Event Recording

Identity Fabrics 101


We want to have a look at the identity fabrics. We want to dive deep into the concept of the identity fabrics, and that's, that's the reason why we call this Identity Fabrics 101. So have a look at the identity fabric in general. Here we go. We start with an overview of the overall picture. To the left, we have all the identities in their different forms and their different roles. And the aim is to lead all these identities to the applications to the right by using the infrastructure that is below, and by using services and by providing services and by integrating with the services that are on top. What would be a major highlight that you would set when explaining such an identity fabric and to drive deeper into the picture?
So I think there, there's three elements that I highlight at the center. I would highlight this capabilities to services to tools. So it's really about understanding what are the requirements, which capabilities are needed to fulfill these requirements, which services provide these capabilities, and in which tools do they finally come, which could be a cloud service or whatever. Typically something which in, in some form deployed as a service. And this structure helps in moving from the requirement to the tool instead of what unfortunately happens way too frequently, saying, Oh, I have a problem. This might be the right tool. Really, it's really to go through this process and that always looks a bit different for customer. The second thing I'd like to highlight is the upper level of this graphic, which is about, yes, we and identity fabric can manage services like SaaS services, like digital services can create accounts, can manage accounts that can manage entitlements.
But there's on the left, upper left, there's the other way around. This is an important paradigm shift we are increasingly observing with identity management: not only managing users and accounts, but providing services to other applications to use digital services where some most easiest to implement because we are trust building them and they can reach out to end manager and say, Hey, I need a new user account here. I need to do that. I need ization providing services via APIs. The identity API layer is the second element. And the third one is, it is an evolutionary thing. This becomes visible at the bottom because the identity fabric must serve what you have, all the legacy in your IT. And that also could mean that you, for instance, integrate what you create, what you deliver as new services, with your legacy IAM, which then is the intermediary, it so to speak, gets less and less functionality. It becomes stupider, so to speak, but it still may deliver the connectivity to some legacy systems you will retire sooner or later, where you don't want to invest much. And so is structure of approach from requirements, tools and a comprehensive picture across all of IAM, all capabilities, all services. And the center is important. The paradigm shift from not only managing inside out but also outside in providing services and the migration and transition approach. These are the three essentials here.
Absolutely. And I would want to highlight because from discussions that we have with, with, with our customers and, and with also workshops where we try to, we don't try, we use this paradigm for really arching future identity blueprints and, and identity architectures. It's very important to understand these are capabilities. These are not implementations, these are not pieces of software. So if you, for example, look at the, the capability of access, which is to the middle and the left area, access federation, risk and context based access, that does not mean that there's only a single block that provides this. This is a capability that might be needed in different areas. Might be customer facing, it might be internet facing, it might be facing to the, to an internal organization if there is still such a thing. So a higher risk IdP plus an outbound facing IdP. This is about capabilities to be, it's about understanding what you really need when it comes to implementing your services. So this is not a, an architecture in itself. It's a, it's a concept for describing architectures.
And, and in, in, in a bit of e speak, there's an m-to-n relationship between capabilities and tools. So a capability can, in certain circumstances be provided by more than one tool for different audiences, for different types of identities if needed. If it's one tool that can provide it, even better. And there might be, on the other hand, many capabilities that are provided by a single tool and this needs to be analyzed. Ideally, the number of tools behind that is limited. We should for reuse, we look for that, but it's really understanding the different layers and the experiences. Also, it helps when we work with customers to walk through structured approach from what do they have and what do they need or to the serve capabilities to the service. And finally to identifying the right tool or set of tools they need, including a roadmap from where to start, what to do well to continuously increase sort of the, the level of capabilities and delivery of the overall IAM, the identity fabric.
Absolutely. And I think I want to highlight the I API aspect that you, that you mentioned before. Many tools on the market currently and are now exposing most or all of their functionality via APIs. But these are core functionalities, core IGA, core IAM functionalities. Whenever an organization wants to provide additional capabilities and they want to have them more or less specific to them, it absolutely makes sense to, to implement them as part of the overall API framework that's available. So to extend, to augment what is already there, to add what they need as long as it is not provided by the actual services that are below that. So you really can build upon that. And even a vendor adds this to their pool of functionalities over time. And this is what happens. They extend these functionalities. You might want to, yeah, get rid of your own functionalities and move towards standardized. So standardization APIs, secure APIs, authenticated APIs. That is really the glue between the individual components and that is what we're actually seeing in the market. Maybe moving onto a, a specific picture. We, we talk a lot with organizations that are looking for new types of identities. For some organization, this is really something new. For others, this is their core business. We want to talk about customers. How does that change the picture Martin, when we look at identity fabrics and looking at customers and consumers as identities?
