Event Recording

Kim Cameron - The Cloud is Rewiring the World: What Does it Mean for Identity?


The Cloud is turning out to have important “emergent properties” – features not previously observed in computing systems, never imagined by cloud architects, and not yet widely discussed or understood.  They will be key to determining which strategies prevail in meeting cloud era challenges. Kim Cameron discusses how this impacts the world of identity – leading to better applications and simpler identity solutions for people and things.

Next presentation is also from a vendor. We also, we only have vendors tonight. It's but not really a vendor. Let's say it's given by also an IM veteran Kim Cameron. Nice to see.
Hi,
Long time no see. Okay. Well, I think I'll start with just a few caveats here. Little bit of context. I'm not talking today about Microsoft's hybrid strategy in private clouds, round of applause. No, the I'm just, I really wanted to use today to talk about the things that I've learned this year. Now, I suppose that must sound fairly self-serving and so on. But I think that in this period of incredible development in the cloud, what we see happening is, is really fascinating. And I just wanted to share some of the things that I'm seeing and be able to talk about those things with people at the conference. For people who really wanna talk hybrid, I'm available Thursday at 5:00 PM. We're having a presentation, the future of on-premise Active Directory in the days of Azure Active Directory. So there we will be drilling into actual hard, nuts and bolts of things.
And for those who would like to, I know people have talked to me about learning about Azure AD, AD B2C, just please visit us in the exhibit space. Okay. Now I know some people in the room may not be aware of what we mean by the word tenant in a multi-tenant cloud service. That really makes the rest of the presentation impossible to understand at all. So I thought it would be actually worth just spending a second on that. In the service, in the idea of what, what I really consider a cloud service, as opposed to a private cloud, you have many different tenants who represent the entities that use the service. So in enterprise and government computing, those tenants are enterprises and government departments, government governments at the federal provincial state, local levels and so on. And they can be of all different sizes.
They can be little tiny tenants. They can be test tenants. They can be massive. What we call mega tenants with, you know, hundreds of millions, even billions of people in them, or devices or pieces of software being registered and all that kind of thing. So that's what we mean by tenants. And the idea here is that the tenants are all independent from each other. So the service isn't really one service. For example, if Microsoft is operating a multi-tenant service, we don't own the information in the service. Each of the tenants owns the information in their tenant and a number of a number of us in the industry have, have adopted this approach. And when I talk about the cloud, I'm I'm, I want you to read it as multiple clouds. I'm gonna give examples from Azure Active Directory in the place where I work, because that's where I actually know what I'm talking about, which I thought might be amusing, but I'm really referring to the same phenomena happening all across the industry.
And I'm talking about what emergent properties. So what I mean by that is when without really trying to do so you, you discover that a complex system has new mechanisms of, of behavior, new structures, new patterns, new properties that you haven't seen before. So they arise during the process of self-organization of the system. We're familiar with this in biology, as we see more complex systems built out of simpler ones. And I believe we're seeing that in the cloud. The emergent properties that I'm gonna talk about are concentration, rate of adoption, commonality of operations, issues with the issues with concentration, the speed of evolution and the immune system, the immune system being directly related to the transformation in natural selection that happens within the cloud environment.
Now, of course, a lot of people would imagine that the cloud could look like this. And when I was about 17, I thought so, but for reasons that many of you are familiar with in terms of the huge investment in, in, in, in capital and everything else, that's required to create one, the level of expertise and so on, the cloud really looks much more like this. So it's concentrated. It's going to be concentrated. It's a given because of the, basically the economic factors that form the out outstanding definition of things. In order to get the cost benefits and everything else, you have to have the concentration. Now, the concentration is interesting because it produces both positive and negative outcomes. And I'd like to begin, you know, being an eternal optimist, as everybody knows, I will begin with the positive couple of the positive outcomes. So one of them is this astonishing rate of adoption.
Now I'm showing here what I, what I decided to do is to just take a bunch of characteristics of Azure active directory, normalize them all and put them on a graph so that people get, get a feeling for the rates of growth that we're seeing. And I mean, it's, to me, it's still slightly incredible that, you know, at the beginning of, of a year, you, you, you have in our case 5.5 million tenants, so that's 5.5 million enterprises or entities that are trying things out that, that, that are nonetheless enterprises by enterprises, I'm including government of, of course. And at the end of a year, it's almost doubled as, as Jackson, no, as Brandon was saying, it's, it's faster than Moore's law 9.25 million tenants at the end of one. Well, it's actually 11 months. But similarly, if, if you look at the other figures here, if you look at the user count and its rate of growth, which is the green line or the number of active applications and its rate of growth, which is the yellow line or the number of devices, which is the most astonishing, it is the blue line.
