Matthias
Welcome to the KuppingerCole Analyst Chat. I'm your host, my name is Matthias Reinwarth. I'm an Analyst and Advisor with KuppingerCole Analysts. Today we want to talk about some announcements that we want to make. We want to announce that there will be updates around the major concepts in IAM that KuppingerCole Analysts provide. And that is on the one hand the Identity Fabric and the IAM Reference Architecture. Today we want to start with the update of the Identity Fabric for the years 2025 and following. And for that, I have invited two guests. I have invited Dr. Phillip Messerschmidt and Martin Kuppinger. So first of all, I want to welcome Phillip. Hi, good to have you.
Phillip
Hi, Matthias. Thank you for being here. Thank you for the invitation and the chance to speak.
Matthias
Great to have you and you are an expert in the Identity Fabric and actually the person whose brainchild the Identity Fabric is, are you Martin Kuppinger. Welcome Martin to the show.
Martin
Thank you, Matthias, for having me here. But if I remember correctly, you also have been involved in the process when this, the Identity Fabric was initially created. If I remember right.
Matthias
That's true. Right, right. But I'm a bit shy. I always try to point at the right persons then. But let's start with the discussion around the Identity Fabric. So the first question is open. So somebody has to volunteer, who can explain the concept of the Identity Fabric and why is it so important for evolving digital landscapes? Who wants to start? Volunteers? Otherwise, I pick one.
Martin
Me? Maybe I can quickly start with where this comes from. So basically, I think the initial trigger was in a project where we thought about, so basically what is the job of IAM? And at the end of the day, the job of IAM is to provide seamless yet secure access to each and every service for every type of identity and to provide the capabilities and the services needed in there in a consistent manner. This was where we thought about, does it really make sense to think in a lot of tools... or especially when we started seeing, okay, there's consumer identity management, which heavily overlaps in many areas with B2B, so partner identity management or employee identity management and so on. So should we have yet another identity management for each and every problem? And probably not. And this was really from where the Identity Fabric was born to think about how can we come to a holistic perspective, to an integrated perspective on identity management, which helps organizations to reduce the complexity of their IAM while moving forward with modernization.
Matthias
And the Identity Fabric, it really filled a gap. So it was really well accepted within the industry. But also we've been using it as advisors in our projects. And we talked a lot about it. We did videos and documentation and blog posts. And it really was well accepted. So it's out there now since 2020, I think. That was where the early starting points.
Martin
I would even say it is well accepted.
Matthias
It is, absolutely. Yeah, it is of course accepted and many organizations, many vendors also adopted it and use it for their individual presentation of their products and to explain where they fit in. And on the other hand, customers are using it for a benchmark, for using it, this is ours and that is the blueprint. And let's compare this. Now, of course, I have to get to you, Phillip. What prompted the need for an update? Why do we need to update the Identity Fabric? It's around for four or five years now. What are the key changes that we will focus on in the next session and in many other sessions that will follow?
Phillip
So obviously, the whole IAM world has developed in the meantime. So four to five years, that is more or less like one development cycle that we see here. We have new trends. We have seen them on the EIC this year, new trends around authorization. We have new trends around the identity, around authentication. And we try to reflect this development in all these main areas of IAM within the Identity Fabric. And this is why we have to update the version that we currently have to reflect these trends in the new concept and deliver that to our customers and to the companies out there that are looking for a structured approach to IAM.
Martin
Yeah. And I think it was, from the very beginning, there was always a bit of a continual sort of modernization and updating of the Identity Fabric framework. So it isn't that we did one many years ago and right now did the first sort of update, but it's really more a continual thing. Even while this update maybe is a bit bigger to all these, I would say more fundamental changes here, currently serving the industry.
Matthias
The Identity Fabric as the key overarching holistic concept will not change that dramatically, but we will see rather substantial changes when it comes to the next level of detail when we look at the identity and at the IAM Reference Architecture. And what we did, I think that is one of the most important things, is that we more closely aligned the Identity Fabric with the Reference Architecture. So that is a more a more stringent, more consistent way from the Identity Fabric to the IAM Reference Architecture. So why is that important and how can maybe you, Phillip, explain and highlight the ways that we use, for example, in advisory, the Identity Fabric for assessing, for creating, for evolving identity blueprints?
