[My address to the European Identity Conference 2016. Although this starts like my TCP/IP Moment talk it goes in a very different direction. In some regards, I think this might be the most important talk I have ever written and delivered.
Giving credit where credit is due – the ideas in this piece are the distillation of many many conversations over the years. I am deeply indebted to the following peers for their help, encouragement, ideas, and support: Allan Foster, Robin Wilton, Nat Sakimura, Josh Alexander, Chuck Mortimore, Joni Brennan, and Josh Nanberg.]
Remember when we used to pay for a TCP/IP stack? Remember when we paid for network stacks in general? Hell, we had to buy network cards that would work with the right stack.
But think about it… Paying for a network stack. Paying for TCP/IP. Paying for an implementation of a standard.
How quaint that sounds. How delightfully old school.
But that’s what we did!
And now? No one pays for a TCP/IP stack.
When network stacks became free, networking jobs didn’t go away. I would posit that we have more networking engineers now than we’ve ever had before. Their jobs morphed with the times and changes in tech.
It’s mid-2016 and I think we need to admit that the identity industry now looks a lot like the networking industry did at its TCP/IP moment. The standards are mature enough. The support for them is broad enough. And another thing, not taking a standards-based approach is antithetical to the goals of the modern enterprise.
Simply put, identity is having its TCP/IP moment. And this TCP/IP moment will spawn other moments in identity management.
I want to talk about three impactful moments ahead for our industry:
- Standards-based identity
- Outcomes-based identity
- Professionalized identity
I want to talk about these moments and changes associated with them, but keep in mind that although great change is ahead, we need not be afraid of that change.
The Movement of Standards-based Identity
If you do not support federation standards, you are on the wrong side of history. If you do not support standards-based user provisioning, you are on the wrong side of history. Furthermore, if you charge for standards-based connectivity, you are on the wrong side of history. You are the Banyan Vines of identity. You are the LU6.2 of identity. And if you are newer to technology and haven’t heard of either Banyan Vines or LU6.2, I rest my case.
Our identity standards are more than capable for the vast majority of use cases. Standards for federated single sign-on and attribute distribution are especially strong. Historically, user provisioning has not been great but it is getting much better with SCIM 2.0. Authorization, in the form of XACML and its related profiles, is robust and capable and its adoption curve ought to be bending upwards. Things like UMA and Minimum Viable Consent Receipt provide coverage for underserved and emerging use cases.
Not only do we have the standards but we also have conformance testing, in at least some places, such as OpenID Connect, and I expect more conformance tests in future moments.
More importantly, enterprise customers will expect to have standards built in. No one expects to have to install a TCP/IP stack in their virtual machine and no one will expect to have to install SAML or OAuth in their identity services.
Enterprises expect products that reduce risk. Standards reduce deployment and operational risk. Ergo, enterprises will expect identity standards to be built into the services they deploy and consume.
Furthermore, technology suppliers simply cannot and will not be able to charge for standards-based identity. That is essentially asking your customers to pay for risk to be removed. In fact, it sounds like extortion. “Nice IAM project you got here. It would be a shame if something bad were to happen to that SSO process.”
Even though the standards exist, conformance tests exist and customer demand exists, some providers still do not support identity standards. I have said it before and I will say it again – if your service provider does not support standards-based identity services, they are not acting in your best interest or the best interest of your customer.
There are two reasons why a service provider is not implementing standards-based identity. They might be simply unaware that there are standards to use and libraries available to do so. I have a hard time believing that service providers are ignorant to identity standards in this day and age, but I suppose it could be true. And if it is true, then it is on us as an identity industry to do a better job making it easy to adopt standards.
The other reason a service provider may not support standards-based identity: they are sociopaths and they hate you and the rest of their customers. Not supporting identity standards makes you a S-SaaS provider – sociopathic software as a service. And the industry wants no part of you.
Outcomes-based Identity
When identity professionals become acknowledged peers and valued members of the enterprise, we will have reached the moment of outcomes-based identity. When we are responsible for helping to mitigate risk and increase customer delight then we have reached the moment of outcomes-based identity. When we are held accountable for doing so, we have reached the moment of outcomes-based identity. And at this moment, we will have forged strong ties to the Chief Customer Officer in the digital enterprise as well as the Chief Privacy and Chief Information Security officers. At this moment, we will have a strong voice at the decision making table.
