Thursday, May 28, 2015

Identity needs to disappear


The disappearing machine
Photo source: Paul Chapman - The disappearing machine
In recent years, security vendors, including ones that don't sell Identity & Access Management (IAM) products, have been pontificating about how identity needs to be the focus for all things security. They (my current and previous employers included) continue to be on-message, each beating everyone to death with their own version; identity-centric-security, identity-powered-security, identity-defined-security, identity-is-the-perimeter, identity-is-the-foundation, identity-is-the-intelligence, and on and on.

Yeah, we get it. Identity is VERY important. Enough already.

The problem with rolling out the same message for years is that people stop listening. It's like the age old line in press releases: "the market leader in"; sure you and every other vendor out there. The market leader. Yeah, right.

Ok, so I'm being a little cynical. But the fact that as an industry, we've had to go all broken-record on this means:
  1. We've not been very effective in explaining what we mean. AND/OR
  2. No one gives a crap.
The truth is probably a combination of the two.

From the 10,000 foot marketing message, we have a habit of diving too deep too quickly, skipping the middle ground and heading straight into explaining, debating and architecting how everything needs to hang together. For example: "You need to federate between the identity provider and service providers using standards like SAML, OAuth or OpenID while maintaining a translatable credential that can be trusted between partner domains. Which OAuth do you mean? 1.0? 2.0? Can't we just go with OpenID Connect? Doesn't that cover the use cases? We're effectively supporting OAuth right?"

Errr, yeah. Sure. Hey, architect person, I'm not entirely sure what all that means, but we do that, right? And why do we do that again?

We often explain the "why should we care" answer by saying "you need security because you do, and identity is the key". And therein lies the problem. The "why should we care" question is difficult to answer in a meaningful, tangible way.

In addition, the reasons tied purely to security and risk no longer resonate. It's arguable that they ever did at all, but we could always pull out the audit, risk and compliance stick to metaphorically beat people with (oops, did I say that out loud).

Today, we often pull out the data-loss card. But we can do better:
Organisations should care about identity so they can stop caring about it. Identity needs to disappear, but only from sight; it needs to be invisible.
I'll explain in the next post.

Update: The next post is up.