
Identity Management in IoT - shift from IAM to IRM

Published on 12/12/2016 | Technology


Arnab Chattopadhayay

Accelerating the Adoption of Industrial Internet of Things.


Overview

IoT introduces the need to manage exponentially more identities than existing IAM systems are able to support. IoT identity management must not only manage the identities and authentication of human users but also billions of device identities. Many of these devices need to communicate with each other and with back-end systems. Some people refer to this new identity ecosystem as IDoT (Identity of Things) [ http://blogs.gartner.com/earl-perkins/2014/08/04/the-identity-of-things-for-the-internet-of-things/ ]. IDoT encompasses identity-related relationships between devices, device to human, device to application and human to application. This is where IRM (Identity Relationship Management) comes into the picture.

Traditional IAM was built primarily for use within enterprises. Over time, the expansion of e-business forced IAM open to customers, suppliers and many other external parties, but it was still managing human users. The next wave was the penetration of mobile devices, where some amount of device identity management was required, but device identity was not the primary mode of identity in most cases. The next wave, IoT, is a true machine-to-machine ecosystem in which device identity will be a first-class citizen. Identity will become the new perimeter. Identity Relationship Management is a new way of considering digital identity.

IRM was started as a movement by a group of industry experts, under the banner of the Kantara Initiative [ https://kantarainitiative.org ], to transform classical IAM to fit the demands of next-generation digital identity.

IRM brings the concept of the Pillars of IRM [ https://kantarainitiative.org/irmpillars/ ], with the pillars defining the priorities within requirements. There are two types of pillars: Business Pillars and Technical Pillars.

Business Pillars

1. Consumers and Things over employees

2. Adaptable over predictable

3. Top line revenue over OPEX

4. Velocity over process

Technical Pillars

1. Internet scale over enterprise scale

2. Dynamic intelligence over static intelligence

3. Borderless over perimeter

4. Modular over monolithic

Consumers and Things over employees: traditional IAM was developed to support the identity management lifecycle and authentication of employees. In today's and the future digital world, the system must be capable of supporting consumers and internet users, whose requirements are more dynamic. For example, registration of a new user in an enterprise is very different from registration of a consumer in an e-commerce system: the artefacts, the validation of those artefacts and the establishment of a unique identity all differ. In the consumer space there are more unknowns, and hence the risk of false negatives is high. It is even higher when a device needs to be registered. Thus, the assumptions, rules, processes and exception management must be modified to support the diversity of scenarios in the IoT space.

Adaptable over predictable: the rules of the identity management function in IRM must be dynamically adaptable based on context. For example, rules for access management and authentication must be derived dynamically from the contextual risk of the environment. This is even more important in the IoT space: a significantly large number of devices will access a system only once, and many devices will converse using peer-to-peer access. In all these cases the system being accessed will not have pre-defined rules, so the IRM components must derive rules from environmental context.

Top line revenue over OPEX: next-generation identity will be a revenue enabler and in some cases a revenue generator. It is expected that the majority of business will move online, and without secure identity management consumers will not be ready to practise online commerce. So IRM must be considered a revenue enabler, unlike traditional IAM, which was developed to support employee access and hence was considered OPEX. The interaction with many users, and the collection and validation of identity artefacts, will put some e-commerce enterprises in the position of trusted custodian of identity, which they can use to spawn an "Identity as a Service" line of business.

Velocity over process: in the classical IAM world, complex processes for the identity management lifecycle delayed fulfilment, and employees lived with it for years. In IRM scenarios, the demand is to fulfil requests in near real time, and hence velocity must be higher in priority.

Internet scale over enterprise scale: the number of consumers, including human users and devices, will grow exponentially. IRM systems must be able to scale to serve internet-scale consumers. They must run 24 x 7 x 365 and be always on. They must meet SLAs and consumers' latency expectations. Since the consumers will be a mix of human users and devices, the systems must be able to handle varied performance expectations.

Dynamic intelligence over static intelligence: traditional IAM systems are developed to handle a fixed set of known events. In IRM scenarios, especially with IoT, new devices will generate new events, so static systems will not be able to meet the required service expectations and security. IRM systems must be able to derive contextual intelligence, using improved AI techniques and real-time data analytics, in order to derive rules.

Borderless over perimeter: in traditional IAM, the network perimeter of the enterprise defined the boundaries. In the IRM world the perimeter vanishes, since users and devices are ubiquitous and can connect from any geolocation and any network. Identity will be the next perimeter.

Modular over monolithic: IRM systems must be developed from the ground up and must be built modular. They must be designed to include sophisticated extension points. This is very important, since the behaviour of the accessing consumers can and will change often, and all scenarios cannot be built in at the beginning. A modular design based on a well-defined framework that supports workflows and plug-ins must be present in IRM systems.
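To make the "Adaptable over predictable" and "Dynamic intelligence over static intelligence" pillars concrete, here is an added example (written for this guide, not code from the article or from the Kantara Initiative) of a minimal IRM-style decision: identities of the three kinds named above (human, device, application) are linked by relationship triples, and each access request is decided from the relationship plus a contextual risk score instead of a pre-defined rule per device. The identity names, relation labels, risk weights and thresholds are all illustrative assumptions.

```python
from dataclasses import dataclass
@dataclass
class Identity:
    id: str
    kind: str        # "human", "device" or "application"
    attested: bool   # was the registration artefact validated at enrolment?

@dataclass
class Context:
    network_trusted: bool
    first_seen: bool   # subject has never touched this resource before
    geo: str           # coarse location label, e.g. "home" or "unknown"

class IrmPolicy:
    """Identities plus relationship triples; access rules are derived per request."""
    def __init__(self):
        self.ids, self.rels = {}, []   # rels: (subject, relation, object)
    def register(self, ident): self.ids[ident.id] = ident
    def relate(self, subj, rel, obj): self.rels.append((subj, rel, obj))

    def path(self, subj, obj):
        """Direct relationship, or one hop through an identity the subject owns."""
        direct = [r for s, r, o in self.rels if s == subj and o == obj]
        if direct:
            return direct
        owned = [o for s, r, o in self.rels if s == subj and r == "owns"]
        return [f"owns:{s}>{r}" for s, r, o in self.rels if s in owned and o == obj]

    def risk(self, subj, ctx):
        """Contextual risk score stands in for a static per-device rule table (weights are assumed)."""
        score = 0 if subj.attested else 40   # unvalidated artefact: the big unknown from registration
        score += 0 if ctx.network_trusted else 20
        score += 20 if ctx.first_seen else 0
        score += 20 if subj.kind == "device" and ctx.geo == "unknown" else 0
        return score
    def decide(self, subject_id, resource_id, ctx):
        if not self.path(subject_id, resource_id):
            return "deny"                      # no relationship: nothing to derive a rule from
        score = self.risk(self.ids[subject_id], ctx)
        if score >= 60:
            return "deny"
        return "step_up" if score >= 30 else "allow"   # step_up: re-attest the device / MFA a human

def build_demo():
    """Constructed sample (illustrative): a human, her thermostat, a freshly enrolled sensor, a cloud app."""
    p = IrmPolicy()
    p.register(Identity("alice", "human", True)); p.register(Identity("hvac-app", "application", True))
    p.register(Identity("thermostat-1", "device", True)); p.register(Identity("sensor-9", "device", False))
    p.relate("alice", "owns", "thermostat-1"); p.relate("thermostat-1", "reports_to", "hvac-app")
    p.relate("sensor-9", "peer_of", "thermostat-1")
    return p
```

The owner reaches the application only through the device she owns, the unattested peer sensor is refused on its first contact, and a known device calling in from an unknown location on an untrusted network is asked to re-attest rather than being denied outright.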

This article was originally posted on LinkedIn.