Phillip
That's very good and important question. So when I think about the Identity Fabric as an approach, it's really about structuring a strategic view on IAM for a certain organization. And the Reference Architecture drives that perspective one level deeper. It gives more detail to the Identity Fabric, where we basically see which identity type can access which object. The Reference Architecture provides much more detail to it, delivers the functional capabilities for each and every pillar. So we are aware of the four pillars, administration, authentication, authorization, and audit and risk. And for each of these pillars, we deliver much more functional capabilities in the IAM Reference Architecture. And based on that, we can approach IAM in a structured manner to assess the current maturity level, we can assess the requirements a company needs for certain use cases. There are a lot of different perspectives onto the topic that we can utilize the Reference Architecture for.
Matthias
Right, and I think it's also important to step back to the Identity Fabric while keeping the Reference Architecture in mind. So as you said, drawing the bigger picture, on the one hand, looking at all identities that are relevant, and on the other hand, the systems, Martin, you mentioned that, that we want to give access to. That is the global view. And if I look at the changes that we see in the Identity Fabric 2025, or to be more precise, the KuppingerCole Identity Fabric 2025, I see additional identities. We see more identities that we haven't seen five years ago. We are looking at decentralized identity. We are looking at autonomous non-carbon-based life forms like bots, like AI identities. And on the other hand, we are looking at very traditional, but yet still not well covered areas of identity and access management when it comes to target platforms, operational technologies, ICS. So this is something that we added to the picture and that also shows how much more important identities have become and we need to cover that in the Identity Fabric. Do you agree, Martin?
Martin
Yes, think that is one thing. think the basic idea was always every type of identity to every type of service. But we list more services, there are more to list and more identities to list than there were back, whatever, six, seven years ago or so. I think the other thing which also probably is really becoming more relevant are the the architectural concepts that are woven into the Identity Fabric. So I think when we started with this, lot of the things like modern flexible architectures, for instance, microservice architectures, but also an identity API layer, they were already there. They were there from the very beginning. But right now, I believe with the capabilities we find in more and more solutions around orchestration and the overall shift to the consumption of APIs was for identity services instead of just managing services, so to speak, or systems like creating a user in SAP. We see this paradigm shift becoming increasingly important. And so I think that that is also something which is very important to understand. It doesn't fundamentally change it. Most of that has been there, but there will be, I believe, more attention on new evolving concepts for really building a comprehensive Identity Fabric where different pieces become sort of, as I've said, woven together. And it's always interesting. I had a lot of conversations about that terminology and basically, Identity Fabric is both types of fabric. It produces and delivers services and it's a mesh which connects different components of identity management.
Matthias
Alright, anything to add, Phillip?
Phillip
So when I think about that topic, it's maybe worth mentioning that it depends a little bit on what is driving you. What we have seen in the past is that governance was a very strong driver, especially in financial institutions and in general, highly regulated areas that a central point of governance was driving, at least for certain identity types, the IAM architecture. And what we can see now is that that worked well in the past and now gets expanded to also other areas and other identity types. So it's not just on legacy and on-premise applications for workforce identities. It's also beyond that. So more identity types like the B2B, the B2C area, we see that same for other applications like OT IT areas or for cloud applications. So that is expanding after working just fine in the past. And that is also a thing that we reflect in the new version.
Matthias
And coming back to the new version, there are more novelties to expect when it comes to the Identity Fabric 2025, because we are adding another level of Identity Fabric that goes more into detail while keeping the overall picture intact. As Martin described and as you, Phillip, described it, it's an overall picture of all identities wanting to have access to all types of services. And that is then, yeah, tunneled through these set of capabilities, services, products that represent technically the identity landscape. But we also want to support typical types of organizations and defined by their level of maturity or maybe by the way that they approach their markets, by creating some types of prefabricated subsets of Identity Fabric. And this is no contradiction because we keep it consistent with the overall Identity Fabric. But if we look, as you mentioned, Phillip, the traditional financial institutions with lots of legacy, with lots of on-premises infrastructure while moving to the cloud, getting hybrid and providing digital services looks much more different today from a startup that is cloud native and that has no on-premises systems at all. So getting to these tiered approaches for different types of identity fabrics, but all derived from one master, I think that is also something that can be really helpful when getting into discussion with typical organizations, right Martin?
Martin
Yeah. Absolutely. I think the point is, it's not sort of splitting the fabric again, up into many fabrics one organization has. But it's saying, if you're in a certain type of an organization, be it a startup, be it a highly regulated organization, whatever a medium sized utility company that is right now affected by the NIS2 regulation or that, then you probably will need different pieces and different elements within this Identity Fabric than others will. So it reduces the complexity in moving from the generic picture of the Identity Fabric to the concrete picture for a different type of organization. So it best probably will benefit most Phillip and the team because they are doing the concrete advisory work.