You'll see the same kind of what I think of as just astonishing rate of, of, of adoption. And so the question is, you know, how can you get this kind of rate of adoption? And I think, you know, we, we all know deep in our bones that it's through network effect. The network effect is you have some kind of an initial mechanism that, that starts these things off. So for example, Microsoft had Office 365 as a, as an initial initial cloud service that, that had a lot of adoption, very fast. Salesforce had all kinds of users, et cetera, et cetera, et cetera. So you have this initial sort of a thrust, and then you have this virtuous cycle. If, if Office, Office users are organized in organizations which become tenants, the tenants then end up having a number of users and those users can grow extremely fast as they decide to put people onto the system.
And all of those users have devices, more and more devices, it seems. And then as users and devices and tenants are on the system, more apps will be attracted. Both apps created by Microsoft itself, for example, or apps created by third parties. Those apps will attract more tenants. The tenants will attract more or will have more users and so on. And so if you actually put together the, the numbers, you can see that these things actually layer to create even, even a, a more profound effect. You, if you take the volumes here, then you can see that the active apps, all of these different vectors contribute to the, to the, this astonishing growth.
So we're left because of all of the tests, tenants, and all this kind stuff. I, I, I don't wanna make you think that I, what I was showing you is raw metrics that are coming out of our systems. There, we, we figure when we clear away the test tenants, you know, we've got about 8 million organizations, et cetera, et cetera. Now concentration brings benefits. As I said, the, the adoption is certainly a benefit because that creates this huge resource in the, in the cloud that helps people and, and is cost effective, but there are other benefits. And this is the one that really surprised me and that I wanted to talk to you about today.
And I, let me begin by saying compliance with standards in the cloud is not optional. They actually are the very basis of the digital world, but standards as anybody who who's worked with standards knows they, they allow for many options and enterprises have traditionally had very different operational procedures. Now, I don't know, are there, I'm sure there are people in this room who have, who have been, who have suffered from the fate of having to do a cross organizational project, where you have two teams run by two different operations teams and you have to get them to implement and connectivity over the same protocol. I won't go into it cuz it's gruesome. I'm sure. You know, it will probably bother some of the people in the audience to hear what goes on, but it's a tremendously wasteful experience. I ask you to consider this what the cloud actually ends up producing. The multi-tenant cloud is operational commonality. This operational commonality allows compliant automation of connectivity because it's no longer a member of it's no longer a question of convincing the operations teams about how they should figure out how they can interact. And inter-operate, it's simply built into the operational nature of the system that it will interact.
So to put it in a nutshell, what is operational commonality? Well, we at Fabrikam want to let Contoso sales employees access our reseller site. You have requested it; thus it is. So there's no argument between the operations teams. There's no issues about the, how the protocols fit together. It's just an outcome. It is an emergent property of the cloud that you end up with operational commonality. And I really hadn't, I haven't heard this discussed and I hadn't really thought about it or predicted it. It just suddenly was staring me in the face. And I just think it's so important. I wanted to talk about it here. So what is operational commonality? 8 million enterprises running their identity systems the same way securely and professionally.
I read a very interesting article by Martin. Of course, all his articles are very interesting as, as everybody knows. And it was, it was dealing with the question of a lot of cloud providers don't even support standards. And here he is talking about SaaS providers. So they, you can't log in with OpenID Connect. You can't log in with SAML. We can't do anything like that. You have to use usernames and passwords, and you're basically stuck because your users want to do these things, but you can't. Now my, my view is that 8 million enterprises together have the economic power to convince cloud providers to support standards securely and professionally. There's strength in, in numbers in that sense. So my view is that these concentrations of, of commonality will be able to propagate to other parts of the system and increase its its security and robustness.
Now, on the other hand, there are big issues with concentration. Monoculture is the, is the obvious thing that people, people worry about. People say, well, the behavior is predictable. It's easier to attack or it's all, there's a honey pot. It's a wider impact for of the attack, but the mitigations are actually very interesting and people should think about them. First of all, if the behavior is predictable, you have finite surfaces. So when you have operational, when you have the operational identity, then you, you can actually have finite surfaces and be able to analyze what, what the vulnerabilities are in a different way. You can use intelligence, cloud intelligence for real time defense because you're all within the same operational environment. And so you can have signals that work across the whole organization, the whole, the whole set of tenants and detect the at the earliest. And anomal in terms of using behaviors that are, that are, that are, that are anomalous with respect to those expected.
