, adjacent business process engines. Human resource management, for example, should have absorbed identity management, at least for employee identity. I still remember the Catalyst In San Francisco where the Burton Group identity team (I was just a newbie in the audience at the time) had Oracle and SAP talk about their plans (or lack there of) for synergy between HRMS and IAM. What was clear to Burton Group was that the systems that managed your job role and responsibilities ought to be managing that in both on- and offline worlds.

Employee identity really ought to be a function of HR and an extension of HRMS’s. In doing so, identity professionals would become the technical arm of HR. Some companies tried this. Some companies put their technical role management programs within HR. Although some companies tried this approach, for political/organizational/cultural reasons, those approaches did not last.

If HR was to be the home of employee identity, then what of customer identity? Looking to the business process engines that manage customer information, one could see CRM systems absorbing customer identity functions. In such a world, the teams overseeing sales, service, and marketing processes would be the voice of the customer and their business process engines would deliver the identity functionality the customer needed.

In both scenarios the job of “standalone” identity management technology and professionals would be greatly diminished. The path forward for professionals in such a world was to become technical HR, Sales, Service, Marketing, etc professionals, acting as business system analysts serving their constituency or delivering architectures and process integrations to allow identity information to flow and be useful. These worlds did not fully materialize.

The time systems management was going to rule the world but didn’t

If identity management wasn’t going to be sucked into HR or the like, it orbited dangerously close to systems management. In some regards, employee-centric identity was borne from systems management and that set the (wrong) tone for identity for two+ decades. Remember that BMC, CA, and IBM Tivoli were some of the largest user provisioning vendors in their day. They took a systems management approach in which they tried to manage everything about a system including its users. Users were a byproduct of the AIX box you were managing – talk about a user-centric anti-pattern.

In more modern times, ITIL/ITSM groups asserted that identity management is a part of their world. Building user accounts, after all, is an IT service. There’s something to that argument and although it can serve access request scenarios well it leaves out access cert, federation, and a whole slew of other identity functions. But still, systems management could have absorbed identity management.

And while we as a professions waited to see which business or IT process world we would align with, we missed the opportunity to grow our own voice, stake our own territory, and professionalize our industry.

Professionalizing Identity

The identity management industry never professionalized. Unlike security and privacy, who both have organizations to nurture their industries and professionals, identity management has no such thing. We turn to vendors, implementation partners, analysts, and peers in our region for advice for everything from architecture to tips and tricks to getting a project funded to building a career in identity management and everything in between. Certainly all of those can be good sources of information, but it is a piecemeal approach. We need a tide to lift all boats.

I’m still thinking through the notion of a what a professionalized identity management industry would look like, how it would work, and whether it is a good idea in the first place. Hopefully by the European Identity Conference this May, I’ll have worked some of this out, but until then this is what I can share: the identity management leg of the stool didn’t get sawed off by a corporate rival. It didn’t get installed because we lacked the confident voice to say, “Identity management is crucial to both business and security.”

I think it’s time we changed that.