Matthias
And I think that that's an important point because in the end, yes, the Identity Fabric is a reference. This is something that we have at stock. We can pull it out. We have a slide. We can show it. We can explain it. But the fun lies in when organizations actually use that for describing their own Identity Fabric with their identity types, their services, and their in-between connecting elements that form the pipes that let data for identities flow and allow for authentication, authorization in the right place and only there. So it will be a tool, a toolkit for supporting organizations in creating their own picture of the Identity Fabric. And if they are B2B and if they are B2E and if they have even B2C customers, it will be an overlap. It will be a combination, a superset of the services, the identities and the capabilities. And that is where the fun lies and that is where advisory can use it. We will show lots more around the Identity Fabric very, very soon. There will be publications in parallel to this publication of this podcast episode. So there will be pictures to look at, more information on how this will evolve. Before we close down, maybe one question to both of you with a quick answer. What can businesses expect from an Identity Fabric 2025 when it comes to the future IAM trends and challenges that we again today do not know the same way we did not know five years ago. So how is the Identity Fabric 2025 prepared for the next five years? Maybe starting with you, Phillip.
Phillip
So as we know, the Identity Fabric is a very flexible framework. And this is why we can update the Identity Fabric from time to time. And I think that's also the strength. We can update not just to the newest trends. We can work on the specific industry requirements. We can focus specific identity types, for example. And that enables us to have this level one and level two comparison that you just talked about. So that's definitely the things that companies and organizations can utilize when we think about the strategic development over the next five to ten years.
Martin
Yeah. You know, the point is it's a framework. It always has been flexible. And if there's a new type of identity we never thought about, it just adds to a list or a new type of service. And if you have capabilities, then the list of capabilities, so we provide sort of a guidance on what are typical capabilities. Well, then we usually use the Reference Architecture to dig into the detail of what is really specifically needed for a customer, but it's just another capability. There will be definitely some very interesting things. So you talked about agents and other types of autonomous systems that have identities. Managing identities of autonomously acting systems might be, again, one of these interesting scenarios to look at. And this can be incorporated because the fabric is really the framework. where you can put in what you need, which you can orchestrate, which you can bring together to optimize your world of identity management.
Matthias
Exactly. And this is the first sneak peek. This episode of this podcast is the first sneak peek at what is happening right now. We are heavily working on that. This is not a single person approach. We are really using input from our customers, from the vendors, but mainly from our analysts and advisors to update this elemental concept that we use for KuppingerCole all the time. And there will be more information shared very soon. The picture is already out there, how the new Identity Fabric at the upper level, so the level 1 Identity Fabric does look like, and it's really the result of some intense work. But there will be more, there will be descriptions and examples of these level 2, or tier 2 identity fabrics. And in parallel, we are currently finalizing the identity or the IAM Reference Architecture. Again, to be precise, the KuppingerCole IAM Reference Architecture for 2025 and beyond because there will be a lot of changes as well while staying consistent with the overall initial picture. So there's lots more to expect. So what should you do? As the audience, please watch the space, watch this podcast, of course, but you do anyway. Have a look at our website and have a look at our blog posts. Follow us on LinkedIn, follow us on YouTube or on every any other platform that you can find us on, and there are many, to stay updated with what we are doing right now. And with our existing customers, be they vendors, be they end users, we will get in touch and show them how to update to the next version. And that will be a smooth transition. That's what we're aiming at. And there will be a lot more to share. Any final words, Martin?
Martin
Yeah, you know, we have an excellent advisory team with Phillip, with Matthias, who spent a lot of time on that. So start working with them on that because there's, I'm very convinced there's no one who's better suited to support you on your journey as identity management than the team of Phillip, Matthias and the other colleagues.
Matthias
Why should I contradict? Phillip, you won't contradict either.
Phillip
No, not much to say. Just if there are any questions, any feedback for us, let us know. We utilize any feedback for the next version or the continuous development of working with the Identity Fabric and the Reference Architecture.
Matthias
Right, and since it's a draft, if you find a typo, please let us know. So thank you very much, Phillip. Thank you, Martin, for being my guest today. Thank you for the intense work that you did on this Identity Fabric and on the Reference Architecture. There will be more to share. We will get in touch. We will let you know. And for the time being, thank you for listening today and looking forward to having you in another episode. Thank you, Martin. Thank you, Phillip.
Martin
Thank you.
Phillip
Thank you.
Matthias
Bye.
