Being involved in a lot of advisory projects at end user organizations for some years now, I'd like to share some of the fundamental changes I observe. There is always a gap between what analysts like us, KuppingerCole, predict and what is done in reality. Thus it is always great to observe that things we've predicted and proposed are becoming reality. So what has changed over the course of the last years - trends becoming reality:
- Access and Identity Management: Back in 2008, I've blogged about the relation of the terms "access" and "identity", the latter being much more difficult to explain. Today, the clear focus is on access controls, they are in focus.
- More flexible architectures: Some time ago, the idea was to have one provisioning system which covers all. Today more flexible architectures like described in one of my research notes become reality. Access Governance on top of several provisioning system allowing to protect existing investments and to move forward in smaller steps are increasingly common - and the increased maturity of Access Governance tools is the foundation to do this. Provisioning is increasingly seen as a technology layer below such integration layers (not necessarily Access Governance). And so on...
- Access Governance on top, doing things more business centric: A consequence of this is that companies focus much more on the business user and their requests for access (yes, for access, not mainly for identities). This isn't entirely new but the way IT interacts with business has changed over time.
- Integration with service request approaches (not service desk, like BMC believes): Another tendency is to integrate access and identity requests with other service requests, either in the IAM/Access Governance tools (like in Quest One ActiveEntry or through Avatier AIMS, to name just two) or in service catalogs. However the interface has to be fore business users, not the IT - e.g. not the service desk itself. Service desks are as well increasingly part of the integration, within the more distributed architectures mentioned above, but for the manual part of fulfillment in systems which aren't connected through a provisioning system.
- Bodies of rules, policies,...: The, from my perspective, most important change is that more and more projects start with the definition of "bodies of rules", policies, concepts - and not with the selection of a technology. That definitely makes sense: You don't start building a house by buying stones, you start with blueprints.
- Externalization of security out of applications in a standardized way, based on XACML and other approaches (and yes, there are real world projects out there on this)
- Hybrid cloud IAM and Access Governance - how to deal with mixed environments
To learn more about the trends as well as the best practices don't miss EIC 2011, where thought leadership and best practices come together.