But this is not possible if we continue to take a project-centric view of identity and not a program-centric one. This is not possible if we do not shift to outcomes-based identity.
In the moments ahead for identity there are only two things that matter: mitigating risk and delighting customers. The outcomes of our identity programs will be measured by those two things. Either we will help mitigate risk to our enterprises or we will help delight our customers. Ideally our identity programs will do both but it is likely that our programs will be structured only to focus on one, so doing both will be aspirational. In the moments to come, this industry will move from point projects measured on dubious return on investment numbers to something meaningful: the outcomes of programs.
In an outcomes-based identity world, we will be judged on the successful achievement of our larger goals and the outcomes of our programs. We will not be graded on how well we do the basics. For example, having automated user provisioning is no longer praiseworthy just as having TCP/IP connectivity is no longer praiseworthy – it is expected.
Risk and delight: those are the two outcomes that matter. How well did we work with our security peers and how well did we work with our customer success peers?
Risk. Our ability to mitigate access-related risk has never been more needed than in today’s hyperconnected world. Who has access to what and when did they have access have never been more pertinent questions. Identity is a critical security control for every enterprise in every industry. But in order to be seen this way, we must do more than just report the results of access certification. We must do more than just guarantee high identity assurance. This means we must express the totality of our identity programs in terms of risks mitigated, be they operational, brand, or technical risks, and we will express this information to security and privacy peers as well as stakeholders and the C-suite.
Delight. Every interaction with a customer, regardless of industry and geography, is an identity-enabled interaction. Whether you are delivering social services to citizens, online learning to students, or luxury goods to consumers, every transaction is an identity transaction. In an outcomes-based identity world, it is insufficient to simply provide a login page and move on. That is expected. Identity is critical to every digitalization strategy for every enterprise in every industry. But in order to be seen that way, we must be able to express how our identity programs contributed to top-line revenue growth, decreased service delivery cost, and increased customer satisfaction and we must be able to present this information to lines-of-business and the C-suite.
But all of this is not possible if we do not professionalize identity management.
Professionalization of the identity industry
The relationship/dramatic tension/codependence of privacy and security gets a lot of rightly deserved attention. But neither privacy nor security professionals can fully meet their challenges because their default tools are the wrong ones for the job. The tools they are missing are identity tools. And in this way, Identity is the missing third leg of the stool.
Identity is not widely acknowledged as a key to improving service delivery, it is not widely seen as a key to increasing customer satisfaction, and it is not widely seen as a key to growing our businesses. Although we know the vital role we play, the larger world does not.
Identity’s voice is missing from the table and this is most unfortunate. I believe this is in part because, unlike privacy and security, identity has not professionalized.
Consider that privacy and security have professional organizations dedicated to the betterment of their industries. This includes professional development, shared practices, certifications, and forums for interaction.
Where can an identity management practitioner turn for advice? Vendors and implementation partners certainly can educate us about their products and approaches. Analyst firms can inform us about the market and in some cases, architectures. Local user groups can help as well. But this is a piecemeal approach.
Furthermore, consider that ISACA formed in 1976, the IAPP formed in 2000, and ISC2 formed in 1988; the CISSP certification arrived in 1994. But no identity professional organizations have appeared in all that time. You mean to tell me we weren’t doing identity management back then too? Of course we were. We were working on standards. We were learning as we went in enterprise. But we didn’t formalize our industry.
In the moments ahead, that changes. In the moments ahead we come together to formally professionalize identity management in order to enhance the services we deliver, increase awareness of the vital role identity plays, and to improve ourselves.
This requires an organization whose sole mission is to professionalize identity management. What does such an organization look like? It is an organization whose mission is to be the tide that lifts all boats. A place for professionals to learn how to make their programs and projects more successful. A place for professionals to learn how to grow their own careers. A place for professionals to learn how to work with their peers from security, privacy, and lines of business. An independent voice that extols the value of identity management as a partner and equal to both security and privacy as well as a crucial partner for customer delight with our lines-of-business.
