Misalignment and the rise of event-time IAM


My good friend, colleague, collaborator, etc. Andi Hindle has started blogging, and I for one am thrilled he has added another venue for sharing his thoughts on the identity space. His latest post speaks to the concept of continuous identity, one in which our systems “have the opportunity to make [access-related] decisions continuously based on a variety of signal inputs, including user-provided input, geolocation, user behavior, third-party fraud and risk signals, and so on.” In some regards this isn’t necessarily a new idea, but a lot has changed around our identity systems that makes a more continuous evaluation of assurance needs and the associated risks and signals far more viable than in the past.

I love this notion, not only because what I wrote about Zero Standing Privilege dovetails nicely with Andi’s ideas on continuous identity, but also because it starts to lay bare something that has been bothering me about the identity market for some time… a fundamental misalignment.

Dividing the world into two

For decades now, the identity world has been split into two pieces: admin-time and run-time. Admin-time is the work that tools and administrators do to maintain user accounts and their associated privileges. This includes how users gain both new user accounts and new privileges in those accounts. Run-time is everything related to the use of those accounts, but it primarily centers on single sign-on and authentication. A slightly reductive way of thinking about things is that admin-time is everything that happens before you log in, and run-time is everything that happens during the login process. (And you can dive into these topics over at IDPro’s Body of Knowledge: admin-time and run-time.)

And the notions of admin- and run-time imprinted themselves on the market. What we know of as IGA tools are admin-time tools. They set up and maintain user accounts. I grew up in Admin-time Town, getting my start in user provisioning. Federation (and WAM before it) along with strong authentication are the archetypes of run-time. I would also lovingly lump classic authorization tools into this space – think XACML for customer-developed apps.

This separation, for better and mostly worse, was formalized at least in part due to the analysts. IGA is equated to admin-time. And the term access management is equated with run-time. (Leave aside the fact that both manage access of someone or thing to resources via user accounts and privileges.)

Roughly speaking the world was split into these two pieces.

This dualist notion of the identity world is overdue for a change, and Andi points straight at it.

Two becomes three: Welcome, Event-Time IAM

The old notion of admin- and run-time is perfectly fine to start with, but the reality is that there is a third category that we can now utilize: event-time. One can think of event-time IAM as the ability to apply controls to an existing user session based on a signal received and processed by an identity fabric. Those controls can include terminating the session outright, revoking specific privileges, or even adding specific privileges.

It is crucial to realize that we now have the ability to actually do event-time IAM at scale. Standards such as CAEP and SSF give us a “dial tone” to send and receive signals such as “password reset” or “session terminated.” Endpoint technologies give us greater insight into the security posture of the devices people are using. Modern compute and database capabilities give us the ability to reason across a variety of environmental data, not only device posture but also business conditions. And event-processing hubs can reach out and change user session permissions.
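As an added illustration (not code from this post or from any CAEP/SSF implementation), here is a small Python receiver that turns the two signals named above into event-time controls on live sessions: a password reset steps the user’s sessions down by revoking a privilege, and a session-revoked event terminates them outright. The session store, the receiver audience, the email subject format and the event-to-control mapping are assumptions, and the SET is taken to have had its signature verified before this step.

```python
import time

# Event-type URIs defined by the OpenID CAEP specification.
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
CREDENTIAL_CHANGE = "https://schemas.openid.net/secevent/caep/event-type/credential-change"
EXPECTED_AUD = "https://rp.example.com"  # assumed audience of this receiver
SEEN_JTI = set()                         # replay guard keyed on SET ids

def demo_sessions():
    """Constructed in-memory session store: session id -> owner and live privileges."""
    return {
        "s1": {"user": "alice@example.com", "privs": {"read", "admin"}},
        "s2": {"user": "alice@example.com", "privs": {"read"}},
        "s3": {"user": "bob@example.com", "privs": {"read"}},
    }

def example_set():
    """Constructed SET payload: a password reset for alice and a session termination for bob."""
    return {
        "iss": "https://idp.example.com", "jti": "set-001", "iat": int(time.time()), "aud": EXPECTED_AUD,
        "events": {
            CREDENTIAL_CHANGE: {"subject": {"format": "email", "email": "alice@example.com"},
                                "credential_type": "password", "change_type": "update"},
            SESSION_REVOKED: {"subject": {"format": "email", "email": "bob@example.com"}},
        },
    }

def apply_set(payload, sessions):
    """Apply event-time controls from a signature-verified SET payload; returns (control, session_id) actions."""
    if payload.get("aud") != EXPECTED_AUD:
        raise ValueError("SET not addressed to this receiver")
    if payload["jti"] in SEEN_JTI:           # a replayed event must not re-fire controls
        return []
    SEEN_JTI.add(payload["jti"])
    actions = []
    for event_type, event in payload["events"].items():
        subj = event["subject"]
        if subj.get("format") != "email":    # demo understands only email subjects
            continue
        targets = [sid for sid, s in sessions.items() if s["user"] == subj["email"]]
        if event_type == SESSION_REVOKED:
            for sid in targets:              # control: terminate the session outright
                del sessions[sid]
                actions.append(("terminate", sid))
        elif event_type == CREDENTIAL_CHANGE and event.get("change_type") in ("update", "revoke"):
            for sid in targets:              # control: revoke a specific privilege, keep the session
                if "admin" in sessions[sid]["privs"]:
                    sessions[sid]["privs"].discard("admin")
                    actions.append(("revoke-admin", sid))
    return actions
```

Unknown event types and unsupported subject formats are skipped rather than acted on, so a transmitter cannot trigger a control the receiver has not explicitly mapped.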

The terminological misalignment

Adding this new point of control opens a lot of opportunities for more contextual and accurate access management, and herein lies a problem… our market term for these kinds of controls is misaligned.

Truth be told, what we do in admin-, run-, and event-time is access management – literally, we are managing the access associated with a user either before they log into something, when they log into something, or after they have logged in. Yet that term has become synonymous with just run-time. (And having an analyst-created fantastical quadrilateral that uses this name but houses a hodge-podge of IAM capabilities doesn’t help whatsoever.) So yes, we identity nerds do love wrestling over words and their meaning, but we actually do need a term to describe the management and application of controls applied in the midst of a user session… any ideas?

Onward

I’ll admit, I am a pretty big cynic when it comes to ideas for businesses, especially in the identity space. Making massive-scale change in well-established markets like “access management” is not easy, to say the least. But there’s a really interesting vibe I am perceiving in the identity world – that well-established spaces and product categories are (over)due for some upheaval. Sometimes that upheaval comes from the realization that there is more choice and more opportunity lurking in places we didn’t expect. I think event-time IAM is one of those opportunities!