It depends on, on, on how, how you, you'd want to look at it. So first it will not change the overall picture, but when you don't say, Okay, what do I need for customers, then it always will be a subset of this bigger picture. So you can think about, okay, what do I need? And you always should keep in mind that's a subset and that subset should align, must align with the broader picture. So the subset is easier because there are lesser identity types, lesser services to the right hand side or targets and in the middle lesser capabilities. So lesser required services and you need to think about the tools, but you, oh, I should see this is a subset of the broader picture. But you can take the perspective and then you can say, okay, this is my broad perspective. Someone fills out that part, someone fills out the workforce, someone's IoT part, we make an overlay and then we are back to the bigger picture and can understand what is, what really overlaps, what is specific, where do we need specialized tools, where can we build on a sort of the core platform for our identity fabric.
That's the way to proceed.
Absolutely. And this subset that we show here, this is not a one size fits all. The idea is also for target organizations that really want to deploy this concept of the identity fabric. That in the end they create their own version of the identity fabric, evolve that over time and have the required capabilities in the individual boxes in this picture and, and evolve that over time. So this is a, a, a specific incarnation of a subset of an identity fabric focusing on a specific use case for CIAM, very narrow CIAM, a core subset. So this is really about having a golden record, having a, a set of core functionalities. This does not look necessarily at marketing automation or outbound channels supporting them. These are backend services to the right. They might be covered there, but the functionality here is very, very narrow and limited, but really focusing on the strengths and the beauty of what CIAM can provide. So the idea is really to make sure that organizations create their own identity fabric building on what they have and what they need.
Exactly.
When we, when we look at our research Martin, of course this identity fabric concept was a concept when it started out. So we you created that it and we really test drove it within the organizations, but over time the market adopted that. So we are now in a situation that vendors really have jumped on the bandwagon and used this concept for also marketing their products for, and they mentioned that also in their, in their collaterals, in their, in their product briefs, whatever they wanted to provide. But we also have a market segment that is, that can be considered to be identity fabrics. Can you explain that a bit more?
Yeah, for sure. And I think this is something we, we have seen growing and one of the interesting discussions that came up when talking about this market segment also was about how do we interpret this term of fabric. In the English language, fabric has a bit of two different meanings. It can be the, the fabric as a mesh or it can be the fabric as something that produces something. And I, I believe both meanings fit very well to what we think about in the identity fabric. It is the mesh which connects everything, which integrates everything and it's the fabric that produces the identity services. So when we look a bit deeper into what, what is this about? We, we've seen this market emerging, we did our research. So we have already published the second version of our Leadership Compass Identity Fabrics and it is looking at solutions that provide a good foundation for building the own identity fabric.
So we have in so to speak two again two interpretations of the term. The one is the technology that serves the identity fabric. That is what we look at in our Leadership Compass Identity Fabrics. And the other interpretation is the identity fabric as the implementation customer has that implementation readily built on a single tool or a single provider's offering. But it will at the core typically consist of one or two, maybe three key components that are supplemented by other specialized tools for certain capabilities that aren't or aren't well enough served by the core products. So what do we look at? We look at comprehensive capabilities in the core areas and this is something we'll touch on in a minute again, which are capabilities in some of the core areas. We look at the ability to provide also comprehensive set of APIs because we discuss it, APIs are essential.
We look at a modern architecture and the architecture to my perspective is more important than the actual deployment model software. A modern architecture, if you have microservices, container based deployments et cetera, it can run everywhere. If it's a public multi-tenant SaaS, fair enough, that's a one of the deployment models that work where come to a good target operating model or it is something that can run well managed. And this is always enabled by microservices, by as of said database deployments, modern architectures. And we appreciate if there are multiple deployment models supported because customers sometimes want something or they want to gradually shift from their, their traditional on-prem to hybrid to fully public cloud world. And truly the concepts should target different types of identities. So this is in a nutshell what we expected. As said, there's the tooling that is what we look in when we compare offerings from vendors and there's what the customer makes out of it. Both are identity fabrics, the one is identity fabric tool, the others the identity fabric implementation so to speak. Maybe you look at some of the capabilities we expect to absolutely this is good support for baseline stuff in IAM.
