As in past years, Kuppinger Cole has identified the top 10 trends in IAM (Identity and Access Management) and GRC (Governance, Risk Management, Compliance). Things are moving forward in 2009 despite the economic crisis; GRC vendors in particular are even benefiting from the crisis and the increasing investments in GRC. The need for Risk Management is now well understood.

But our analysis shows that there are advancements in many other areas of IAM and GRC as well. The impact of Cloud Computing, new electronic passports as a means of authentication, and more discussion about privacy are just a few of them.

Trend No. 1: GRC as the Business Control Layer for IAM

GRC (Governance, Risk Management, Compliance) is the superstructure for IAM. GRC provides the business controls (e.g. policies, roles, …) used to manage identities and authorizations. Thus, the typical provisioning layers will either be expanded to support GRC requirements or become more lightweight, acting as little more than an interface layer between the business controls and the systems being provisioned.

Overall, the maturity of GRC platforms will continue to increase. That includes the addition of missing features as well as better support for business policy management and better interfaces to existing provisioning systems for effective authorization management.

Trend No. 2: Growing Maturity of Identity 2.0 Approaches

Identity 2.0 is becoming more mature. Over the course of the last year, attention shifted from the lightweight OpenID to the more sophisticated Information Cards, now supported by the open ICF (Information Card Foundation). We will observe increasing momentum in that area, even though the discussion about viable business models for the Identity 2.0 world, especially for Identity Providers, will remain intense this year.

Trend No. 3: Multi-purpose Cards gain Momentum

A quiet evolution has taken place in the market for authentication tokens. Multi-purpose cards are becoming increasingly important. These cards support not only strong authentication for IT systems but also physical access to buildings and sometimes even payment functions or other features. Such advanced cards are increasingly considered the mechanism of choice for strong authentication: by serving several use cases, they reduce the number of tokens employees have to carry as well as the logistics costs for the cards themselves.

Trend No. 4: Context and Versatility become Reality

Context-based authentication and authorization has been discussed for quite some time, as has versatile authentication (e.g. the flexible choice of authentication technologies within one platform). Both approaches are becoming increasingly mature and are supported by more and more vendors. In that context, soft tokens are now frequently supported as one authentication option, both to reduce logistics costs and to provide a fallback in case a physical token is lost or destroyed.

Trend No. 5: More IAM and GRC for the Cloud

Cloud Computing will be the next big thing in IT: a fundamental paradigm shift which provides far more flexibility for IT infrastructures than ever before. That requires IAM as well as GRC for the cloud. Currently, there is only limited support for basic IAM standards like SAML. Increasing customer pressure in a growing market will lead to broader support for existing and upcoming standards like SPML, OAuth, XACML or CARML, as well as to the definition of new standards.

Trend No. 6: Portable Identity Information for Social Networks

Today, typical social networks don’t support a flexible exchange of the identity information (including relationships and all the other data) stored in these networks. That will change. The first approaches to open, exchangeable identity and relationship information for social networks are emerging. Users are putting increasing pressure on the providers of social networks. And there is the impact of Identity 2.0, which allows new types of social networks to be built. Thus, the lock-in of information in social networks will come to an end.

Trend No. 7: GRC going beyond IAM

GRC will not only become a kind of business control layer for IAM; GRC will also expand beyond IAM. The first vendors have started to add SIEM (Security Incident and Event Management) capabilities to their GRC platforms. And some of the large vendors are preparing to add ITSM/BSM (IT/Business Service Management) and other features. Over time, we expect GRC to become a more complete business control layer, one which allows the business to provide policies and controls to IT and IT to report status information back to the business.

Trend No. 8: First Impacts of new Electronic Passports

The new Electronic Passports (ePA) will become part of IT strategies, especially in Germany with its sophisticated approach of an ePA that also supports features for non-governmental use cases. The first solutions supporting the ePA for strong authentication, as well as for integrating Identity 2.0 technologies with the ePA, will appear.

Trend No. 9: Increasing Service Orientation in IAM and GRC

A service-oriented approach to IAM and GRC will become increasingly important in three areas: defining and managing IAM and GRC services, building lightweight, service-oriented implementations (especially for provisioning), and supporting SOA. Overall, that will be part of a shift from today’s frequently monolithic approaches towards a more flexible concept of IAM and GRC.

Trend No. 10: Privacy is back – and there are more Solutions

Privacy has been a non-issue for quite a long time. Despite some regulations, there hasn’t been much discussion about privacy. And, what is more, there haven’t been significant technical improvements to support privacy requirements. That is changing. New technologies for supporting privacy, especially the concept of “minimal disclosure”, are on their way, and there is far more discussion about privacy issues than there has been for years.