IAM & Security in the Era of Cloud and Mobility

11/11/2014 | Posted by: Petteri Aatola | Subject: IAM, Information Security Image for IAM & Security in the Era of Cloud and Mobility

Last week I attended the NetIQ BrainShare conference in Salt Lake City. In this blog post I’ll reflect on the content and themes – as I experienced them myself.

There was a lot to choose from at BrainShare. I built my agenda mainly around IAM and security. Especially I wanted to learn about NetIQ’s vision for the future and what that could mean for future product releases. I was also keen to learn more about how to leverage the current product portfolio in new ways.

On Vision

NetIQ’s IAM vision focuses strongly on identity. The importance of identities is growing and will continue to do so. The answer to the question ”Who are you?” is and will be very important. Why? Because the answer to that question, the identity, will be the only common link in the security landscape. Only through that question and answer can we determine what should and should not be done in a given situation. For example, to allow or to deny access. In the era of cloud, mobility and Internet of Things ”Who are you?” becomes increasingly important as the surroundings get more complex. NetIQ sees identity as the nucleus of an atom. Around it you have electrons – applications, services, mobile devices and so on.

Another key vision for NetIQ was that the two core areas of IAM – Identity management (IdM) and Access Management (AM) – are not going to go away. On the contrary, they continue in an increasingly important role as organizations try to cope with the pressure coming from megatrends such as data, cloud and mobility. I agree. Managing identities and their access is something every organization needs to solve, one way or another. And I agree the importance is growing. Organizations that have well established IdM and AM in place will continue to leverage them and also to fine tune them to cope with megatrends. It is unlikely that we see any disruptive changes in the fundamentals of identity and access management. NetIQ shares this vision and it is reflected in their product strategy as well: they will continue evolutionary development of their current IDM and AM products.

So no revolution in sight for IAM in upcoming years. But what about those evolutionary changes, what might that include? Well, as mentioned earlier, those megatrends will set the need for changes in this area as well. One of the big ones is mobility. The mobile use of enterprise software and services is growing at an accelerating rate. Enabling secure mobile use is what IAM has to be able to provide in the future, just like it has done in the traditional IT infrastructure.

User is King

NetIQ also believes the user and user experience is a high priority. The user experience for business users has to be easy and familiar. Users are very used to using mobile apps. They are simple and easy: just buy from the store and you are good to go. NetIQ envisions that in the future this similar kind of usability should be available for IAM products as well. This could mean that it would be possible to ”buy” or to request access as you would do from mobile store and afterwards your entitlements/access accounts would be presented to users as apps are currently presented in mobile devices.

As regards to future visions on IAM products, NetIQ is looking to have all the products use a more combined approach. That would mean all the different products would have a sort of a common platform that they would all use. One idea was that there would be a common catalogue view that would show everything that is essential regarding all security products. Another thing would be reporting; in the future all the products would use common reporting platform as opposed to each of them having a separate reporting module.

One rising theme in BrainShare was Access Governance. Organizations that already have centralized and perhaps even very automated IDM should in addition have some kind of procedure to verify that the information in IDM is up to date. Or to verify that the target systems do not have a user that IDM does not know about. True Access Governance will gather and verify the information straight from the target systems and compares this information to what is found from the IDM. This is an area in which many organizations currently fall short and I see that this will be an important development area for many during the next few years.

Cloud and SaaS

Cloud. The megatrend above all others also frequented in the presentations of BrainShare 2014. From an IAM perspective the focus was on how to link new cloud services that the organizations are using to their current IAM solution. This is an area where NetIQ has invested heavily on, having developed CloudAccess as a product to bring a straightforward solution to this space. What I like in CloudAccess the most is that it offers simple and fast access management to cloud services and it is feasible for smaller organizations as well. CloudAccess is also a product where NetIQ has already exercised their vision on the improved user experience, which is clearly a major improvement. For example, the old User Application in Identity Manager or Access Console in Access Manager was something mostly for tech-savvy users. However, on CloudAccess I am happy to note that it is indeed friendly to average users as well. The user experience of Access Manager, and other products that will be developed into the same direction, is very good usability news.

Another theme related to the cloud, or more precisely to SaaS was NetIQ’s own SaaS offering to IAM. It takes the essential features of Identity and Access Manager products and packs them into an offering that can be bought as a monthly service priced per-user. The product is quite easy to understand. I would see that even though so far SaaS has not been a very common way to purchase IAM, it will be an increasingly interesting option for organizations going forward. Of course buying SaaS has its limitations. The offering has a couple of options and they include what they include and nothing else. Therefore it is not as customizable as traditional on-premise implementations. Of course that is exactly what SaaS is all about: something easy to buy, easy to sell, easy to deliver – and something that scales, so the cost is not as high as in the traditional approach.

There was a lot more at BrainShare 2014, but these were the most interesting themes in my opinion. As a conclusion, I would say NetIQ’s vision of the IAM future is well-founded and easy to agree with. Many of the things that will be available sound pretty cool – and useful. I look forward to seeing the vision in action!

Petteri Aatola
Director, Identity and Access Management