Absolutely, and if you mentioned that, that there are, that needs to, they want to create or we looking into product or the status products that are really providing a good base functionality. And when we talk about base functionality, then we are talking mainly about two different areas because this is something that will be required for most if not all the identities around. So first part is, first of two is identity lifecycle and provisioning. That is the, the basics that, that are required and that are a typical part of, of IGA tools as well, right?
Yes. It's the traditional IGA stuff and that is where we look at all the typical capabilities from managing users, providing connectors to all the access governance stuff.
Right. So we, we go a bit quicker across this because I think the more important part is where we come to the, to the actual usage, the runtime aspect of identity management. That is the access management part. What, what were the aspects that you were focusing on and what is important when we look at access management within identity fabrics implementations?
Yeah, at the end, when I go back to what I said initially, the, the job of an identity fabric is to enable seamless yet secure controlled, well governed access from everyone I've ever seen to every service. So it's about this access part, the IGA part, lifecycle, provisioning are so to speak, just helper functions to do that. So you need an account to do something, but that could also be created on the fly. But the authentication, the authorization, the ability to federate to services, the flexible user onboarding, flexible registration integration to decentralized identities, all that stuff is increasingly important. And we see this shift from an sort of a deploy-time identity management where we create static accounts and entitlements to a runtime identity management where we at the point of access decide who's allowed to do work, which is anyway a good approach because it allows us to take the context into account to take the behavior into account to make decisions that are not just based on, okay, while ago I said Martin can do that, but saying, okay, I have a policy that says Martin can do that if he provides the proof I as decentralized identity and if there's no sign of fraudulent use here, and that is something I can decide at runtime.
And this is where we put more emphasis on for all use cases because this is relevant for workforce, customers, consumers, citizens, things, whatsoever.
Right. So this concept of risk and context based authentication based on attributes, but also on environmental characteristics, time of day, network you're coming from, device health. This is something that is more and more getting important. And we see that also within our customer organizations that this is really making its way into the organizations. It's, it's well understood it, the, the, the benefit and the, and the increase in security is well understood and that needs to be covered by these products as well. So it's really more about the, the, the access part, the runtime part, the look look really providing adequate scrutiny when it comes to implementing these solutions. And it's not the topic for today, but that is of course also a key component when it comes to implementing zero trust by understanding what is going on to really verifying what's going on. So maybe a final look at the market segment. So if you look at the, at the, at the results of such a Leadership Compass, of course in the end we are looking at, at vendors at products. We've just chosen one picture to have a quick look at that. So product leaders, maybe you want to explain a bit more what's going on here?
Yeah, so, so the Leadership Compass is our way to analyze the markets based on a proven standard asthma, where we talk with vendors, with customers where we collect a lot of data also via questionnaires and analyses. And this then results in a couple of perspectives like the overall leadership, which is so to speak the ad horizontals of this graphic, but also product leadership where we look at how good are the products and their overall capabilities, innovation or market leadership perspective. So we have a couple of different perspectives, which gives quite a bit of insight. And these documents usually are some 50, 60, 70 pages long. So really a lot of depth when looking at a market segment. And, and here we look at who are the, the vendors that in an overall in the product perspective are strongest. We always differentiate between the, the, the leaders. So the ones who are really outstanding, the challengers which are sort of catching up and providing usually very good set of capabilities and followers. Followers quite frequently are highly specialized vendors like in this graphic that are offering a sort of a, actually a bit of subset of capabilities, but something that is rarely found.
So they can be very worse, for instance, the compli to be considered as a complement to some of the large products. And these prospects can help you. And I also want to, to make sure this is super helpful, I believe and our customers are saying it who understand the market and understand who might be the vendors to look at more detail, but never just pick the vendors by looking at such a graphic from whichever analyst company. But use that information goes through the details and then pick a few and go into a process of selecting your, the right tools or tools you need by understanding your requirements, by understanding what you have. And then looking at the tools from a long list or short list to RFI and RFP to well sort out PoC. There is something where we can guide you, but he and his team do it day by day. And the research team where I'm more from provides all the background materials, the insights you need the starting point to select it. So both I think work hand in hand for ending up with the perfect that fabric.
Absolutely. And we've made a quick, right, starting with the identity fabric as a concept. We went through the concept as a whole. We then mapped that to products and to the services that are available on the market or at least part of that. And we looked at the, the product leaders, but I just can confirm with Martin what Martin said. It's really important to work with this concept to design a platform approach that is relevant to the individual organizations. And we have worked with several organizations and identity fabrics look differently based on that concept that they have specific incarnations for the individual organization. Thank you Martin for showing that insight and for explaining identity fabrics in more detail.
Thank you Matthias.