Analysts typically are pretty close in their opinions. They’re analyzing the same markets and pool of vendor solutions, so it stands to reason that they wouldn’t depart much from each other. So it can be entertaining when they disagree, except that as a practitioner, eventually you will have to make a decision on which one is right.
It’s like trying to decide for Donald Trump or Hillary Clinton if you’re a US citizen. Remain in or leave the UK. Pasta or chicken on the international flight. The choices are tough, because the implications are so significant, and the outcomes so murky.
While Identity and access management (IAM) is a mature discipline supporting internal employee access to applications, what is the future of IAM in support of end customer interactions? It turns out, that future seems to be murky as well.
Digital Business Transformation and the impact on IAM
To start, the terminology remains unsettled. Various analyst firms refer to the trend toward greater interaction with consumers using digital technologies as “digital transformation” (IDC), “business transformation” (Gartner) and “digital business transformation” (Forrester). A search indicates that they use these terms interchangeably and somewhat inconsistently. But the important point they agree on is that there is an expanding demand on the part of consumers to have access to information and services instantly and digitally, and this will create a need to change the way consumer Identity and access management (CIAM) is provided.
As consumer reliance on digital technologies increases, expectations for direct and easy access to information, such as electronic medical records or seats available on a flight, will only increase. Retailers, of course, have been interacting with customers online for over a decade, and the IAM systems they use are typically segregated from the IAM used for employees. But, how should other organizations map out the decision to implement consumer IAM?
The debate - how to enable Consumer IAM
When considering IAM in support of digital business transformation, Gartner has called for a “bimodal” approach. Mode 1 represents the legacy estate of applications typically accessed by employee and internal users, while mode 2 is the process of enabling access for customers. The idea is to run two separate, parallel IT organizations in support of both modes.
Martin Kuppinger of KuppingerCole analysts sees it a different way, though. In a recent blog he pointedly declared, “there is no Consumer Identity & Access Management at all – at least not as a separate discipline.” He makes the case that there are no customer-facing applications that do not also require administration and operational support from employees. Therefore, it is potentially a security risk and management challenge to run two separate IAM systems to support application access for employees and consumers.
Forrester is critical of a bimodal approach, saying, “CIOs need a single, bolder business technology (BT) strategy to accelerate innovation and simplification, not a two-class system that adds more front-end and back-end silos of complexity.” Forrester does promote Customer IAM, although they advise against using a homegrown system and working with a vendor solution that is fit for purpose.
How do you choose?
This decision really is one that requires an evaluation of future business plans. From a security and risk perspective, Martin Kuppinger makes a good case that there is value in having a unified system for front and back-end IAM, but Forrester points out that scalability will be the major consideration to effectively support both systems. However, some CIOs will see a bimodal approach as a quick fix to get the best of both worlds and stay ahead of digital transformation. And, many IAM vendors are working to address both use cases in their portfolios, which may make the choice easier.
We know that these types of questions have no easy answers, especially when the analyst firms disagree. But, understanding the points of the debate can help inform a decision best for your organization.