The Future of Identity Management (2024-2029)
Initial Publication Date: 18 November 2023
Abstract
Identity and Access Management (IAM) is the most critical factor in determining the success or failure of your digital programs. IAM done right provides the foundation for securing, managing, innovating and building your digital enterprise. This report focuses on the development of a rolling five-year IAM technology/operational infrastructure plan that includes the establishment and maintenance of identities throughout their lifecycle, security of these critical assets, support for applications and consumption of identity services. This report puts “stakes in the ground” with specific projections as to where we believe IAM will and should be over the next five years and our recommendations towards how to best get there. We recommend our clients use this as a starting point as you build out your own IAM program, decide on investment priorities for 2024 and beyond and increase your institutional understanding of the role, risks, and interdependencies IAM plays in your future-state business.
This report includes our updated and prioritized TechVision Research “Top Twelve List” of the key areas to focus on as you develop your IAM strategies, architectures, and roadmaps. We’ll also give you our perspective on the maturity and progression of each key area. Areas that have changed since our earlier reports include the impact of AI and generative AI on Identity services (positive and negative), an increased focus on new password-less authentication models, the movement towards a comprehensive IAM/IGA platform and continued expansion of object types and use cases. As you plan your IAM budgets, architecture, and priorities for 2024, this report is a great starting point.
Authors:
Gary Rowe, CEO, Principal Consulting Analyst, [email protected]
Doug Simmons, Principal Consulting Analyst, [email protected]
Executive Summary & Key Advice
Identity and Access Management (IAM, or simply “Identity”) is the foundation that supports, secures, personalizes and provides governance for new and evolving Digital Enterprises. Identifying every “inherent risk” element within and outside of an organization is paramount to providing the right security controls and services at the right times to the right individuals, applications or services. As these risk elements expand to include IoT devices, processes, RPAs, new generative AI output and complex hybrid environments, the Identity foundation plays a critical role in mitigating risk and supporting old and new use cases.
This report focuses on supporting our clients in the development of a rolling five-year IAM technology/operational infrastructure plan that includes the establishment and maintenance of identities throughout their lifecycle, security of these critical assets and support for multiple applications and consumption of identity services. We then make specific projections as to where we believe Identity Management will and should be going over the next five years and describe how organizations can best leverage this new era. While we are addressing core features (such as scalability and performance) and specific categories (Customer IAM, Identity of Things), these topics are important considerations that enterprise security, IAM teams and line of business leaders should factor into the architecture supporting your next generation IAM service portfolio. Our prioritized “Top Dozen” list of categories follows, and each capability will be described in detail with specific recommendations throughout this report:
- Centralized Identity Governance
- Next Generation consolidated IAM/IGA/PAM Platforms
- AI to support IAM/IGA/PAM and protection from AI-based Attacks
- Explicit support for and Integration of Cloud and Hybrid Identity
- New Models for Phishing-Resistant and Streamlined Authentication
- Improved User Experience
- Zero Trust/Zero Friction Security
- Unprecedented IAM Scale, Speed and Diversity of Object Types
- Identity Services and Security Controls as Microservices
- Customer/Citizen IAM
- Privacy Protecting Identity and Security Services
- Decentralized Identity Systems/Self-Sovereign/Verifiable Credentials/Web3
This list represents the major themes that IAM/Security architects, strategists and leaders should factor into a five-year planning horizon, but it isn’t just technical. We also consider the business impact the various IAM capabilities have with Global 2000 organizations and large government clients in light of technology as well as business trends. Our prioritization is also influenced by the unprecedented advancement, hype and impact associated with generative AI, the proliferation of IoT devices, the on-going governance challenges as organizations increase their digital footprint, the industry movement to integrated IAM/IGA/PAM platforms, new security approaches, new development models, our direct experience with the value of getting governance right and a continued emphasis on user experience at every level.
We start our prioritized list with an overarching theme of mitigating risk and regaining control by building on strong IAM governance, recognizing the reality that most large organizations haven’t completed their cloud migration and need to prioritize the secure management and administration of their hybrid environments. Centralized governance was the number one priority in our previous Future of Identity Management report and remains our top priority. It is not enough to improve the core IAM capabilities via technology deployment; it is also critical that enterprises put the proper governance, processes and management in place to provide the necessary control, knowledge, categorization, discovery and auditability of the services supported by identity services.
Most large enterprises are looking to simplify, consolidate, integrate and better choreograph their identity systems and services. So the future of Identity is about both supporting future state business and technology needs as well as fixing some of the foundational elements of IAM that continue to plague enterprise identity and security leaders. TechVision recommends going through a capabilities-based reference architecture process and refreshing it every 18 months for your increasingly critical IAM foundation because digital programs will not succeed without a strong IAM foundation. This report is highly actionable with specific takeaways and next steps for organizations planning for their next generation of IAM services.
Introduction
Identity Management has always been a challenging area for organizations to get a handle on as it is very personal (one’s identity), but also foundational, as IAM has “hooks” into many of the applications, resources, security functions and services that support the modern digital enterprise. As identity moves to the forefront, the logical and physical silos separating customers, third parties, contractors, employees, “things” and processes will become less distinct, and the governance of these environments is critical to business success. This is leading major vendors including Microsoft, Okta, CyberArk, OpenText and the portfolio of Thoma Bravo companies (Ping, ForgeRock and SailPoint) to build (or acquire) more comprehensive integrated portfolios. There are also vendors such as Radiant Logic that are supporting IAM/IGA platforms by integrating and managing offerings from multiple vendors, creating a virtual platform.
Most current capabilities behind access control, authorization and provisioning concentrate on tight boundaries and context developed from the application outward. Few tools are designed for external management and interfaces; most are designed and implemented as a discrete unit. This competes with a regulatory or process driven desire to integrate with systems that need to penetrate application boundaries and interact with application functions. This is why integrating an access management or provisioning system with, say, an ERP system is so problematic, but this is just one example of the future state integration needed within IAM enclaves as well as with other key enterprise applications.
Traditional IAM discussions have mostly targeted human identity. There is a parallel and equally significant world within identity that focuses on machine/robotic/artificial identities that will need to be better integrated with more generalized IAM environments. The scope and magnitude of the latter is rapidly expanding and needs similar attention with respect to control, authority, capability, and regulation.
We predict that identity will become so commonplace and important that a chief identity officer will report to the CEO or the board in most organizations within the next three years. It gets back to a core premise we’ve espoused for years; “You can’t secure, support or govern what you can’t identify”. Governance over identity information, processes and data will be shared by identity programs that are composed of business leadership and executed by technology professionals. Leveraging identity in its various relationships to the organization will become a competitive advantage, by leveraging its employees, partners and suppliers, and customers. The idea of internal IGA and control over all of the legacy and current applications will be subsumed by the need to protect and leverage the tools and decisions associated with people and machines. IGA will become a feature of broader identity platforms. The rough patches represented by legacy tools will be smoothed over by solutions more consistent with current and future needs.
Identity is the foundation or the control plane for any successful transition to a Digital Enterprise. Identity and Access Management (IAM) remains the way we identify, authenticate, authorize and monitor all principals – whether people, applications or things – that interact with assets within the Digital Enterprise. While we’ve talked about “Identity being the new perimeter” for decades, this concept was shifted into high gear by the movement to the cloud, more digital service offerings, partner supply chains, a bring your own device (BYOD) culture, an increasingly remote workforce and the proliferation of IoT devices.
This report will first focus on the key issues and technology trends, then cover the top areas enterprises should pay attention to, in priority order, within an IAM foundation; we’ll then describe how to architect, prioritize and incorporate new capabilities into your Identity and Security programs.
To give the future of Identity Management the right context, we’ll start with some of the key trends that will drive Digital Business and Digital Engagement over the next five years. Most of these trends are not new; they represent existing trends we expect to continue to be relevant over the next several years. These trends will directly impact the next generation of IAM products and services. While some of these trends may seem obvious and the list is certainly not all-inclusive, we are highlighting specific trends that impact our IAM foundation. These trends include:
- Artificial Intelligence (AI), Machine Learning (ML) and Generative AI. While generative AI has been in the headlines for the past year it is based on a progression of advancements in AI and ML over the past several decades. AI is increasingly being adopted and improved to drive automation, gain security insights, enable “intelligent” processes and better leverage the massive amounts of available data and shared signals. AI is also a factor in IAM in that AI-generated attacks will target valuable identity data and must be factored into your identity programs.
- Increasing Automation. As digital has become more-and-more pervasive, these digital processes need to be more efficient and effective, and this is achieved via increased automation given the increasing complexity and costs associated with manual processes. This is driving the trend towards automating everything that can possibly be automated including “things”, processes, workflows, manufacturing, supply chains… Automation isn’t just digital: physical automation such as self-learning, reconfigurable robots, RPAs for software processes and the automation of IoT devices are all included in the next generation of process automation.
- Remote Work, Hybrid Work and Bring Your Own Device (BYOD). This trend leads to an increased use of virtualized services to securely support remote environments like they were local while not exposing private information. Hybrid environments will continue to be critical elements of most enterprise foundations.
- Security Investment, Visibility and Intelligence: Attacks continue to accelerate and they are becoming targeted at the most valuable assets including identity data. Generative AI is raising the stakes and the capabilities of attackers, but can also be used to prevent attacks. Anything related to security and mitigating risks in large organizations will continue to be a major factor in the Future of IAM.
- Web3 and Metaverse: Web3 is the next generation of the Web; a distributed, user-centric model. This next generation of decentralization will be led by efforts such as Decentralized Identity and Verifiable Credentials that TechVision has covered over the past 6 years. Metaverse uses new technology like digital reality and AI to create new ways of more immersive digital interaction. Web3 is using blockchain and tokenization and user-centric identity to build a peer-to-peer data layer within the Internet that allows for ownership of digital goods.
- DevOps and Microservices: The pervasive movement to DevOps and Microservices continues to accelerate as flexibility, reusability, service/support and speed drive this sea change from the older waterfall development models. This permeates into our IAM programs and architecture going forward.
- Internet of Things (IoT). The Internet is extending connectivity to physical “things” at a rapid pace. Almost everything in the physical world can be labeled (tagged), accessed, analyzed, connected to and, in theory, optimized. These devices can be connected to the Internet and to other individuals and organizations, but there are also complex relationships to manage, personal information to protect and a plethora of challenging security concerns. A key element of this trend will be the merging of “the logical with the physical” which is an overarching trend impacting so many aspects of the new digital enterprise and next generation digital business models.
- Big data and analytics. Big data is widespread and is fueling more sophisticated predictive (and prescriptive) analytic capabilities. Big data combined with Generative AI and ML provides a foundation to better analyze, corroborate, correlate and use this data, especially for runtime authorization decisions with minimal friction. Big data can also be used to help secure assets and detect anomalies – as well as to provide key insight to governance teams responsible for maintaining the efficacy of the IAM infrastructure. As more data is collected, it must be correlated in new ways to try to better understand trends in causation and intent.
- Privacy and regulatory controls. Legislative and regulatory controls such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and hundreds of regional, state and local regulations are requiring increased investment in better data privacy controls and adaptive data protection architectures.
- Movement to the Cloud. While Cloud computing continues to gain momentum and is becoming the primary means of delivering applications and services to the workforce and consumers, most large enterprises are still in this hybrid mode and will be for the next few years. Most large organizations are supporting multi-cloud strategies to mitigate the risk of vendor lock-in, but this, in turn, creates additional complexity. Securing the management and administration of more complex hybrid environments will continue to be important for the next several years.
- Wireless and Mobile. Mobile is pervasive in many parts of the world and this impacts so many aspects of business and personal life. Smart phones are getting more sophisticated and 5G is making access faster. The increasing reliance on smart phones has major ramifications for both identity management and security. These devices can be used to provide the geo-location services needed for runtime authorization contextual awareness, provide a second and third “factor” for authentication and can be used to securely store and share user-controlled attributes (e.g., digital wallets). These trends will accelerate over the next five years with smarter and more powerful mobile devices, a movement to better user experience (including “password-less” authentication using passkeys and other approaches) along with more reliance on wireless/mobile to participate in the digital world.
The trends described above are influencing today’s thinking on the future of identity management. There are increasingly more objects to identify, more data to classify, more connected devices, increasing privacy concerns/regulations and an accelerating blending of personal and employee devices and data that creates challenges/opportunities for the next generation of IAM.
The Future of Identity is more than responding to and leveraging these trends; it is about supporting the journey enterprises are engaged in as they become digital. Identity and Access Management done right provides the foundation to mitigate risk, provide stronger governance and to become a “Safe and Secure” Digital Enterprise. We’ll now examine our Top 12 prioritized list.
Future of IAM: The Top 12 List
While every organization should factor in its own considerations (your current technology landscape, major business and technology challenges/initiatives, your appetite for risk, budgets, Line-of-Business (LOB) initiatives, your assessment of key technology trends, security posture/risk profile, your response to the post-pandemic environment and overall business goals), this list and our recommendations in this report can be a starting point. The TechVision Top 12 list is our perspective on the key areas of focus enterprises may have in planning for their future-state IAM portfolio. We are also prioritizing our list based on our perspective on large enterprise priorities, but this is simply a starting point and will vary widely between industries, geographies and organizations.
We describe the future of IAM within the following dozen categories we’ll explain in detail:
- Centralized Identity Governance
- Next Generation consolidated IAM/IGA/PAM Platforms
- AI to support IAM/IGA/PAM and protection from AI-based Attacks
- Explicit support for and Integration of Cloud and Hybrid Identity
- New Models for Phishing-Resistant and Streamlined Authentication
- Improved User Experience
- Zero Trust/Zero Friction Security
- Unprecedented IAM Scale, Speed and Diversity of Object Types
- Identity Services and Security Controls as Microservices
- Customer/Citizen IAM
- Privacy Protecting Identity and Security Services
- Decentralized Identity Systems/Self-Sovereign/Verifiable Credentials/Web3
Each of these areas represents a significant part of what we believe will be the future of IAM. Let’s now look at the details of each of the areas that comprise our “Top 12 List” starting with Identity Governance, the ability to manage the diverse and volatile environments most large organizations currently maintain.
1) Centralized Identity Governance
Identity Governance should be a top priority for most large organizations as it includes the processes and technology to manage and secure an increasingly diverse set of resources at scale. Gaps in governance, such as delays in deprovisioning employees after they leave an organization, are major attack points. Delays in provisioning new employees can also have a major effect on productivity.
The major technology component of Identity Governance is Identity Governance and Administration (IGA), which combines the entitlement discovery, decision-making process, and access review and certification of access governance with the identity lifecycle and role management of user provisioning. What makes Identity Governance difficult is that it is heavily premised on people and process, not just technology. While computing is moving to the edge, governance needs logically centralized controls and visibility. Governance is tied into overall business goals, policies and security/risk metrics and is critical in managing all aspects of a digital enterprise.
This is number one on our list given the importance of Identity Governance, the security gaps that may result from lack of attention to this area and the value in connecting policies and business goals throughout a digital and physical organization at scale. This is really hard to get right and TechVision encourages you to thoroughly assess and improve where necessary your Identity Governance foundation.
IGA operates at the intersection of business process management and access automation allowing people and systems to communicate with each other, fulfilling day-to-day operational needs. This is an area where increasingly available data sets, AI/ML (including generative AI) and tools to further automate IGA will be critical going forward.
A comprehensive IGA program across diverse constituencies can help identify and manage these risks and address compliance requirements. Identity Governance is not an area to be short-changed or ignored, and doing so is especially risky and costly as enterprises become increasingly digital internally and externally. Throughout the digital age, the most difficult activity – and responsibility – has traditionally been the governance of users’ information entitlements and access rights and the instantiation of these rights consistent with policies across an enterprise. There are two categories of governance that are critical to the future of IAM, as follows:
- Governance of the IAM infrastructure
- Identity Governance and Administration (IGA)
Governance of the IAM infrastructure is crucial because this is where the business meets the people, processes and technologies that support it. Organizations often struggle with creating, sustaining, and completing IAM initiatives because these initiatives must address ongoing shifting sets of business priorities, information security threats, user expectations, and vendor capabilities. It is important that organizations don’t categorize IAM as a “project”, but instead view it as a “program”. In fact, IAM is an IT Program that is centered on a much longer time horizon because programs don’t typically “end”. Instead, programs become ongoing initiatives that maintain a consistent level of skilled staffing, run specific projects within the program and constantly keep abreast of the business priorities, security threats, user (and management) expectations, emerging technical approaches and standards, and vendor capabilities.
Most organizations should start with an IAM Governance team in place to properly address the subject of Identity Governance and Administration (IGA). Similar to IAM governance in general, IGA has not always been given adequate attention and funding within the context of enterprise identity programs. This needs to change as the effective management and governance of identity-centric access control services is a key to enterprise security and essential to the efficient operation of identity services.
To reiterate, enterprises need a consistent framework for operationally managing and governing their rapidly expanding digital ecosystem – and IGA is an important piece. At its core, the goal behind IGA is simple: Ensuring access to the right resources (such as data and compute resources and applications/services) by the right subjects (end users, applications and other non-human entities that consume those resources) using the proper assets (devices, infrastructure components, applications, virtual and cloud components). This means separation of duties, no accumulation of access privileges and accountability for the information access rights associated with every subject in the organization.
A key component of IGA is, ultimately, the automation of the identity lifecycle (often called Identity Lifecycle Management) through an identity provisioning infrastructure. This helps both fulfillment and the enforcement of access decisions. The automation and enforcement helps prevent deviation from these decisions and reduces the amount of effort required for the next round of annual or more periodic access reviews. It also ensures that access is removed when the subject’s affiliation with the organization changes. This tends to be one of the early means of improving an organization’s IGA in a visible way.
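To make the IGA goals above concrete (access removed when affiliation changes, separation of duties, no accumulation of privileges, accountability for every subject), here is an added illustration, not code from the report or from any vendor named in it: a reconciliation pass over a constructed HR feed and a constructed set of application accounts that flags leavers still enabled past a grace period, orphaned accounts with no HR owner, toxic entitlement combinations and rights beyond the department baseline, and emits the deprovisioning actions a lifecycle engine would fulfil. The SoD rules, role baselines and sample workers are assumptions chosen for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Worker:
    worker_id: str
    status: str                       # "active" or "terminated" (HR is the system of record)
    department: str
    termination_date: Optional[date] = None

@dataclass
class Account:
    account_id: str
    worker_id: Optional[str]          # unknown or missing id means no HR owner (orphan)
    entitlements: set
    enabled: bool = True

# Assumed separation-of-duties rules: a single subject must never hold both rights.
SOD_RULES = [
    ("ap:create_vendor", "ap:approve_payment"),
    ("gl:post_journal", "gl:approve_journal"),
]

# Assumed role baselines: what a worker in each department is expected to hold.
ROLE_BASELINE = {
    "finance": {"erp:login", "ap:create_vendor"},
    "engineering": {"erp:login", "git:push"},
}

@dataclass
class Findings:
    orphaned: list = field(default_factory=list)
    overdue_leavers: list = field(default_factory=list)
    sod_violations: list = field(default_factory=list)
    excess: dict = field(default_factory=dict)
    deprovision_actions: list = field(default_factory=list)

def reconcile(workers, accounts, today: date, grace_days: int = 1) -> Findings:
    """Compare application accounts against the HR feed and record what must change."""
    hr = {w.worker_id: w for w in workers}
    f = Findings()
    for acct in accounts:
        owner = hr.get(acct.worker_id)
        if owner is None:                                   # nobody is accountable for it
            f.orphaned.append(acct.account_id)
            f.deprovision_actions.append((acct.account_id, "disable: no HR owner"))
            continue
        if owner.status == "terminated":                    # affiliation has ended
            if acct.enabled:
                if owner.termination_date is None or \
                        today - owner.termination_date > timedelta(days=grace_days):
                    f.overdue_leavers.append(acct.account_id)
                f.deprovision_actions.append((acct.account_id, "disable: worker terminated"))
            continue
        for a, b in SOD_RULES:                              # toxic combinations
            if a in acct.entitlements and b in acct.entitlements:
                f.sod_violations.append((acct.account_id, a, b))
        extra = acct.entitlements - ROLE_BASELINE.get(owner.department, set())
        if extra:                                           # accumulated or out-of-role rights
            f.excess[acct.account_id] = extra
            for ent in sorted(extra):
                f.deprovision_actions.append((acct.account_id, f"revoke: {ent}"))
    return f

# Constructed sample data for the example.
TODAY = date(2024, 3, 10)
WORKERS = [
    Worker("W1", "active", "finance"),
    Worker("W2", "terminated", "finance", date(2024, 3, 1)),
    Worker("W3", "active", "engineering"),          # moved from finance last quarter
]
ACCOUNTS = [
    Account("acct-w1", "W1", {"erp:login", "ap:create_vendor", "ap:approve_payment"}),
    Account("acct-w2", "W2", {"erp:login"}),        # still enabled nine days after leaving
    Account("acct-w3", "W3", {"erp:login", "git:push", "ap:create_vendor"}),  # carried-over right
    Account("svc-batch", "W9", {"erp:login"}),      # no matching HR record
]

def run_example() -> Findings:
    return reconcile(WORKERS, ACCOUNTS, TODAY)

if __name__ == "__main__":
    result = run_example()
    for account_id, action in result.deprovision_actions:
        print(f"{account_id}: {action}")
```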
From a technology perspective, a governance perspective and a process perspective, governance, administration and lifecycle management need to be a significant area of investment for most enterprises over the next five years. Regulatory compliance, intellectual property preservation and often brand image depend on it.
Furthermore, IGA must navigate the on-premise, cloud and virtual environments that are increasingly prevalent. This complexity, together with the need for real-time access decisions, is driving new IGA investments by users and vendors.
Vendors such as SailPoint, Saviynt, ForgeRock, Microfocus, Clear Skye and Ping Identity are notable mainstream IGA players with Okta, Microsoft and others expanding their IGA capabilities as we’ll further describe in the following platform trend. Serious, continuous governance is key to an effective and extensible IAM program and also critical to properly managing enterprise risk.
2) Next Generation Consolidated IAM/IGA/PAM Platforms
One of the biggest challenges for large organizations is achieving consistency in the increasingly complicated digital and hybrid world we now live in. Basic identity services are complex to begin with, and if you add multiple identity silos, separate IGA/PAM services, application and device identities, it is easy to understand why consistency is challenging. This is especially true in large organizations. As an organization factors in the diverse requirements between managing employee identities and those of your customers/partners, even more silos are often created, increasing the complexity and management burden. This turns a seemingly simple process such as providing a consistent and updated contact directory into something really hard or impossible to achieve. These inconsistencies are really problematic as IAM is often the basis for key digital services, access decisions, audits, applications, provisioning, risk management and so much more. IAM today is often like building a house on a crumbling foundation, and the industry and those paying for IAM services must change this. A consolidated platform “promises” to help in this journey.
The importance of Identity and Access Management coupled with the challenges in managing multiple identity repositories and services has resulted in most major IAM providers expanding their offerings to move towards a more comprehensive and integrated IAM/IGA/PAM platform. TechVision has developed separate reports on the more significant integrated IAM platform plays including Microsoft’s Entra offering and strategy, CyberArk’s expanding portfolio of IAM/PAM capabilities (acquired Idaptive several years ago), Okta’s expanded IAM platform to include IGA/PAM capabilities and Thoma Bravo’s suite of companies (the private equity firm that has acquired several IAM/IGA and Security vendors) that includes Ping, ForgeRock and SailPoint. Other vendors such as OpenText, SAP, Radiant Logic and One Identity are also expanding their portfolios and offering additional pieces to support a next generation integrated platform.
Whether or not your organization is positioned to select a primary integrated IAM/IGA/PAM platform in the foreseeable future, it is important to recognize that most major suppliers are committed to a next generation IAM/IGA/PAM platform. There are also vendors such as Radiant Logic that are working to build a virtual platform supporting what they call an “identity fabric”, collecting attributes across multiple repositories and using this data to make better real time decisions.
This topic is important and TechVision has worked (on the consulting side) with several organizations that are at decision points in terms of moving to one of these consolidated platforms or continuing to use a mix of best of breed offerings. No matter what approach your organization decides on, it is important to make a well thought out decision leveraging an objective process (such as the development of a future state reference architecture we’ll describe later) in assessing the pros/cons of these divergent paths.
3) AI to support IAM/IGA/PAM and protection from AI-based Attacks
AI, ML and now Generative AI are finding their way into almost every area of technology/business and Identity Management is no exception. Virtually every security and identity vendor has some level of AI/ML program on their roadmap if not currently available. Even those without “legit” AI capabilities are often claiming to be AI-enabled or some such phrase. As TechVision reported in our Three Waves of AI report several years ago, there are many levels and capabilities within the AI spectrum with Generative AI getting much of the attention and investment today. TechVision published an early Executive Level Set on Generative AI by Gary Zimmerman in early 2023 and that is a good starting point for those wanting to get a broad overview on the topic as you figure out how to govern and move forward in your own generative AI program.
So, with most vendors claiming to support AI, what are some of the specific factors that make it so important as we plan for the next generation of IAM? Some of the key elements include:
- The massive amount of available data
- New digital use cases
- Increasing need for location and contextual data with work at home, shop at home and now the return to the “next normal”
- The need for “frictionless” security that can be supported by better understanding (via contextual data/AI) normal and abnormal activity
- Strides in AI/ML/RPA/Generative AI
- State sponsored attacks requiring stronger, proactive security measures
Identity and security will increasingly leverage contextual information, machine learning and AI to be more proactive in addressing security threats. Generative AI provides the ability to further automate and make better decisions without human intervention. This future of security will have to be much more proactive as attacker sophistication grows exponentially while largely remaining invisible to “legitimate” users. Given the evaporating traditional network security perimeter, it will be necessary to fully understand the identities being managed, the context of those identities relative to what they are trying to do and the risk-managed resources the enterprise wants to protect. As traditional firewalls begin to fade, there needs to be a means of ensuring the accuracy of identities initiated within and outside of the organization resulting in the full integration of IAM into enterprise security and risk programs. This goes back to the need for a solid IGA/Governance foundation, as identity is the best and sometimes only perimeter and in many cases, the only way to protect ever more distributed IT information resources.
Relationship and contextual data is critical for any Digital Enterprise program as we’ve described in several of the future state areas of focus. Relationship or context-based identity correlates relevant data with the identity information being stored in the IAM system. Relevant data can include behavior data, location data, usage patterns, preference data, personal data, systems information, group memberships and many other types of data that can be correlated with identity information.
Current use of AI is largely limited to rules-based post-event examination of logs or anomalous behavior detection, looking to uncover recent or in-progress inappropriate activity. There are also applications that will provide risk scoring, based on known events, for specific devices or accounts. But by adding machine learning, statistical modeling and predictive analytics to the IAM toolkit, the focus can change from detecting a recent bad event to anticipating or predicting, and preventing, an upcoming attack.
This will allow Identity Management to shift back into preventative mode without the friction that arises from requiring pre-provisioned accounts for every target asset. This has significant implications for securing assets and protecting privacy.
Context-based IAM coupled with machine learning based on big data and shared signals can be a critical part of the next generation of security and threat detection. The business benefits of protecting confidential client data and IP will be major areas of competitive advantage (or at least avoiding a serious competitive disadvantage) in the future.
IAM can provide greater focus, greater assurance of a participant’s identity and provide a platform for intelligent decision-making without crossing privacy and legal lines. Generative AI can also be used to create very powerful next generation phishing attacks, the propagation of credible fake news/data and other bad outcomes that need to be mitigated in the next generation IAM/Security offerings and perhaps through regulatory controls. For example, the rise in the quantity and quality of phishing attacks has led to the rapid ascension of Passkeys and other forms of phishing-resistant authentication.
4) Explicit Support for and Integration of Cloud and Hybrid Identity
Integration of identity silos across cloud, on-premise and hybrid environments remains one of the biggest challenges large organizations face. The overall inability to properly integrate and normalize identity data across the various IAM silos has led to the movement to create these vendor-centric IAM platforms discussed earlier.
Identity ultimately needs to be a utility and, as such, we’ll need standards, support for cloud and hybrid environments – including better cloud automation and capabilities such as virtual directories, privileged access management and federation to bridge the gaps between on-premise and multi-cloud environments.
Identity Data Integration, also known as an Identity Data Fabric, is an important IAM capability in support of the hybrid environments that still exist in most large enterprises. Most IAM systems authenticate resources based on their identity in a directory infrastructure such as Active Directory/Azure AD, as well as authorize access to systems based on the resources’ identity attributes such as roles or group membership (e.g., AD/Azure AD). Microsoft is currently addressing this with its Entra IAM strategy that we describe in detail in our report published in late 2022. Given that identity data is generally spread across multiple on-prem and in-cloud repositories, a robust approach to relying on and using this information during run-time is exceedingly important today. A vendor that helps enterprises find a common ground for normalizing and orchestrating disparate IAM data from multiple sources and silos is Radiant Logic, as they have been focused on solving these challenges for the past 25 years. Ping Identity also has an offering called PingOne DaVinci, an orchestration platform and connectors designed to support this challenge. Another vendor supporting the area of policy orchestration worth investigating is Strata.io.
An important objective for most enterprise IAM environments is to better standardize how coarse- and fine-grained authorization is performed by funneling all IAM data access through what TechVision Research refers to as an Identity Data Service. Identity data services provide applications secure access to identity data to meet operational needs such as authentication and authorization while protecting sensitive identity information.
The necessary components and features in an identity data services deployment include an identity data services interface, a directory management and audit interface, directory access protocols such as REST endpoints (APIs), Lightweight Directory Access Protocol (LDAP), Web Services (WS), Java Database Connectivity (JDBC), and Structured Query Language (SQL), virtualization services (such as virtual directories), synchronization services (such as meta-directories), and directory services. Standards, integration tools and better centralized controls will help provide consistency in your future state IAM environments as you gradually retire systems and consolidate.
5) New Models for Phishing-Resistant and Streamlined Authentication
The industry has been claiming for a decade or so that “passwords are dead”, but the rumors of their death have been greatly exaggerated. Providing streamlined authentication and moving from passwords needs to be an area of emphasis by vendors, standards bodies and enterprises as we move forward. The good news is that there is light at the end of the password-less tunnel; it is called Passkeys.
The password problem is getting worse and is a major area of focus for technology industry vendors, large enterprises and individuals. We simply don’t have the capacity to remember the large and growing number of user IDs and passwords as digital engagement accelerates, and passwords are subject to phishing attacks. Furthermore, phishing attacks supported by generative AI and associated technologies are very, very powerful and can largely be thwarted by password-less models.
Since TechVision’s last Future of Identity report published in the middle of 2022, perhaps the biggest development is major vendor support and increasing momentum behind Passkeys. Apple, Google and Microsoft committed in May 2022 to expand their support for a common password-less sign-in standard, created by the FIDO Alliance and the World Wide Web Consortium (W3C), called Passkeys, and the early results have been promising. The vendors and the FIDO Alliance have been educating, promoting and deploying Passkeys with unusual velocity over the past 18 months. TechVision recently interviewed Andrew Shikiar, the Executive Director of the FIDO Alliance, and he described their mission as to “help reduce the world’s over-reliance on passwords; and Passkeys are a key element of this mission”. They are working with the W3C working group and the key mobile device vendors. TechVision believes that this is one of the most important efforts to follow, and our clients should at least be evaluating the role Passkeys can play in modernizing, simplifying and better securing the authentication foundation without relying on passwords. The expanded support for password-less also includes using an individual’s phone as a roaming authenticator and providing multi-device FIDO credentials to ease the transition when replacing or upgrading a mobile device while maintaining security.
“Password-less” authentication was originally defined in IEEE P1363.2 two decades ago, describing the use of a password-authenticated key exchange (PAKE) protocol that is secure against off-line dictionary attacks. This specification defines a zero-knowledge password proof (ZKPP), which is an interactive method for one party (the person or thing to be authenticated) to prove to another party (the service requiring authentication) that it knows the value of a password without revealing the password itself to the service requiring authentication. In this manner, ZKPP prevents any party from attempting to guess the password without interacting with the person or thing that actually knows the password. ZKPP can also enforce exactly one password attempt (i.e., “guess”) per authentication process.
New password-less models also focus on leveraging vast amounts of “known” data coupled with AI/ML and various factors associated with MFA, as well as using Blockchain to help eliminate the need for passwords. This is also a key area of focus for the Decentralized Identity vendors.
6) Improved User Experience
As enterprises progress toward their overall digital program goals, one of the biggest hurdles is in achieving an optimal user experience. No matter what security controls and technology infrastructure organizations put in place, if it is hard to use, business goals may not be met. How many times do prospective customers leave a web site when it becomes hard to navigate or the user believes that there is too much personal information being requested/demanded? There are so many elements to a great user experience including response time, how information is presented, how authentication is handled, how authorization is handled, personalization/customization and many other hard and soft capabilities. While user experience applies to every aspect of next generation digital programs, oftentimes the biggest impediment to a great user experience falls in the area of Identity and Access Management. Simply authenticating can be a challenge and being forced to re-authenticate (sometimes multiple times) is even more problematic. Authorization to the right resources at the right time can be a challenge, as can leveraging IAM attributes and other contextual data to provide an optimized experience.
The future of IAM increasingly is about engaging users of every category in a way that is most appropriate for their specific use case. This includes customers, prospects, employees, contractors, partners, administrators and developers, and it is important that user experience is a focus for each category. Response time, automation, personalization, flexibility and reducing friction are all part of this category. User engagement has a brighter light shining on it today given the broad success of digital programs and the role that IAM plays in digital. While there are many benefits to improving user experience, at a minimum we need to avoid driving customers and prospects away by making registration and authentication cumbersome.
7) Zero Trust/Zero Friction Security
Zero Trust is a philosophy, an architecture and an overall approach to upgrade an organization’s security posture. TechVision has added the Zero Friction part to keep visible the need to make security controls as “frictionless” as possible for all stakeholders. Zero Trust/Zero Friction is about achieving the right balance between strong security and optimizing your user experience, consistent with your organization’s goals.
The ultimate goal is to achieve both ease of use and appropriately strong security and we believe that the right IAM foundation is the primary mechanism for locking down the IT infrastructure, protecting enterprises and supporting a Zero Trust approach while enabling better user experience and personalization. It starts with a robust and inclusive IAM foundation. This balance between Zero Trust and Zero Friction is, of course, contextual and the right IAM foundation can help modulate the security controls needed (and associated “friction”) based on a variety of data points. For example, a prospective customer (or in the case of a government agency, a citizen) simply seeking information should have minimal (or even no) authentication friction, while a customer conducting a financial transaction requires stronger authentication while keeping the friction as low as possible. A robust IAM foundation is critical in achieving this balance. At the TechVision Chrysalis conference in November of 2022 both General Motors and Honda discussed how their Zero Trust programs were tightly integrated with and dependent on their IAM programs.
So what is this connection between Identity and Security in supporting a strong Zero Trust/Zero Friction program? The reasons are pretty simple (at a high level): security is required to ensure that the identity system is not compromised, and IAM is the foundation for describing the resources to be secured. Furthermore, there is an expanding portfolio of objects to be identified and contextual information that may be of considerable value. You can’t have effective security without a strong identity management service portfolio, because its absence limits visibility as to who is entering the network and the resident applications, and prevents matching the appropriate entitlements.
Zero Trust/Zero Friction Security should include IAM as the primary conduit for locking down the network and applications. The emerging IAM reference architecture, comprised of additional elements such as verifiable claims, Multi-Factor Authentication (MFA), Passkeys, modernized governance, and strong contextual data coupled with AI and ML services, can provide support for the “Zero Trust” Security approach that we believe enterprises should be moving towards.
Password-less authentication and other mechanisms that improve the user experience while maintaining strong security include leveraging greater insights as to what is “normal” and what is “anomalous” activity by using tools to collect and interpret contextual information, analysis and remediation, and further enhanced by AI/ML and adaptive access controls that incorporate contextual awareness to make better runtime decisions. The more you know about a requestor of entitlements, the less you need to acquire and the more frictionless the experience can be for the user.
Enterprise IAM systems are the cornerstone for authentication and authorization. They hold credentials in the form of certificates or passwords as well as authorization privileges associated with static security group memberships – or dynamically through a rich set of user/device/thing attributes that can greatly enhance contextual awareness to facilitate finer-grained runtime authorization decisions and support a “least privileged” model.
The combination of strong IAM systems, cloud-scale, reliable data, contextual awareness, analytics and machine learning provides dramatically increased visibility to help discern anomalous behavior. Established patterns across multiple companies (enhanced with large data sets and AI/ML), geographies and user profiles help to establish this baseline. Further analytics include authentication events, application usage and privileged activity monitoring, which help to feed the security systems and will be inextricably tied to the IAM systems. It is all about leveraging the right IAM capabilities to support the balance between ease of use and strong security.
8) Unprecedented IAM Scale, Speed and Support for Diverse Object Types
Future State IAM will need to include virtually any type of object or representation of an object that needs to be accessed, managed, or supported in some way. Objects associated with Internet of Things (IoT) devices, complex relationship information, security tokens, customer data, geographical data, process data, organizational information, ownership data, entitlements, groups, consent proof, physical tokens or devices, roles, group membership, DIDs, RPA data, Verifiable Credentials and many other elements will be part of next generation IAM. In effect, we are only scratching the surface when it comes to object types (also referred to as principals) and their associated data. Decades of IAM development on top of Lightweight Directory Access Protocol (LDAP) directories as well as Microsoft Active Directory have led us to the current adoption of a more or less standard schema (e.g., inetOrgPerson) that has served IAM fairly well up to this point…but this needs to continue to expand and scale.
Identity management systems must adapt over the next five years to better support the multiple layers of emerging requirements the Digital Enterprise will demand from the IAM foundation. This involves three primary elements: 1) increasing the number of digital identities organizations are connecting with, 2) support for new object types to be managed and 3) customer performance expectations in terms of response time and contextual awareness supporting personalization.
As enterprises increase their digital reach, new requirements may include remotely managing IoT devices/services, handling new identity-aware applications, managing big data repositories, context-based identity management systems, consumer data protection and integration, and an increasingly sophisticated threat landscape. Cloud-based identity and graph databases will help to support the scale and flexibility needed to enable future identity management systems. The movement from on-premise Identity Management to cloud-based and hybrid IAM is also a key consideration in supporting the scalability, performance and governance requirements next generation Identity Management systems will require.
So as we plan our IAM future state strategies and architectures we need to be prepared to handle the expected scale and inclusiveness IAM services will be managing. Specific areas to focus on to meet the massive scale and diversity required over the next five years include:
- Standardizing on an Identity Data Service—a robust, pervasive “utility”
- Identity consolidation: eliminating redundant directories and data stores will improve performance
- Integrated IAM/IGA/PAM platform selection vs. best of breed determination
- Protocol standardization: OAuth, SAML, Passkey, OpenID Connect, User Managed Access (UMA), W3C DID, W3C Verifiable Credentials, FIDO standards
- IoT Identities on the chip: Recognition of and integration with IoT and hardware
- Graph databases and Graph APIs to facilitate rapid access to attributes associated with principals during runtime authentication and authorization events
- Cloud-based Identity support
- Hybrid Identity support
- Virtual directory support
- Decentralized Identity Services and Verifiable Credentials
- Packaged pre-defined business processes
- Leverage specialized consumer facing identity solutions or platforms with consumer/citizen lens
As we look to the future, Identity Management systems will scale by minimizing redundancies and heavily leveraging cloud-based services. Consumer identities will largely be managed by services that specifically focus on cloud-scale. Enterprises will increasingly depend on cloud-based identity vendors such as Microsoft, Okta, ForgeRock, IBM, SAP, Akamai, OpenText and Ping Identity to support the increased scale required by enterprise IAM solutions. Microservice-based Identity Management providers such as Cloudentity and Strata.io will enable organizations to achieve scalability of providing services when needed.
We will also see the underlying database technology largely move to graph databases and graph APIs to handle the increasingly complex relationships and the dramatic increase in scale required by next generation Identity Management systems. Graph databases hold the relationships between data as a priority and have performance advantages. Querying relationships within a graph database is fast because the data relationships themselves are perpetually stored within the database. Furthermore, data relationships can be intuitively visualized using graph databases, making them useful for heavily inter-connected data. As we expand Digital Business capabilities, the context and relationships become increasingly important – and these must be determined at near real-time levels during runtime.
Cloud-based IAM systems will offer a means to supplement or replace long established legacy LDAP/AD topologies and technologies with supposedly ‘better-faster-cheaper’ ways to manage this information securely. Replacement of hierarchical LDAP or relational databases with higher performance graph databases will become more common. Integration of multiple sources of authoritative source identity information stored on myriad databases, with virtual directories acting as an abstraction layer, will become more commonplace. The ability for application developers working in a modernized DevSecOps software supply chain environment utilizing microservices to create object types and attributes – and allow them to be leveraged across the enterprise where applicable – will further strain the existing LDAP model. For these reasons and many others, we expect to see a slow-but-sure migration from traditional LDAP or relational data models to high performance and flexible models.
We also see the merging of physical and logical services, and the Identity foundation must accommodate both. For example, TechVision published a report a few years ago on how logical access control and physical access control systems (like badge readers) should merge and/or integrate with one another. Enterprises should also strive to achieve the holistic governance and management of logical and physical objects, and this can be facilitated by an inclusive IAM foundation.
9) Identity Services and Security Controls as Microservices
There is continued movement to DevOps and Microservices as organizations move from a centralized, monolithic development environment to more of a “software supply chain” that is much more dynamic, open and adaptive. TechVision wrote about this inflection point several years ago in our report “The End of EA and IT as We Know It” that looked at the cloudification of IT and developers becoming “product managers” assembling components and building services that leverage open APIs.
Microservices start with a focus on business capabilities, not technology. It is an architecture style of developing a single application based on a small, self-contained set of services running in their own processes and communicating via a lightweight mechanism. There is limited centralized management or governance of these services, and they can be written in different languages and use different storage approaches. Future state IAM services need to both support these development models (Identity controls as microservices) and to use these concepts in the development of agile IAM services.
Microservices enable an ‘abstraction layer’ that can dramatically simplify application development, integration and operational support. This is similar to the IAM abstraction layer we were describing earlier, which may provide a sense for the synergy as identity services are presented via a microservices approach. In this model, IAM services and functions are enabled in a secure, easy-to-consume manner. As new protocols, techniques and infrastructure approaches emerge (e.g., blockchain, distributed ledgers, Web 3, verifiable credentials, password-less authentication), and old techniques fade away, the impact on and disruption of the IAM infrastructure can be minimized by following the core principles we describe in this report.
Identity and access management typically involves a number of functions regarding the establishment, management and use of identities built into a monolithic application to provide access to information as supported by policies. The enterprise goal is to provide subjects (end users, applications, and other non-human actors) with appropriate access to resources (data, services, applications, and devices).
There is also the need to secure access to the microservices themselves with what is now referred to as software supply chain security. An API Gateway is often employed to help manage and organize access to each of these microservices interfaces. The API Gateway is a server that acts as a proxy to provide a single entry point into the system. The API Gateway encapsulates the internal system architecture and provides an API that is tailored to each client and is responsible for request routing, composition, and protocol translation. All requests from clients first go through the API Gateway. It then orchestrates and routes requests to the appropriate microservice(s). The API Gateway will often handle a request by invoking multiple microservices and aggregating the results and helping to manage the process.
While a gateway hides the specific details of the microservice interfaces, it does not necessarily protect them from bad actors. To fully protect the resources managed by a microservice, many microservice containers are beginning to be deployed with IAM “sidecars” that locate access decision enforcement closer to the resources themselves. Over time, we expect these sidecar services to be refactored into a service mesh of IAM capabilities to ease deployment complexity.
10) Customer/Citizen Identity and Access Management (CIAM)
Starting roughly 20 years ago the Identity subcategory CIAM gained traction, given that the scale, security requirements, marketing integration and user experience expectations were very different from typical enterprise IAM requirements. While CIAM is still a category, there have been many changes over the past few years, including many major IAM vendors offering more comprehensive general purpose IAM offerings that can be used for most IAM services including CIAM, Enterprise IAM, Partner IAM and many other use cases. Specific vendors such as Ping Identity, ForgeRock, Microsoft, OpenText, Okta and others are moving to a core IAM platform capability that can have lenses or instances that can be applied to support the Customer IAM category.
Rounding out the vendor landscape categories we see vendors such as Cloudentity offering microservices for the developers and firms such as Radiant Logic providing a means of bringing multiple data sources into a common context.
This space will rapidly expand with significant investment over the next five years and this will continue to be a major coverage area for TechVision even as some vendors consolidate IAM into a single platform. TechVision will have a dedicated report on the changing CIAM landscape in early 2024.
The basics for the growth and future of this space are easy to see; the connection with customers is a core part of any broader Digital Enterprise program and is a business necessity. The immediate benefits to the customer are to reduce friction through multiple login options and increase and improve engagement through self-service and progressive profiling. This leads to greater transaction satisfaction and the likelihood of brand loyalty along with the development of an on-going and rich customer relationship.
From the organization’s perspective, the upfront investment in CIAM offers faster time to market, a reduction in administrative overhead and ultimately an ongoing increase in revenue. The opportunities to get to know customers better are provided by cataloging preferences from their engagement history and self-provisioning. Furthermore, many existing CIAM environments will continue to evolve toward a BYOI-centric model, where customers can avoid creating individual accounts, personas and financial details on each commerce or other website they interact with regularly by supplying verifiable credentials from a decentralized identity platform.
IoT is also an increasingly important element of most CIAM programs, but also a category unto itself that will increasingly need to be incorporated into IAM services. Customer-centric IoT can include devices such as utility smart meters, intelligent home devices, patient health care devices and much more. The infrastructure to support IoT scale will include a new or modified registration system for various IoT devices/gateways, new security policies, new privacy policies, revised regulations, new governance models, schema modifications and updated discovery mechanisms at a minimum.
Future state Identity Management systems must also be able to handle the sheer volume of connected devices, the complex relationships and the security ramifications. In addition to identifying and managing the connected device, IAM needs to understand the customer connected to the device. Expect IAM for IoT to leverage context data, advanced filtering, relationship graphs (graph databases), artificial intelligence and behavioral analytics. Securing IoT devices that may have little intelligence or security factored in will ultimately need to have identities and perhaps cryptography baked into the chip.
The ultimate business goal for networked IoT devices is to increase customer/organizational value by leveraging device connections and data within business systems to deepen service offerings and experiences. For example, IoT data with context will feed service management systems, CRM systems and affect marketing systems, sales forecasting systems, production systems and telehealth systems. The customer insights and business data intelligence will drive differentiation, employee productivity and retention. While all of these advancements in IoT integration are impressive and realistic, they will place a tremendous load on Identity Management systems. As a result, future identity systems will need better compartmentalization to keep user and thing data and integration logically separate in order to manage service levels and risk appropriately. Future state CIAM solutions must be able to handle this.
As many of these capabilities are moving to the cloud, our next needed capability is support/integration of cloud services to create a seamless “Identity Fabric”. We will also see Customer IAM leverage or integrate with the Decentralized Identity and Verifiable Credentials that we’ll cover later in this report.
11) Privacy Protecting Identity and Security Services
As Identity Management is extended leveraging AI, big data, analytics, biometrics, geo-location data and more, the data aggregated/analyzed about individuals, if not properly treated, may be in violation of various privacy laws and ethics. When developing Identity and Security programs make sure you are considering the impact on individual privacy. Furthermore, you may want to consider privacy in the design of your IAM programs, security programs and governance and, in particular, details about what data is being collected/retained, how the data is being used, and analytics that provide specific data about an individual…as these are areas that must be considered.
Areas to consider addressing from a privacy perspective include:
- Changing how and where organizations evaluate, store, and use personally identifiable information (PII) especially in the EU. There will be more centralization of core sensitive information into closely guarded data “vaults” and greater control as to how and when this data is accessed.
- Each citizen, employee, customer (i.e., “user”) will ultimately maintain personally identifiable information in a similarly protected data vault, and share that information for their benefit.
- Abstraction of existing sensitive data to protect privacy, including user identity information, sensitive personal information and sensitive corporate information (e.g. intellectual property), will become the norm, reducing the proliferation of the actual sensitive data.
- The use of decentralized identity and verifiable credentials with zero knowledge proofing to limit the unnecessary storage and propagation of PII.
- Building flexibility into the governance policies and data storage platforms to adapt to the evolving privacy regulations issued in various jurisdictions (GDPR, CCPA, etc.).
It isn’t all about regulatory compliance and fines; organizations are being increasingly aggressive in collecting, correlating and acting on PII, which is increasingly alienating prospects and customers. This “trust” is hard to establish, but easy to break. This is becoming even more important as many customer interactions became digital during the pandemic. So enterprises need to balance how Identity Management systems support privacy and regulatory compliance while maintaining business goals. We believe it starts with separating the identity information from other PII and carefully controlling access to the core identity data. PII requested and retained will increasingly be limited to data with consent explicitly granted for storage and use.
Consent will need to extend to how the data will be used and to whom it will be disclosed. The issue for most organizations is not whether to leverage context-based identity information; it is how much is enough and what information is really needed. Most organizations will need to retain some data about each individual as it pertains to their transaction history (e.g., recent purchases), device identifiers, personalization, proximity, affiliation and so on. This is where a well-defined privacy policy is of considerable value in walking the fine line between the collection/analysis of personal data and organizational risk. Look for consent management capabilities within your vendor’s IAM capability portfolio.
These are the attributes about a person that we store in order to retain context within each user interaction with applications, services and systems. TechVision Research recommends an Identity Data Service (also known as an Identity Data Fabric) as a ready means to assimilate user/transaction data held in various repositories so that applications can be more context-aware. One of the biggest threats to privacy is pockets of data that the company, from a central governance perspective, is not aware of, and an Identity Data Service can address this.
So how do we use IAM and this contextual data to provide more consistent privacy and data protection in this increasingly regulated world? Enterprises should start with an inventory of their personal data and look to only keep PII that is absolutely necessary for their business. Second, make sure you understand the data you have, where this data lives, the user consent specifics and map that to your access control policies. Encrypt, mask or tokenize sensitive data wherever possible. Discovery is part of this process. This is where gateways, federation and virtual directories can help to extend connectivity and enable discovery in a managed fashion. Third, map your current programs and future plans against the GDPR, CCPA and other relevant privacy and data protection regulations. Fourth, bake in privacy as early as possible in your development cycle following the rules of Privacy by Design.
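The consent, minimization and tokenization steps described above, as an added example that is not code from the TechVision report or from any vendor it names: a small Go identity data store that keeps the core identity record apart from PII, retains only attributes that serve a purpose the subject consented to, tokenizes sensitive values through a vault, and maps the consent (purposes and disclosure parties) onto every read. The attribute names, the purpose policy, the party names and the HMAC-based token vault are constructed assumptions for the illustration, not a description of any product.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Consent is what the data subject explicitly agreed to: purposes and third parties.
type Consent struct {
	Purposes   map[string]bool
	DiscloseTo map[string]bool
}

// attributePurposes is a constructed sample policy: the purposes each PII
// attribute legitimately serves. Attributes in sensitive never leave the vault in the clear.
var attributePurposes = map[string]map[string]bool{
	"email":            {"fulfilment": true, "marketing": true},
	"home_address":     {"fulfilment": true},
	"payment_card":     {"fulfilment": true},
	"browsing_history": {"personalisation": true},
}
var sensitive = map[string]bool{"home_address": true, "payment_card": true}

// TokenVault swaps a sensitive value for an opaque token; only the vault maps it back.
type TokenVault struct {
	key   []byte
	store map[string]string
}

func (v *TokenVault) Tokenize(value string) string {
	mac := hmac.New(sha256.New, v.key)
	mac.Write([]byte(value))
	tok := "tok_" + hex.EncodeToString(mac.Sum(nil))[:16]
	v.store[tok] = value
	return tok
}

// PIIStore keeps the core identity record apart from PII and gates every read on consent.
type PIIStore struct {
	vault    *TokenVault
	identity map[string]string            // subject -> authentication reference, no PII
	pii      map[string]map[string]string // subject -> attribute -> value or token
	consent  map[string]Consent
}

func NewPIIStore(vaultKey []byte) *PIIStore {
	return &PIIStore{&TokenVault{vaultKey, map[string]string{}},
		map[string]string{}, map[string]map[string]string{}, map[string]Consent{}}
}

// Register retains only attributes that serve a consented purpose, tokenizing
// sensitive ones before they are written. It returns what was actually kept.
func (s *PIIStore) Register(subject string, c Consent, attrs map[string]string) map[string]string {
	s.identity[subject] = "auth/" + subject
	s.consent[subject] = c
	kept := map[string]string{}
	for name, value := range attrs {
		allowed := false
		for p := range c.Purposes {
			allowed = allowed || attributePurposes[name][p]
		}
		if !allowed {
			continue // no consented use: do not retain the attribute at all
		}
		if sensitive[name] {
			value = s.vault.Tokenize(value)
		}
		kept[name] = value
	}
	s.pii[subject] = kept
	return kept
}

// Access returns the attributes usable for purpose. Internal callers get real values;
// external parties named in the consent receive tokens only, so raw PII does not proliferate.
func (s *PIIStore) Access(subject, purpose, requester string) (map[string]string, error) {
	c, ok := s.consent[subject]
	if !ok || !c.Purposes[purpose] {
		return nil, fmt.Errorf("no consent for purpose %q", purpose)
	}
	internal := requester == "internal"
	if !internal && !c.DiscloseTo[requester] {
		return nil, fmt.Errorf("disclosure to %q not consented", requester)
	}
	out := map[string]string{}
	for name, stored := range s.pii[subject] {
		if !attributePurposes[name][purpose] {
			continue
		}
		if raw, found := s.vault.store[stored]; found && internal {
			stored = raw
		}
		out[name] = stored
	}
	return out, nil
}
```

The design choice worth noting is that consent is evaluated twice: once at collection time, so data without a consented purpose is never stored, and again at read time, so a later purpose or recipient the subject did not agree to is refused even though the data exists. In a real deployment the vault would be a separate service with its key held in an HSM, and partners holding a token would redeem it there under their own authorization, which is what keeps the partner copy free of PII.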
12) Decentralized Identity Systems with Distributed Ledgers and Verifiable Credentials
TechVision has written five research reports that cover Decentralized Identity and Verifiable Credentials over the past 7 years and we are working on an update for late 2023/early 2024, so we’ll describe this model at a high level here. Decentralized Identity with a verifiable credential ecosystem has the potential to be the foundation for the new Digital Enterprise by supporting the sharing of only the necessary and relevant elements of verifiable information required to perform specific transactions. The goal of Decentralized Identity is to develop mechanisms to easily establish trust, gain explicit consent and easily share relevant information with these services without requiring a third party to control and/or intermediate every transaction. It is effectively the basis for a viable Bring Your Own Identity (BYOI) universe.
Kim Cameron (one of the pioneers in IAM over 30+ years) once said that the problem is that the Internet doesn’t have an identity layer. Let’s consider that the challenge isn’t just the absence of an Identity layer, but the lack of a consistent Trust capability as a core part of the Internet.
Decentralized Identity is a disruptive approach to addressing the trust problem at its core: determining how to prove control, technical trust and human trust, as follows:
- The presenter of the attribute (credential) has control of the unique identifier that the credential was issued to, the credential hasn’t been tampered with, and it hasn’t been revoked. This establishes technical trust.
- The issuer of the credential has the authority to issue it, and explains the criteria used to create the credential. This establishes human trust or provenance.
While this disruptive approach may still be a few years away from wide-scale adoption, the impact is so deep and broad that most enterprises should be examining this area and considering how to incorporate a trusted decentralized identity ecosystem within their intermediate to long term planning horizons.
At a base level, Decentralized Identity differs from traditional identity services in that it can also support password-less authentication and identity proofing, and it has the potential to move the industry to the user-centric identity model that has been discussed and explored over the past 30 years. That said, Decentralized Identity has taken a long time to be deployed, and in certain areas such as password-less authentication the attention (and investment) is moving to Passkeys, which are supported by Microsoft, Google, Apple and many others and are backed by the FIDO Alliance.
Decentralized Identity has the potential to provide data protection, risk mitigation, and data quality improvements for both the individual and the enterprise. Data protection is improved by limiting the amount of data exchanged to what is necessary to maintain the relationship. For example, payment data isn’t needed if a prospect is just browsing. Risk mitigation is improved by the exchange of provable credentials between the parties as needed to complete the transaction. Also data quality is improved as correct data is provided when needed (JIT) as opposed to correcting previously stored data after the fact. This means from a privacy and liability perspective, the relying party doesn’t need to store and manage the payment credential because it will be sent (and verified) in real time the next time it is needed.
This new piece in the modern identity puzzle is called a verifiable credential. This can be thought of as an Identity metasystem that uses credential exchange as the unifying protocol for exchanging Identity data and to verify the claim being made from an authoritative source.
In this manner, decentralized identity documents (records) on the ledger contain “pointers” to the holders of encrypted and signed verifiable credentials for the identifier. A verifiable credential is a qualification, achievement, quality, or piece of information about an entity’s background such as a name, government ID, payment provider, home address, or university degree. Such a credential describes a quality or qualities, property or properties of an entity that establish its existence, uniqueness and trustworthiness. Entities (people, organizations, devices) need to provide many kinds of credentials as part of their everyday activities.
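The two trust checks listed above (technical trust: the presenter controls the identifier, the credential is untampered and unrevoked; human trust: the issuer is recognized as authoritative), together with the data-minimization property of presenting only the claims a transaction needs, as an added Go example. It is not code from the report or from any vendor it names. It uses Ed25519 from Go’s standard library, replaces the ledger lookup of the issuer’s key with an in-memory trust registry, and implements selective disclosure with per-claim salted hash commitments, an assumption about one reasonable construction rather than a specific standard. The issuer identifier, credential ID, claim values and nonces are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"sort"
	"strings"
)

// Claim is one attribute about the subject; the per-claim salt lets the holder
// reveal some claims while keeping the rest hidden (selective disclosure).
type Claim struct{ Salt, Name, Value string }

func commit(c Claim) string {
	sum := sha256.Sum256([]byte(c.Salt + "|" + c.Name + "|" + c.Value))
	return hex.EncodeToString(sum[:])
}

// Credential is what the issuer signs: the holder key it is bound to and the
// sorted claim commitments, never the claim values themselves.
type Credential struct {
	ID, Issuer  string
	Subject     ed25519.PublicKey
	Commitments []string
	Signature   []byte
}

func canonical(c *Credential) []byte {
	return []byte(c.ID + "\n" + c.Issuer + "\n" + hex.EncodeToString(c.Subject) +
		"\n" + strings.Join(c.Commitments, ","))
}

// KeyFromSeed derives a deterministic demo key pair; real deployments generate
// keys with crypto/rand and keep the private half in the holder's wallet.
func KeyFromSeed(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	sum := sha256.Sum256([]byte(seed))
	priv := ed25519.NewKeyFromSeed(sum[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Issue binds the claims to the holder's key and signs them; the holder keeps
// the salted claims and later decides which ones to disclose.
func Issue(id, issuer string, issuerKey ed25519.PrivateKey, holder ed25519.PublicKey,
	claims map[string]string) (*Credential, []Claim) {
	held, coms := []Claim{}, []string{}
	for name, value := range claims {
		salt := make([]byte, 16)
		rand.Read(salt) // crypto/rand; fails only if the system RNG is broken
		c := Claim{hex.EncodeToString(salt), name, value}
		held, coms = append(held, c), append(coms, commit(c))
	}
	sort.Strings(coms)
	cred := &Credential{ID: id, Issuer: issuer, Subject: holder, Commitments: coms}
	cred.Signature = ed25519.Sign(issuerKey, canonical(cred))
	return cred, held
}

// Presentation is what the holder sends: the credential, the claims it chooses
// to disclose, and a signature over the verifier's fresh nonce that proves
// control of the subject key (the nonce stops replay of an old presentation).
type Presentation struct {
	Cred      *Credential
	Disclosed []Claim
	HolderSig []byte
}

func Present(cred *Credential, holderKey ed25519.PrivateKey, disclosed []Claim, nonce []byte) Presentation {
	return Presentation{cred, disclosed, ed25519.Sign(holderKey, append([]byte(cred.ID+"|"), nonce...))}
}

// Verifier is the relying party's view: issuers it accepts as authoritative
// (the trust registry) and the credential revocations it has learned of.
type Verifier struct {
	TrustedIssuers map[string]ed25519.PublicKey
	Revoked        map[string]bool
}

// Verify checks technical trust (presenter controls the identifier, credential
// untampered and unrevoked) and provenance (issuer trusted), then returns only
// the disclosed claims that the issuer's signature actually covers.
func (v Verifier) Verify(p Presentation, nonce []byte) (map[string]string, error) {
	cred := p.Cred
	issuerKey, ok := v.TrustedIssuers[cred.Issuer]
	switch {
	case !ok:
		return nil, errors.New("issuer not in trust registry")
	case !ed25519.Verify(issuerKey, canonical(cred), cred.Signature):
		return nil, errors.New("issuer signature invalid: credential tampered")
	case v.Revoked[cred.ID]:
		return nil, errors.New("credential revoked")
	case !ed25519.Verify(cred.Subject, append([]byte(cred.ID+"|"), nonce...), p.HolderSig):
		return nil, errors.New("presenter does not control the subject identifier")
	}
	out := map[string]string{}
	for _, c := range p.Disclosed {
		i := sort.SearchStrings(cred.Commitments, commit(c))
		if i == len(cred.Commitments) || cred.Commitments[i] != commit(c) {
			return nil, errors.New("disclosed claim not covered by the issuer signature")
		}
		out[c.Name] = c.Value
	}
	return out, nil
}
```

Two points the code makes that the prose leaves implicit: the relying party never stores the claim values, it only checks them against the commitments the issuer signed, so a forged value fails even when presented by the legitimate holder; and the issuer’s signature covers the subject key, so a credential cannot be re-bound to another presenter without invalidating it. Expiry and a revocation-list fetch from the ledger would be added to the same switch in a production verifier.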
As organizations progress towards digital transformation, the entities they interact with need to be able to instantly establish trust by presenting the proper credentials and providing the digital proof that the credentials are valid. Human- and machine-mediated decisions about job applications, account access, collaboration, and professional development will depend on filtering and analyzing growing amounts of such trusted data. This of course is the opportunity associated with Generative AI as well, and perhaps these technologies will intersect and provide additional capabilities in the future. Therefore, standardization of digital credential technologies makes it possible for organizations and individuals to issue, earn, and trust these essential records about their counterparties, without being locked into proprietary platforms or vendors.
As we described in the sections on Zero Trust/Frictionless Security, BYOD and CIAM, decentralized identity’s transparent model can support Bring Your Own Identity (BYOI) in a more secure, immutable and non-repudiated identity ecosystem that effectively crosses enterprise and personal identity boundaries. The current missing link is the trusted, federated ecosystem for sharing such credentials across domains, and that is the chasm decentralized identity will most likely bridge. Make no mistake, decentralized identity functioning as an anchor for identity proofing and authentication is an important and relevant part of the future of IAM.
Vendors are also continuing to be active in this space including Microsoft with their Entra announcement last year and integration into LinkedIn, Evernym’s acquisition by Avast (now called GenDigital), Ping’s integration of their ShoCard acquisition (now called PingOne Neo), IndyKite’s Identity platform leveraging decentralized identity, the 1Kosmos platform, IBM’s decentralized identity platform and several others.
Furthermore, the usability of Decentralized Identity and Verifiable Credentials will be greatly enhanced with the proliferation and, ultimately, standardization of Digital Wallets. David Goodman from TechVision will be writing a report on this topic in late 2023/early 2024.
Decentralized Identity is a necessary prerequisite for Web3 (see Gary Zimmerman’s recent TechVision report on this topic) that has the potential of changing the core architecture and design of the Web towards a more decentralized, inclusive model.
To close the topic, think of this as a redefinition of the relationship between the user and the enterprise. Each participant in a decentralized identity ecosystem becomes their own IDP. Trust is established because identifier control is digitally proven by a network and the related credentials are defined and verifiable as needed by trusted authorities – better data protection, risk mitigation, and data quality.
Implementing and Executing on the Future of Identity Management
Thus far we’ve highlighted the top 12 areas in TechVision’s priority order that large organizations may want to focus on in preparing for the future state of IAM. But this list isn’t enough even if you modify it with your key priorities. We need to execute on this vision, architect our solution, deploy products and services, integrate and get our IAM foundation right.
This section describes how an enterprise should prepare for the future of IAM. The stakes are so high and as we regroup, secure and improve our IAM foundation post-lockdown, it is the right time for most organizations to formalize their IAM processes and programs. This includes collecting and prioritizing requirements, understanding your current state/maturity, developing a reference architecture and, based on these factors, developing overall strategy and your 2024 and beyond deployment plans.
This assessment provides support for your development of a more formal reference architecture and then gets into specifics including the governance processes, your cloud migration, integration, development of a flexible foundation/identity fabric and other tactical needs your organization should be prioritizing and deploying to execute on your future of IAM.
In many ways, IAM is no different from any other large business process engineering effort. Today, in many large organizations, IAM environments are primarily viewed as an IT responsibility. However, delivering technology is not the most significant challenge; fully understanding business needs and changing participants’ behavior are greater challenges. As the ensuing age of Zero Trust, the Digital Enterprise and location independence/identity reliance begins to materialize, the IAM program must be managed and viewed as a business program, not simply an IT, or even a security, project.
A well-organized IAM program provides the necessary structure for all IAM services in a way that addresses the challenges of coordinating technology projects that require identity-related services, ensuring alignment with business needs and providing oversight of ongoing operational activities. We believe the key for most organizations will be to make progress on IAM governance and adopt a holistic view of the governance life cycle. We feel governance is so important (and Identity Governance was Number 1 on our Top 12 list) we’ll provide additional details on this topic starting with the IAM Governance activity cycle:
Figure 1: IAM Governance Activity Cycle
Governance of a modern IAM program requires three core elements:
- Alignment of IAM investments with business priorities
- Effective IAM policies, standards, and processes
- Harmonization of IAM activities and communication across multiple functional areas
Technology deployment without appropriate governance simply cannot succeed. Therefore TechVision recommends that enterprises immediately begin engaging in the following activities:
- Objectively assess your current IAM governance program—using an external resource if possible
- Establish an IAM Steering Committee (if you don’t already have one)
- Engage an executive sponsor for the IAM program
- Articulate the purpose and authorities of the steering committee, preferably via a formal charter
- Engage decision-making IAM stakeholders to participate in an IAM steering committee
- Conduct periodic meetings (monthly if possible), with a focus on decision-making rather than information sharing since information-sharing forums tend to lose focus and participation over time
- Charge working groups as needed to provide input to the steering committee. Many of the same people are likely to be required for multiple working groups, so care must be taken to avoid over-extending individuals by running too many working groups simultaneously
- Record all meeting minutes and distribute to stakeholders through a formalized communication channel (at minimum, email distribution lists)
- Publish IAM policies and standards that encompass all regions globally.
- Build IAM requirements into the standard set of security requirements for projects, contracts, and procurements
- Train project managers and IT procurement specialists in implementing new IAM-related checkpoints
- Develop methods to ensure policies and standards are followed. Develop methods to track and record exceptions that assign residual risk ownership to the appropriate business stakeholder(s)
- Review current contracts and agreements where identity data or access to corporate resources is involved to assess whether IAM requirements are clearly and appropriately addressed. Establish a project to implement remedial actions as necessary.
This list reflects TechVision Analyst learnings after working with hundreds of organizations over the past several decades supporting client strategies, architectures, vendor selection, process/business integration and other factors within IGA and governance.
While governance is the initial area of focus, it is also of considerable value to have a structured IAM reference architecture and decision-making process to act quickly and consistently in this volatile world. TechVision has covered this in several reports, so we’ll provide an abbreviated version here, but note that developing a reference architecture is critical. We’ll start with what a reference architecture is and why you should care.
What is a Reference Architecture and why should you use one?
Reference Architectures are standardized frameworks that provide a model for a domain, sector, or field of interest. Reference models or architectures provide a common vocabulary, reusable designs and industry best practices. They are not solution designs and as such are not meant to be implemented directly. Rather, they are used to guide more concrete efforts. Typically, a Reference Architecture includes common architecture principles, patterns, building blocks and standards.
Why would you want to use a Reference Architecture? Here are five reasons why adopting a Reference Architecture is a good thing:
- A Reference Architecture helps you to get an understanding of a domain. It provides a starting point for your own enterprise architecture effort and provides you with a basic vocabulary and structures.
- A Reference Architecture supports interoperability. In our increasingly networked world, organizations need to connect and cooperate with all manner of other parties. The standards and building blocks provided by a Reference Architecture facilitate these connections.
- A Reference Architecture supports digital transformation of the enterprise. For many enterprises, transformation means their value chain is being redistributed among partners, service providers, and customers. If all parties speak the same language, use the same standards, and recognize the same boundaries between functions, processes and/or services, it will be much easier to recombine their elements in new ways.
- A Reference Architecture facilitates measurement. Often, the differences between companies are not in the design of their business processes, but in their execution. Using reference designs makes it much easier to compare progress and execution results with others.
- Measurement leads us to a fifth reason why a Reference Architecture is important: regulatory compliance. Often, Reference Architectures are prescribed (or at least strongly recommended) by regulators. For example, in the EU General Data Protection Regulation (GDPR) privacy protection principles, practices and processes are standardized and mandated. This leads to audit requirements and business reporting standards that are supported by a proper Reference Architecture.
We’ll now examine the TechVision IAM Reference Architecture as a baseline for developing your own model.
The TechVision Research IAM Reference Architecture
The TechVision Research Reference Architecture for IAM is a master template that identifies the IAM capabilities (rather than technologies) that can be improved or enabled, allowing business stakeholders and technical architects to achieve a common language for IAM functions, which can then be refined over time. This high-level template starts the journey.
Figure 2: IAM Reference Architecture master template
These IAM capabilities are described at the highest level as:
Interact: Interact is a layer of user interfaces (UI) and application programming interfaces (API) that simplify consumer and application developer interaction with the rest of the IAM infrastructure. In this way, non-experts can follow the best practices of IAM without having to be experts in the field.
This allows the enterprise to:
- Incorporate new security capabilities without having to reengineer applications.
- Increase speed to market by removing security from the critical path of service development.
- Enhance security through the automatic adoption of best of breed security and privacy components.
- Decrease on-boarding friction by isolating complex security infrastructure through intuitive user interfaces.
Access: Access is the layer that answers the “Who has access to what?” question. It ensures customers can confidently exchange information and get the services they need to buy and use your products. It ensures employees and partners have all the digital resources they need to get the job done, nothing less and nothing more.
This allows the enterprise to:
- Ensure the right people have the right access to the right resources at the right time.
- Protect the assets of the company and its customers.
- Reduce productivity drains and costs caused when people can’t access the resources they need.
Change: Change manages the relationships between all the moving parts within the digital environment. Change establishes the connections between people, devices, applications, and data when they enter the environment, manages the connections while the relationship exists, and disconnects when access is no longer necessary.
This allows the enterprise to:
- Establish and maintain the proper rights, entitlements, and restrictions in order to reduce your attack surface, because users and their identities are the most vulnerable link in a network.
- Orchestrate identity across device, network, and application boundaries because in the absence of the traditional security perimeter, identity is the common denominator across the entire digital environment.
- Prevent toxic combinations through transparency of entitlements across business processes.
Manage: Manage is where the administrators of the IAM platform upgrade, configure, tune, troubleshoot, document, and audit the platform and its components.
This allows the enterprise to:
- Incorporate new security capabilities without having to reengineer applications.
- Increase speed to market by removing security from the critical path of service development.
- Enhance security through the adoption of best of breed security and privacy components.
- Increase agility through isolating security software releases and patches to the underlying infrastructure components.
Measure: Measure is the lens into the digital environment. It allows live behavior observation, anomaly detection, platform health checks, and deeper analysis of usage and threats. It also provides the audit and reporting capabilities necessary to prove you are performing your duty to protect.
This allows the enterprise to:
- Understand behavior to improve the customer experience.
- Detect vulnerabilities before they are crises. The costs of prevention are much less than the costs of a breach.
- Prove compliance as required by law.
Store: Store is the shared place where the identity profiles, attributes, and relationships are kept and maintained. It may be physically centralized or distributed, and contains the map which defines “who has access to what?”
This allows the enterprise to support two important groups:
- For customers, it becomes the backbone for the entire customer experience; the customer data layer where all your interactions are captured.
- For employees, it becomes a user-centric view of entitlements across the entire digital environment.
These capabilities are present in all IAM systems (to varying degrees) and, in each of these areas, there are decisions to be made and many layers of supporting capabilities. In the Change layer, for example, there are capabilities associated with the management of entitlements such as access reviews and entitlement catalogues. This category also provides a set of identity lifecycle management capabilities and identity orchestration, which helps to better connect and normalize the overall set of identity services and sources of data. Each major category follows this pattern. This is the top-level foundation for TechVision’s IAM Reference Architecture and the foundation we’ll build on as each layer is further broken into core capabilities to be subsequently prioritized.
Capabilities Needed in the IAM Service Portfolio
Enterprise information protection starts and ends with the business. It involves understanding how the business works and why it works that way, turning that understanding into a set of defined duties to protect, and carrying out those duties to affect reasonable and prudent operation of the business. From an IAM perspective, this means we start with a business focus on the capabilities that need to be in the IAM service portfolio. Building on the Top-Level of the Reference Architecture shown previously in Figure 2, we can now inject the IAM capabilities in business terms, such as “How can I consume and use the service?” Within the Interact layer, this implies a requirement for an intuitive User Experience. There is no mention of interface types, protocols, or related technologies – just the capabilities required, in non-technical terms.
Figure 3: Capabilities Needed in the Portfolio
In answering the questions outlined in Figure 3 (and the follow-up questions they may spawn), the business requirements are defined and refined before any technology is applied. Then at each Reference Architecture layer, the typical types of capabilities that correspond with the requirements in the service layer itself are defined; the Access layer describes common capabilities associated with accessing resources. On the other hand, the Change layer describes capabilities that are focused on managing the users’ or things’ identity lifecycle as they make their journey within the enterprise.
The purpose is to assure the utility of the content – and how this is accomplished depends on the context of the business at hand. Because enterprises have many moving parts, structuring a protection program requires an architectural context in order to be effective and efficient. The following identifies the structure of such an architecture and the elements it normally contains. Taking this as a starting point, details typically get filled in at increasing levels as the specifics of the needs of the enterprise are analyzed and structured.
Capabilities of the Combined Portfolio Architecture
The next level of the architecture outlines the functional capabilities that are the foundation for a best-in-class IAM Reference Architecture. Each category is broken up into multiple capabilities at a level of greater detail. For example, interfaces can be for applications / developers (APIs, messaging services), Lines of Business, self-service or even robotic processes. This applies to each category and, based on stakeholder input, use cases and priorities can be further developed into Reference Architecture patterns or templates for specific services.
Remember, the Reference Architecture is not focused on the actual implementation of things that carry out these controls. Rather it is a model of what the controls are, how they work, and how they interact to assure the utility of content. It is important to understand that these functional capabilities consider all types of objects and use cases within the IAM foundation. For example, identifying, securing, and collecting data pertaining to IoT devices is expected to be accommodated within the IAM Reference Architecture.
As ultimately implemented, different enterprises use different IAM capabilities in different ways to meet different protection needs. And they do so differently for different content and business functions because of the different risks and potential consequences associated with failures and costs associated with protection. One size does not fit all.
Once the required business capabilities are identified, the next layer of the TechVision Research Reference Architecture for IAM (Figure 4) allows us to explore each of the specific technology or process elements comprising each capability in the form of a combined portfolio architecture.
Figure 4: Combined Portfolio Architecture
Once again, it is important to acknowledge that the combined portfolio architecture needs to reflect the business requirements so the components and descriptions that follow are items we’ve seen within our clients but may not represent your specific situation. Use them to guide your thinking as you explore and build out your own IAM architecture.
What typically comes next is the development of specific use cases and associated patterns that are used to help prioritize the portfolio of IAM capabilities during a specific period such as FY 2024. But getting a handle on governance and defining your reference architecture is only part of executing on your Future of IAM. One of the big challenges many large organizations have is with convergence and integration of the wide array of IAM solutions and approaches. Use this reference architecture as a baseline to drive subsequent architecture, requirements, priority and vendor selection decisions. While the reference architecture is not vendor specific, it provides you with a basis for ultimately evaluating vendor offerings based on your key needs and priorities.
Recommendations/Conclusion
In this report we provide our experience-based vision and perspective on the future of IAM. We frame this with our Top 12 list in priority order and describe the core capabilities, key vendors, industry initiatives, business drivers and execution strategies. Where possible we describe common over-arching themes that outline critical directions for most organizations to consider.
We’ll close with a few key themes and specific steps to take in this section, but understand that your next steps should follow the processes we’ve described throughout this report. Our prioritized list of areas we’ve defined as the Future of IAM is simply a starting point. We recommend that most large enterprises start with the core IAM architecture principles we’ve described to include identity data services, federation, loose-coupling and standards-based integration as fundamental keys for successfully addressing today’s and tomorrow’s IAM burden. This is the starting point for most IAM programs.
We also continue to describe a model for identity abstraction that provides a service-oriented architecture with the flexibility and integration needed to provide IAM as a “utility” within and between organizations. This is the end state that is easy to say, but so hard to achieve. The reality is that when organizations attempt to upgrade their IAM environments in response to the changing user and device landscape, they all too often find out that many of their enterprise business applications have been hard-coded to specific, often home-grown and on-premises identity systems that don’t interoperate, can’t scale and are rigidly inflexible. This has resulted in significant technical debt that continues to accelerate and is evident in virtually every large organization TechVision has worked with.
An architecture built on these principles will provide flexibility to quickly integrate emerging BYOI approaches including self-sovereign identities, OpenID Connect, FIDO2, Passkeys and OAuth. Additionally, such an architecture provides the scalability and elasticity to effectively support the Identity of Things and machine identities by eliminating the monolithic, single-purpose approaches that incorporate specific groups of things as one-off solutions. Other areas of recommended focus include:
- Making governance the capstone of your overall IAM strategy moving forward. While regular communication and interaction can be difficult to maintain over many years, it is imperative that the enterprise understand that the proliferation of people, devices, things and services/microservices coupled with the focus on “zero trust” means that the IAM infrastructure needs to be properly and continuously governed. Create an IAM governance model, establish the teams and charters, re-examine existing policies and processes and get focused on the IAM path you want to take to achieve your business objectives.
- Understand that Zero Trust/Zero Friction by its nature puts the emphasis on IAM and consider all aspects of Zero Trust within the context of your IAM program. Most get Zero Trust, but make sure you also get Zero Friction as this is increasingly important as we consider the “new normal”.
- Evaluate capabilities of contextual awareness coupled with more advanced AI and ML utilities to begin to enable high-performance runtime authorization that uses context to support granularity of access controls.
- Prepare for object and attribute proliferation with continued adoption of Zero Trust principles – including IoT, by evaluating graph database technology, cloud-based services and other means of scaling and including multiple object types.
- Deploy MFA as an effective way to improve the level of trust that someone is who they say they are in our Zero Trust world. While MFA isn’t perfect, it is far superior to traditional password-based authentication.
- Consider Passkeys as an approach to achieve password-less authentication at scale.
- Deploy JIT PAM as a way to get serious about least privileged access and mitigating risk given the proliferation of unmanaged privileged access (e.g., service accounts) that exists in most organizations.
- Be bullish about standards and do not let any vendor (large or small) steer you away from standard protocols and interfaces. We are now in an era of ‘progress, not perfection’, meaning that absolute perfection comes at the expense of interoperability. In other words, you may find yourself painted into a corner by relying too extensively on one vendor’s ‘perfect’ solution.
With these principles in mind, many organizations must rethink their current IAM strategies. The vendor movement to integrated IAM/IGA/PAM platforms alone is changing the landscape. The next few paragraphs will leave the reader with a summary set of actionable priorities, tactical steps and program principles to be considered in “future-proofing” your IAM strategy.
For 2024, the technical planning trends that impact your IAM program are:
- Identity-first security strategies will enhance cybersecurity postures.
- Rapidly growing identity needs will require an identity fabric architecture.
- Organizations will have to reestablish IAM hygiene and raise the bar.
- Carefully evaluate the risks of Generative AI and adapt your IAM foundation to mitigate these risks.
- Organizations will manage more user constituencies in more environments.
- Governance is emerging as one of the most important elements of the digital enterprise and IGA is a major element of an enterprise governance program.
- The number and sophistication of attacks on IAM infrastructure will increase.
- Stronger identity data strategies will enable analytics and generative AI application in IAM.
In this report we present TechVision Research’s vision of the future of Identity Management. To summarize, these are the most salient points to consider as you evolve your IAM program in the context of where TechVision Research sees the industry going:
- Start with Governance and a focused effort on formalizing your IAM program: from requirements collection, to a current-state and maturity assessment, to developing a reference architecture, to systematically prioritizing use cases and capabilities.
- Zero Trust Security and IAM are inextricably linked, with IAM becoming perhaps one of the most important facets of the organization’s security program to ‘get right.’
- The Internet of Things (IoT) will require scalable and reliable infrastructure for establishing identities for these Things. Enabling appropriate access for these identities throughout the connected ecosystem is stretching identity to new limits.
- Privacy is and always will be a top concern, and identity data requires stringent protection and closely governed usage.
- Cloud computing will continue to gain momentum, and cloud-based IAM must be strongly considered as a viable means to store identity information, authenticate users (both internal and external) and provide, at a minimum, coarse-grained authorization services.
- An improved DevOps model, building and deploying IAM in the form of secure microservices, will hasten your organization’s ability to thoughtfully move your environment to the cloud without a ‘forklift IT migration’ and its inherent risk to identity data.
- The advent of mobile has major ramifications for both identity management and security. IAM architectures can and should embrace the mobile user (and device) landscape. BYOD, wireless and mobile mean that identification based on a static location (or a corporate device) is no longer sufficient.
- Artificial Intelligence is beginning to help organizations consume and derive value from big data, drive decision-making through powerful analytics and make more robust context-aware runtime authorization decisions; at the same time it is driving a rapid increase in AI-enabled threats. AI/ML and contextual data are the foundation for “Frictionless” Security.
- Big (IAM) data enters the fray as pervasive social media/data brokering and sophisticated predictive analytic engines drive the hunger for and availability of more and better user data.
Addressing these trends requires considering these IAM architectural and program principles:
- Embrace Identity Abstraction to enable looser coupling, better data protection and a reliance on stable authoritative source identity data.
- Leverage Identity Federation to enable cloud integration, looser coupling and better user current affiliation reliability.
- Plan for Bring Your Own Identity (BYOI) to foster standard identity verification, reduce internal user identity processing and facilitate cloud integration.
- Deploy Privileged Access Management to protect the most important information assets within your organization, especially in hybrid cloud environments, with a bias towards JIT PAM.
- Establish an Identity and the Internet of Things Architecture Strategy to ensure scalability, reliability and security of the things that are going to be increasingly entering your network.
- Evolve to Relationship and Context-based Identity to better verify identities at run-time and more granularly control access privileges.
- Expect Deprecation of Traditional Enterprise Directory Services: don’t stake your long-term future on Active Directory or LDAP, and consider moving to the “next generation” integrated IAM/IGA/PAM platforms.
- Consider Cloud-based IAM in order to simplify your architecture, reduce deployment/maintenance costs and foster quicker adoption of fast-moving standards like OAuth 2.0, Passkeys, OpenID Connect and others.
- Begin to evaluate and leverage new, more disruptive approaches including self-sovereign identity, distributed identity, blockchain-based IAM, verifiable claims and microservices concepts applied to Identity services.
- Make Identity Management a linchpin of your security program.
- Scale IAM by avoiding short-term, vendor-influenced shortcuts: support standards, embrace the cloud, develop a loosely-coupled architecture, promote identity-as-a-service and federate.
- Make Identity a Privacy Enabler by reducing identity data proliferation and abstracting identity data.
- Make Identity a Business Enabler by treating it like (properly protected) big data and implementing delegated access management standards when warranted.
2024 is the year to define these principles and foundational elements that will assist you in getting ready for the future of identity management, because the future is now. Thanks for reading this report, and remember that TechVision will work with our clients on a consulting basis to support and help with the execution of the recommendations we make in this report and throughout our research portfolio. Good luck executing on your Future of Identity Management.
About TechVision
World-class research requires world-class consulting analysts and our team is just that. Gaining value from research also means having access to research. All TechVision Research licenses are enterprise licenses; this means everyone that needs access to content can have access to content. We know major technology initiatives involve many different skill sets across an organization and limiting content to a few can compromise the effectiveness of the team and the success of the initiative. Our research leverages our team’s in-depth knowledge as well as their real world consulting experience. We combine great analyst skills with real world client experiences to provide a deep and balanced perspective.
TechVision Consulting builds off our research with specific projects to help organizations better understand, architect, select, build, and deploy infrastructure technologies. Our well-rounded experience and strong analytical skills help us separate the “hype” from the reality. This provides organizations with a deeper understanding of the full scope of vendor capabilities, product life cycles, and a basis for making more informed decisions. We also support vendors in areas such as product and strategy reviews and assessments, requirement analysis, target market assessment, technology trend analysis, go-to-market plan assessment, and gap analysis.
TechVision Updates will provide regular updates on the latest developments with respect to the issues addressed in this report.
About the Authors
Gary Rowe is a seasoned technology analyst, consultant, advisor, executive and entrepreneur. Mr. Rowe helped architect, build and sell two companies and has been at the forefront of the standardization and business application of core infrastructure technologies over the past 35 years. He was President of Burton Group, the leading technology infrastructure research and consulting firm, from 1999 to 2010, through the sale of Burton to Gartner.
Mr. Rowe has personally led over 100 consulting engagements, 50+ educational seminars, published over 50 research reports/articles and led three significant technology industry initiatives. His combination of business skills and his deep understanding of technology provide a balanced perspective for clients. Core areas of focus include identity and access management, directory integration, cloud computing, security/risk management, digital transformation, IT business model changes, privacy and blockchain/distributed ledger.
Doug Simmons brings more than 30 years of experience in IT security, risk management and identity and access management (IAM), which remain his areas of focus. Doug holds a double major in Computer Science and Business Administration.
While leading security consulting at Burton Group for ten years, and running Global Identity Management and Security Consulting at Gartner for five years, Doug has performed hundreds of engagements for large enterprise clients in multiple vertical industries including financial services, health care, higher education, federal and state government, manufacturing, aerospace, energy, utilities and critical infrastructure.