Zero Trust Identity: Go From “Identity-As-A-Service” To “IAM-As-An-API”
I just love the theme of our upcoming Forrester Security Forum (Las Vegas in May, and Paris in June — check out Laura Koetzle's definitive blog post). Leapfrog Your Global Competition. Rethink Security; Run At The Threat. There's never been a better time to take a deep breath and rethink how security can contribute to business savvy and agility. The "Zero Trust Identity" report I'd telegraphed in my previous post on API access control is now out, and it's consonant with this theme. I found that if enterprises want to be nimble and secure in getting value out of mobile, cloud, and consumerization trends, they're going to have to get over some bad "unextended enterprise" habits, such as tight coupling to authentication functions.
App dev trends around the open Web (for which see some excellent research here) are throwing IAM a lifeline. The trick is to think in resource-centric, unified, and Internet-scale terms. So the nutshell answer to "How should we deliver our identity provisioning, authentication, and authorization functions now?" is "Expose them through Web-style APIs and make our business apps into clients of those APIs!" An app built this way carries no credential store or role table of its own: it presents a token and asks the identity service, and every authentication and authorization decision lands in one place. That is what lets you partner with other organizations, use SaaS apps, and facilitate mobile usage with the same security and auditability you've come to expect of your own infrastructure.
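To make the "IAM-as-an-API" shape concrete, here is a small added illustration (mine, not Forrester's and not from the report) of a business app written as an API client of an identity service. The three endpoint names (/token, /introspect, /authorize), the user names, passwords and the invoice policy are all constructed for the example; the "HTTP" calls are in-process so it runs offline. The point it shows is the decoupling: the app never touches a password hash or a policy row, tokens are opaque and short-lived, and the service keeps a single audit trail of every decision.

```python
"""IAM-as-an-API, illustrated: an app that delegates authn/authz to a service.

Assumed endpoint names (not a standard):
  /token       credentials in, opaque short-lived token out   (authentication)
  /introspect  token in, subject + scopes out                 (token validation)
  /authorize   (subject, action, resource) in, allow/deny out (authorization)
"""
import hashlib
import hmac
import secrets
import time


class IamService:
    """Stand-in for an identity service exposed over Web-style APIs.

    handle(path, body) plays the role of one HTTP request and returns
    (status_code, json_body). Apps only ever see this surface.
    """

    def __init__(self, token_ttl=300, clock=time.time):
        self._clock = clock
        self._ttl = token_ttl
        self._users = {}      # username -> (salt, pbkdf2 digest, scopes)
        self._tokens = {}     # opaque token -> {"sub", "scopes", "exp"}
        self._policy = set()  # allowed (subject, action, resource) triples
        self.audit = []       # every authn/authz decision, in one place

    # Provisioning: would be an admin-only API in practice.
    def provision_user(self, username, password, scopes):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest, tuple(scopes))

    def grant(self, subject, action, resource):
        self._policy.add((subject, action, resource))

    # The API surface the apps talk to.
    def handle(self, path, body):
        if path == "/token":
            return self._token(body)
        if path == "/introspect":
            return self._introspect(body)
        if path == "/authorize":
            return self._authorize(body)
        return 404, {"error": "no such endpoint"}

    def _token(self, body):
        username = body.get("username")
        password = body.get("password", "").encode()
        rec = self._users.get(username)
        if rec is None:
            # Hash anyway so an unknown user costs the same time as a bad password.
            hashlib.pbkdf2_hmac("sha256", password, b"\0" * 16, 100_000)
            ok = False
        else:
            salt, digest, _ = rec
            candidate = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
            ok = hmac.compare_digest(candidate, digest)
        self.audit.append(("authn", username, ok))
        if not ok:
            return 401, {"error": "invalid_credentials"}
        token = secrets.token_urlsafe(32)  # opaque: carries no data the app could parse
        self._tokens[token] = {"sub": username, "scopes": rec[2],
                               "exp": self._clock() + self._ttl}
        return 200, {"access_token": token, "expires_in": self._ttl}

    def _introspect(self, body):
        token = body.get("token", "")
        rec = self._tokens.get(token)
        if rec is None or self._clock() >= rec["exp"]:
            self._tokens.pop(token, None)  # expired tokens are forgotten, not revived
            return 200, {"active": False}
        return 200, {"active": True, "sub": rec["sub"], "scopes": list(rec["scopes"])}

    def _authorize(self, body):
        triple = (body.get("sub"), body.get("action"), body.get("resource"))
        allowed = triple in self._policy
        self.audit.append(("authz",) + triple + (allowed,))
        return 200, {"decision": "allow" if allowed else "deny"}


class InvoiceApp:
    """A business app written as an API client: it stores no passwords,
    no user table and no role matrix. It forwards the login once to get
    a token, then asks the IAM service about every request it handles."""

    def __init__(self, iam):
        self._iam = iam

    def login(self, username, password):
        status, body = self._iam.handle("/token", {"username": username, "password": password})
        return body["access_token"] if status == 200 else None

    def act(self, token, action):
        status, who = self._iam.handle("/introspect", {"token": token})
        if status != 200 or not who["active"]:
            return "denied: token inactive"
        if "invoices" not in who["scopes"]:
            return "denied: token lacks scope"
        _, decision = self._iam.handle(
            "/authorize", {"sub": who["sub"], "action": action, "resource": "invoice"})
        return "ok" if decision["decision"] == "allow" else "denied: policy"


def demo(clock=time.time):
    """Constructed sample tenant: two users, one resource, a tiny policy."""
    iam = IamService(token_ttl=60, clock=clock)
    iam.provision_user("alice", "correct horse", scopes=["invoices"])
    iam.provision_user("bob", "battery staple", scopes=["invoices"])
    iam.grant("alice", "read", "invoice")
    iam.grant("alice", "write", "invoice")
    iam.grant("bob", "read", "invoice")
    return iam, InvoiceApp(iam)


if __name__ == "__main__":
    iam, app = demo()
    tok = app.login("alice", "correct horse")
    print(app.act(tok, "write"), app.act(app.login("bob", "battery staple"), "write"))
    print(iam.audit)
```

Swapping the in-process `handle` for real HTTPS calls is the only change the app would need to move the identity service out of the data center, across to a partner, or to a SaaS provider; the app's own code, and the audit trail, stay the same.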
If you've got thoughts on this notion, I hope you'll reach out for a one-on-one chat at the Forum, and/or drop me a note in the comments or on Twitter. You can track and contribute to the Forum using the #FSF12 (Las Vegas) and #SFE12 (Paris) hashtags.