Postcard from the Gartner IAM Summit

Two weeks ago I attended Gartner’s first IAM summit. Entering an arena long dominated by Burton and RSA, they nonetheless seemed to have a respectable turnout, even if it was mostly people like me, curious to find out what their treatment of the space was going to be. The fact that it was in Vegas was another kind of incentive, with the consequence that I missed a couple of early morning sessions.

The content mostly seemed to be aimed at a crowd more generic than the crowd you would encounter at, say, Catalyst. However, they did have a few interesting sessions. Lawrence Lessig’s keynote on the “Future of IDeas” was really interesting, even if his famous presentation style suffered through two projector outages and a light outage. His talk more or less expounded on the notion of needing an identity metasystem for the internet, and the need for us to do something before the government steps in after some kind of internet calamity.

But the session that generated the most discussion among my colleagues and me was Roberta Witty’s session on User Provisioning (or UP, as Gartner calls it). While fairly informative for the lay attendee, she made two statements that were a little controversial (at least for us UP geeks).

“Provisioning is an interim solution”
The above is what I actually saw an attendee at the session writing in her notebook. In her session, Roberta said that the emergence of Web Services and SOA architectures would mean that the need for provisioning would start to disappear, as soon as 2010. Now, those of us in the provisioning space have long been saying that the (hopefully) emerging SPML standard would eliminate costly provisioning connectors. We have also been saying that externalizing identity data, authorization and security will lead to a lesser need for provisioning in automated, role-based or attribute-based scenarios.

However, the fact is that provisioning systems add a whole business layer on top of IAM (see my previous post: ‘Ask Dr. K: The IdM Elevator Pitch’) that will not disappear. As long as businesses need operational flexibility and agility, the need to support ad-hoc, request-based access provisioning will not go away, and that is where provisioning systems will continue to play an important role. From a compliance perspective, control attestation (in addition to access attestation), SoD enforcement and workflow will continue to require a management layer on top.

“Role Management will become the focal point for Compliance”
The second point she expounded on was her view that role management systems will become the central point of compliance shortly. Her view is based on her opinion that since role mining tools need to have information about access privileges in order to discover privilege patterns as roles, they are ideally placed to do compliance activities like attestation and SoD policy violation detection. Again, the point is a little skewed. And I don’t say this because I have a provisioning bias. I am, in fact, also involved heavily in Oracle’s role management strategy.

Yes, role management systems (more accurately, role mining systems) have this kind of data in their repositories, but so do provisioning systems. One of the first uses of provisioning systems in compliance-driven enterprise environments is the deployment of reconciliation connectors to pull in the “who has what” information. This includes not just the names of the accounts that users have, but fine-grained entitlement information as well. And the capabilities of provisioning systems (well, at least ours) in this area are long established, with a lot of sophistication built into the reconciliation capabilities. Most role mining systems are limited to flat-file based data imports. In fact, some of the bigger role mining products build “integrations” with provisioning systems to obtain the privilege information from the provisioning systems instead of having to go to the target systems themselves, and tout this as a key capability.

It is also important to keep in mind that BRM systems are just like provisioning systems in that they don’t need to pull all access data into their scope in order to operate. It is almost never the case that enterprise roles are defined based on the access that users have in all systems. In fact, it is usually a much smaller set of systems than provisioning systems typically have to deal with, especially if you want the mining operation to have a chance of succeeding. Provisioning systems are often key to helping the enterprise clean up access privileges in preparation for role mining projects, by providing attestation and “who has what” reporting to enable the removal of unnecessary access. Project managers of IdM deployments know not to go near role mining until access cleanup has occurred.
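To make the point of the last two paragraphs concrete, here is an added example (not code from the original post, nor from any provisioning or role mining product) that works from a single reconciled “who has what” dataset. The records, the SoD policy, the manager assignments and the revocation list are all constructed for illustration. It shows that the same entitlement data supports SoD violation detection and an attestation report, and that a naive role mining pass finds no shared roles until the violating and stale access has been cleaned up.

```python
"""
Constructed example: one reconciled "who has what" feed feeding compliance
checks (SoD detection, attestation) and a naive role mining pass.
All data below is made up; none of it comes from a real system.
"""
from collections import defaultdict

# Constructed reconciliation feed: (user, target_system, account, entitlement),
# the kind of fine-grained data a reconciliation connector would pull from a target.
RECONCILED = [
    ("alice", "ERP", "alice", "AP_INVOICE_ENTRY"),
    ("alice", "ERP", "alice", "AP_PAYMENT_APPROVE"),  # conflicts with invoice entry
    ("alice", "AD", "alice", "Domain Users"),
    ("bob", "ERP", "bob", "AP_INVOICE_ENTRY"),
    ("bob", "AD", "bob", "Domain Users"),
    ("carol", "ERP", "carol", "AP_INVOICE_ENTRY"),
    ("carol", "AD", "carol", "Domain Users"),
    ("carol", "AD", "carol", "Domain Admins"),  # stale access from an old project
    ("dave", "ERP", "dave", "AP_PAYMENT_APPROVE"),
    ("dave", "AD", "dave", "Domain Users"),
]

# Hypothetical SoD policy: pairs of entitlements one person must not hold together.
SOD_POLICY = [("AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE")]

# Constructed manager assignments used to route attestation.
MANAGER_OF = {"alice": "erin", "bob": "erin", "carol": "frank", "dave": "frank"}

# Constructed cleanup decisions: (user, system, entitlement) to revoke.
REVOCATIONS = [("alice", "ERP", "AP_PAYMENT_APPROVE"), ("carol", "AD", "Domain Admins")]


def entitlements_by_user(records):
    """Build the 'who has what' view: user -> frozenset of (system, entitlement)."""
    view = defaultdict(set)
    for user, system, _account, entitlement in records:
        view[user].add((system, entitlement))
    return {user: frozenset(ents) for user, ents in view.items()}


def sod_violations(view, policy):
    """Return sorted (user, ent_a, ent_b) triples for every toxic pair a user holds."""
    violations = []
    for user, ents in view.items():
        held = {entitlement for _system, entitlement in ents}
        for ent_a, ent_b in policy:
            if ent_a in held and ent_b in held:
                violations.append((user, ent_a, ent_b))
    return sorted(violations)


def attestation_report(view, manager_of):
    """Group each user's access under the manager who has to attest to it."""
    report = defaultdict(dict)
    for user, ents in view.items():
        report[manager_of[user]][user] = sorted(f"{s}:{e}" for s, e in ents)
    return dict(report)


def mine_candidate_roles(view, min_users=2):
    """Naive role mining: users with identical entitlement sets form a candidate role.

    Returns sorted (entitlements, members) pairs for sets shared by >= min_users.
    Any extra or stale entitlement on a user keeps that user out of a shared role,
    which is why cleanup has to precede mining.
    """
    by_set = defaultdict(list)
    for user, ents in view.items():
        by_set[ents].append(user)
    roles = [
        (sorted(f"{s}:{e}" for s, e in ents), sorted(users))
        for ents, users in by_set.items()
        if len(users) >= min_users
    ]
    return sorted(roles)


def apply_revocations(records, revocations):
    """Simulate the cleanup a provisioning system drives: drop revoked access."""
    revoked = set(revocations)
    return [r for r in records if (r[0], r[1], r[3]) not in revoked]


if __name__ == "__main__":
    before = entitlements_by_user(RECONCILED)
    print("SoD violations before cleanup:", sod_violations(before, SOD_POLICY))
    print("Attestation queue:", attestation_report(before, MANAGER_OF))
    print("Candidate roles before cleanup:", mine_candidate_roles(before))
    after = entitlements_by_user(apply_revocations(RECONCILED, REVOCATIONS))
    print("SoD violations after cleanup:", sod_violations(after, SOD_POLICY))
    print("Candidate roles after cleanup:", mine_candidate_roles(after))
```

Before cleanup, alice holds both sides of the toxic pair and carol still has a stale admin group, so every user's entitlement set is unique and the mining pass returns no roles. Once the two revocations are applied, alice, bob and carol collapse onto one shared set and a single candidate role with three members emerges, while dave remains an outlier to be handled by request-based provisioning.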

On a happier note…
I will say that I didn’t disagree with everything I heard at Gartner. In his keynote, Neil MacDonald of Gartner talked about ERP becoming the “new center of gravity for IAM”, making ERP players like Oracle very important in the IdM space. Now I can’t really disagree with that view, can I?