A professionalized industry benefits every one of us. From technology suppliers, to implementation specialists, to analysts, to practitioners – improving the visibility and the quality of our market increases the chance of our success at a personal and organizational level. If we want to have a seat at the decision making table, if we want to be equal partners to our security and privacy peers, if we want to be involved with growth opportunities in our businesses, then we must strive for a professionalized industry.
The honest truth is I am interested in the professionalization of identity management for purely selfish reasons.
I know from whom I learned the identity arts. I know my mentors. I know the people who influenced me. I know the people who helped me form my ideas, my architectures, and my presentations. Some of them are in the room. I know them. I treasure them.
But I don’t think everyone has been as lucky as I have been and I want everyone to have the same opportunities.
I worry that not everyone in our industry has access to a mentor, to a coach, to an ally, to an advisor. I think this generation of identity professionals can do more to help the next. Professionalizing identity should be our mission so that the next wave can benefit, so that our organizations can benefit, and so that our customers can benefit.
And I am thrilled to announce tonight that Kantara has stepped forward to help this effort. They have created a microsite on their site where you can go and indicate that you support the idea of a professionalized identity management industry.
In moments ahead, we become full-fledged peers of security and privacy and strong allies to the business because we help grow revenue. In the moments ahead, the next generation of identity practitioners builds on our success delivering even greater benefits to our enterprises and to themselves. But this cannot happen without professionalizing our industry.
The Moments ahead for identity
Before the TCP/IP moment you were a Netware gal, an AppleTalk dude, a token ringer. And things changed. And you adapted. You found your skills applicable as an AD admin, an eDirectory guru, a firewall jockey, an application delivery specialist.
Identity is at its TCP/IP moment and we will adapt and grow too.
And it is the best time ever to be in the industry. Ever.
The TCP/IP moment brings great change and the moments ahead are not ephemeral. They are milestone events for our products, our programs, our industry, and ourselves.
Standards-based identity removes risk from our deployments, speeds integrations, and reduces implementation costs. Not supporting this is to stand on the wrong side of history. Including identity standards in your services will no longer be rewarded with kudos or revenue – the modern enterprise demands it.
Outcomes-based identity further changes the expectations of identity in the modern enterprise. No longer will we be rewarded for doing the basics; no longer will we be measured in simple ways. Outcomes-based identity sharpens the focus of identity programs on two things: risk mitigation and customer delight. This moment requires that we present the impact of our work to new peers and stakeholders. This moment requires that we be held accountable at higher levels of the organization. In short, the moment of outcomes-based identity moves our work to executive levels of our organizations.
If we are to be amongst executives, then we must professionalize. The moment of professionalizing identity enables identity to stand on equal footing with security and privacy. It promotes the identity industry as a crucial part of both risk management and business enablement. More importantly, it provides a means for us, each of us, to improve, to help others improve, and to grow and strengthen the identity management industry. And this moment is long overdue.
Identity’s TCP/IP moment will be the catalyst for great and wonderful change. The moments that it spawns represent growth opportunities for us as individuals and enterprises. These moments, these milestones will be upon us faster than you may realize – in part because we are at our TCP/IP moment and in part because next week I know you will continue the work you are doing to achieve these milestones.
When we achieve the moment of standards-based identity, we will be able to integrate faster, deploy with less risk, and stop having to worry about the identity-plumbing and focus on the outcomes of our programs.
With the moment of outcomes-based identity realized, we will be called upon to present the totality of our identity programs’ direct impact on risk mitigation and customer delight to the highest levels of the organization. We will be held accountable and we will have earned the right to be held accountable – for we will be truly identity professionals.
When we professionalize identity, all of us will have a place to grow and a place to share what we have learned over the years. We will have a vehicle to promote identity as a peer of privacy and security and as a vital contributor to our enterprises’ digitalization strategies.
Lastly, we have never been needed as we are needed now. For we are the keys to growth for organizations, and for ourselves. We are the keepers of identity: Employee. Partner. Customer. Citizen. We are the keepers of identity, and this, this is our moment.
Thanks for that very interesting talk, Ian. The comparison to the TCP/IP Moment – excellent – but with consequences! In my recent and current projects, I’m struggling with the fact that Identity is expected to be a commodity: free of charge and already in place like a TCP/IP-stack. In reality we still need very expensive projects to set up a secure identity management to allow customers to access their data.