Digital business is changing the scale of identity and access management (IAM). In the age of digital business, IT leaders need to manage the identities of “things,” as well as the identities of people, the ways they interact, and the ways they create and share information.
Presenting at the Gartner Identity & Access Management Summit 2016, Ant Allan, research vice president at Gartner, tells the audience that a typical company today has an IAM program that focuses only on the thousands of people in its workforce.
“A stronger focus on people outside the organization, together with massive growth in the number of ‘things’ over the next five years, will mean that, by 2020, a typical small enterprise’s IAM program will span 1 million people, 10 million things and billions of relationships,” Allan says.
The massive scale and complexity of IAM in a digital business will force IAM teams to become bimodal. IAM leaders will need to first apply a Mode 1 approach to their IAM programs — traditional, emphasizing safety, accuracy and reliability, while at the same time being risk-averse.
“Mode 1 IAM is not just ‘business as usual,’” he says. “The core IAM systems must become simpler, and more scalable, to meet the demands of digital business.”
IAM leaders will put greater emphasis on cloud-based IAM services and on access control tools that base decisions on dynamic identity, attribute and contextual information aggregated from multiple sources, rather than on “warehouses” of static entitlements (traditional access control information).
Mode 2 IAM must be simple, scalable and agile from the outset. Mode 2 — by nature, speculative, emphasizing experimentation, improvisation and collaboration, and accepting of risk — is experiential. People need to see it, touch it, and feel it, rather than just have it explained to them conceptually.
Allan shares an example of a car manufacturer that provided customers with a “gold card” app, on which their identity and personal settings would register for any rental car from that manufacturer. Such an approach encourages app development in a way that Mode 1 thinking cannot.
“IAM must parallel the movement to bimodal IT and recognize the different cultural characteristics of each mode,” he says. “To succeed with bimodal, IAM leaders will need to reinvent themselves, and their teams, and create a three-part organizational structure.”
Those three parts include:
- An operator subculture for traditional Mode 1 IT: As an operator, IAM focuses on keeping things running and delivering new solutions where the requirements are well-understood, with stability prioritized over speed and innovation.
- An innovator subculture for nonlinear Mode 2 IT: In this role, the IAM innovator enables new business designs, rather than just making legacy business processes more efficient.
- A guardian subculture for the office of the CIO, to keep everything scalable and safe: The guardian component focuses on ensuring that the business is industrialized, safe and scalable. This would typically cover governance, security and risk, IT finance, IT procurement and IT HR.
If IAM leaders are focused only on internal Mode 1 needs and are not prepared to step up, be innovators and drive IAM forward to meet the challenges of digital business, someone else within the organization will.
“IAM leaders who focus only on the ‘guardian’ and ‘operations’ roles will become increasingly irrelevant to the business,” Allan concludes.