
IAM: Proprietary Vs Cloud

Posted on June 1, 2015.

Wisegate will shortly publish the results of a survey into the current state of Identity and Access Management (IAM) maturity within business. Almost 150 CISOs took part. What we’re going to look at today is attitudes towards identity and the cloud.

Surprisingly perhaps, use of the cloud to store and provision user credentials is still low within business; but it is beginning to grow. The reason for this slow growth probably has less to do with trust, or the lack of it, than with a growing experience in handling cloud vendor contracts.

(c) copyright 2014 John Klossner

In the early years of the cloud there were relatively few service providers. The providers held ascendancy and they offered ‘take it or leave it’ contracts. Risk was pushed towards the customer, and contract terms were rigid.

With something as business-critical as user credentials, most companies left it. But the balance of power is changing. With more providers there is greater competition and a growing flexibility over contract terms within cloud providers. Business is also learning how to handle cloud contracts – it has to: larger companies today can easily use more than 1000 different cloud services.

So a better balance is being struck. Cloud vendors are learning how to deliver critical conditions like audits. And business is coming to terms with sometimes balancing paper audits with third party attestations and on-site physical inspections.

The result is that although cloud-based IAM provisioning is still low, it shows signs of growing and is likely to grow very fast over the next few years. In 2014, only 2% of companies used cloud for identity management ‘moderately’, and none did so ‘always’. By 2015, 13% were using cloud ‘moderately’, and 2% ‘always’.

Taken from the Wisegate 2015 IAM Maturity Survey

But there is one area that shows little sign of growth – and that’s the use of social media credentials. More and more small online service providers are allowing users to access internet services via their social media ID and password. It makes a lot of sense – it effectively pushes effort and responsibility (if not risk) to big companies like Twitter, Facebook and LinkedIn, while simultaneously making access much simpler for the user.

It also makes sense for small service providers with small or hardly existent security departments to leverage the expertise and power of these large companies. But this is not an argument yet being accepted by business in general. Large companies have their own specialist security departments with their own security experts – and the ease with which social media accounts can be compromised by bad actors seems to make this a risk too far.

Nevertheless this social media credentialing approach seems to have spawned the future of identity and access management: the use of specialist third-party companies to attest the user’s identity. It’s a compromise between the old government desire to effectively maintain a strict centralized national identity database and the more modern wild west of social media.

There are currently three initiatives in progress, all using this basic concept: NSTIC promoted by the US government and Verify being developed by the UK government (see: NSTIC – it will prove our identity but will it protect our privacy?); and the independent open source Identity 3.0 being developed by the NFP Global Identity Foundation (see The Global Identity Foundation). My personal preference is for Identity 3.0 for two fundamental reasons: it has little government involvement and is truly global.

The question, however, is will the business world accept this new approach to IAM when it is currently rejecting the social media version; and if so, will it adopt a government or independent version?

So far I have seen little interest in any of these among CISOs. But that is not surprising. You cannot solve today’s problems with tomorrow’s solutions – and all of these solutions are currently little more than vaporware proven solely on paper.

It will be different in five years' time. CISOs will have a choice between maintaining their own expensive proprietary identity ecospheres, or tapping into an inexpensive wider one. The US and UK governments will press for their own systems to be used. They will do this by making online government services available only through NSTIC and Verify identities.

When CISOs compare the cost of running just their internal password management and maintenance efforts with piggy-backing on a system effectively underwritten by government, I suspect things will change. I hope they will choose Identity 3.0 (probably Identity 3.5 by then) – but they will almost certainly choose one or the other.

So what does the Wisegate survey tell us? Overall it shows relatively slow improvement in overall business IAM maturity – and very little adoption of cloud credentialing. Business is still concentrating on maintaining its own proprietary identity ecospheres, and slowly improving them. We know, however, that a revolution is coming.


Insights is a unique commentary inspired by and drawn from the peer-to-peer conversations of some of the most senior CISOs and CIOs in the world. All are members of the gated Wisegate community where they meet virtually to discuss issues and problems in information security.

The statistics in this article were taken from the Wisegate IAM Maturity Survey, 2015.

