A maturity level matrix for Identity Fabrics

The term and concept of Identity Fabrics has become popular in recent years. We observe widespread adoption of the concept as the foundation for further evolving IAM (Identity & Access Management) infrastructures. To provide a guideline for organizations, KuppingerCole Analysts have developed a maturity model for Identity Fabrics, as we have done for other areas of IAM and cybersecurity.

What makes up maturity of an Identity Fabric

When working on such maturity models, the first question to ask is what makes up maturity in that segment. For Identity Fabrics, there are five main areas:

  1. Supported identities: The scope of an Identity Fabric must extend beyond the workforce. Ideally, it covers all types of identities, human and silicon ones, but at minimum all human identities, including customers and consumers.
  2. Convergence: Identity Fabrics are about a holistic perspective across all functional areas for IAM. This does not mean that there should be only one tool used – it can be more, but they need to be integrated.
  3. Integration: Integration is required at all levels, from the user interface to a consistent set of APIs, the Identity API layer, and to data. Again, this does not mean “only one database”, but the accessibility of data across all functional areas.
  4. Flexibility: Identity Fabrics are flexible by default. This requires modern architectures, based on microservices and – unless delivered as Saas only – flexible deployment models, but again also a comprehensive set of APIs.
  5. Supported systems and services: Identity Fabrics must support the hybrid reality of organizations, from modern SaaS to legacy applications.

With Identity Fabrics being defined as a comprehensive, modular, and flexible approach for all IAM, not every IAM infrastructure qualifies as an Identity Fabric.

A maturity model for Identity Fabrics

Based on these baseline requirements, even the level 1 (“initial”) raises the bar a bit higher than some might expect. The blueprint must cover all areas of IAM. It requires a unified UX (user experience) at least for the main capabilities.

Fig. 1: A CMMI model targeted at Identity Fabrics. There is a minimum level of maturity required to call the IAM infrastructure an Identity Fabric.

Most importantly, the architecture and the interfaces must be “modern” in the sense of having flexibility in deployment and providing a consistent set of APIs, so that the the API layer can then be used by other services such as modern digital services to request and consume identity services.

Fig. 2: The KuppingerCole Identity Fabrics model as the foundation for developing organizations’ own Identity Fabrics concepts.

This does not mean that there is no place for existing, traditional IAM solutions. They can form a part of the Identity Fabric and deliver services, until modernization can take place. Moving towards an Identity Fabric is a journey. Traditional IAM solutions can even be utilized for a longer period for providing connectivity to parts of the legacy IAM infrastructure.

More on this at EIC 2023

Identity Fabrics are a key topic at the European Identity Conference 2023. My colleagues Christopher Schütze, Dr. Phillip Messerschmidt, and I will run a pre-conference workshop on “Building the roadmap for your future IAM”, where the concept of Identity Fabrics plays an essential role. In the Identity Fabrics track, I will give a presentation on the Identity Fabrics Maturity Model. I’ll be around for the whole conference (no surprise…), so don’t miss the opportunity to meet  me in Berlin.