Another issue with concentration is fear of dependency. People becoming prisoners of vendor protocols and APIs or lockup of their data. But I think there are mitigations here, first of all, binding commitments to standards and demonstrating API access to all tenant data from the beginning. This is one of the things that Microsoft has really put a lot of investment in. And you know, I, in order to think about the, you know, I don't wanna sound too blockchainy, but support for distributed data stores as ways to, to, to ensure lack of lockup of data. Now another of the emergent properties is the speed of evolution. You know, code development takes about as long as it did pre-cloud. I, I had some, some of my colleagues tell me, Kim, that's just not true. It's it's much, much faster in the cloud, but you know, as an architect, I'm not entirely convinced.
So, but the main difference is the whole customer base can simply turn it on. In other words, when the code is done, you can turn it on. So this very interesting graph here from, from, from AAD is about turning on device count, turning on this new capability to register devices in the directory. And you can see the rate at which it happens. And all of a sudden you have 40 million devices registered. I mean, that's really unprecedented compared to the way things used to happen. Another example, I'll, I'll just draw from the AAD B2C thing. You know, you can suddenly just put a switch that allows people to turn on professionalization of their customer relationships, reduce their risk and all those other things. And there, what I learned was that through preview customers can now directly impact and help heal code very early in the process because you're developing in the cloud.
You can let people in, you can monitor any problems that they're having. You can make them, you can have a collaborative process that is incremental. You don't have to build the whole thing in your basement and then see if it floats the customers can be part of the security validation. We've had governments, for example, adopting this technology who did all of the security analysis when, when, when the product was still under development. So all of this results in a much higher standard at GA. So for example, by the time a product is GAed at Microsoft, now it has all of the metrics of a production system because it's been incubated in a production environment.
So I'll sort of move here, just, just to give you come back to this question of the astonishing rate, the number of consumer identities managed by 1000 organizational customers currently in the B2C preview is greater than 4 billion. So if you talk to those customers, they will tell you that within that period of time, I, I showed you a second ago. They expect to have their 4 billion customers in, in, up and running. I'm gonna have to go really fast because I think I started a little late. Am I? Where am I am at the end here?
Five minutes, one minute. Okay. Why don't you look at this, the emergent immune system. It's entirely different when you do your code review, you know, when you do a security review of code one team and a security and a, an operations review by the operations team, you get a different quality than when you have a unified joined review of code and operations. It's simply a different level of, of capability. You have to have automated JIT processes, machine learnable, access patterns and all of those things. And this is what, what we've been adopting. And I know our competitors have too, where what we're trying to do is use the global sensor network with machine learning so that we can detect and auto remediate in real time and developing customer oriented mechanisms for people to manage that. Here's one where the system discovered that somebody's username and password was on one of the leaked lists of usernames and passwords that appears on the dark internet. And you can actually inform the system administrator that he's got this problem of compromised credentials.
And along those lines, we're investing a billion dollars this year alone in a holistic security strategy. So there's an impact on natural selection. A new immune system changes natural selection. It's more security based. It's entirely security based. I must say that this year is the first year, first time in my entire career that I saw my manager say, okay, I'm gonna take all of our work and put it on hold, and we're gonna do no new features for two months. We're just going to harden and review and just look at every square inch of our surface area and harden it. And this one could have seen if there had been a security incident. No, this was with no security incident. So I believe in other words, that this emergent immune system is actually changing the natural selection of the cloud environment. Okay. Thank you.
Thank you, Kim. I think we still have one short for a very short question because the one, probably many people would like to have an answer to. Can we show the question list please?
Oh, you're analyzing my, my you're analyzing the questions in real time. That's just like the security approach.
No, just reading them.
Oh, okay.
Okay. There you go. Okay. Do you think it's kind of a little bit, okay. Maybe not too fair, but anyhow, maybe you can find an elegant answer. Do you think that companies register Azure because they rely on Microsoft security or because they don't care and want to work fast?
I think there are different kinds of companies in the world. I don't think you, I can't put them all in one category, but Microsoft, I mean, I know that I have customers who really, really care about their, their security, the number of huge global 2000 customers who are reliant on this technology is extremely high. So they, they, you know, they, their, their jobs depend on security just as yours do. And, and mine does. On the other hand, at the very bottom of the market, you have people who don't care. They, they have no IP to protect. And so they'll naturally I, IP protection is not an issue if you have none. So I think that you actually, this goes on both, both, both directions.
Thank you so much.
Thank you.
