What’s next – topics to think about in Identity

If you’re somewhat like me, then you’ll most likely be using the end-of-year season to calm down, relax, pause for a moment and think about next steps.

Yes – absolutely, holidays are about calming down, slowing down, spending time with friends and family and dedicating time to your loved ones. For me, in these days in between eating and family and friends meetups, there are also a lot of “lay low” moments when I can digest technical topics or read up on them – I am usually on the sofa and reading. Why not read something you enjoy and have wanted to digest for quite some time – even if it’s technical and job-related? As long as it doesn’t get your thinking gear going about the problems at work, or get you emotional or angry, there’s no harm. We work in technology – as long as it’s exciting, I would consider it fair game.

While I am preparing my list now – if you are an identity person or are tasked with identity-related work, I would like to suggest a number of topics for you to reflect on, think about and read up on, if you want. I consider these topics the major things that will be of importance in the next year or two, at least in the Microsoft Identity ecosystem. And while you may not necessarily want to dissect them technically, have at least a thought or two about how these concepts integrate into your story – your personal story, your professional story, the company’s story – and where that leads you.

Password-less: This is one of Microsoft’s proclaimed goals – and a mid-term journey. Passwords are one of many possible credentials that you can use to prove who you are – and we want to move to something “better”. While the concept is clear and makes sense – what does that mean for you and your organization? What “other” credential do you see? What use cases would those other credentials have to support? Is it multiple credentials (tokens, FIDO, app, …)? How do users enroll this new (secure!) credential (in a secure! way)? What is the bootstrapping process for this? What is your debt to make passwords go away entirely (applications, interfaces, devices)? What is your strategy to move the relevant applications to Azure AD (where password-less will be easiest)? What can you do to start embarking on the password-less journey in the next quarter (Windows Hello for Business)? If you want to read more, check my previous article on password-less.

Business-to-Business: If you are not using Azure AD B2B yet, think about the concept. My claim is that sooner or later you will have to support collaboration scenarios if you are an online company and use SaaS applications or Office 365. Try and familiarize yourself with the idea that not all applications you are running or hosting are exclusively for your internal users – but also for business partners, vendors, etc. If you haven’t yet – try and familiarize yourself with how Azure AD does B2B (as opposed to some other products). Try and start thinking about application classification and data classification – and regard the application as merely a container for data when you think about that. What is your strategy to allow external partners in? Is that a user-led process? Do users go through a central portal that gives you control over who invites whom, or is that a helpdesk- or IT-driven activity? Are all applications fair game? Are some applications taboo (classification)? How do you keep track of those externals (and their identity references)? Is there an internal process that you already have – and can it be adjusted for the cloud, too?

Business-to-Consumer: Talking to partners and vendors is okay and for some organizations a “must”, as the business model closely integrates with the ecosystem, partners, etc. Does your business model foresee talking and working with consumers directly? Giving them a platform to interact with your business? To buy, purchase, give feedback? To talk to other consumers and exchange ideas – for you to keep track of those sentiments and feed them back into your business and work? B2C is a “problem” that is currently handled in between “business” and “developers” (this is a claim I am making – true or false?). Business may be interested in talking to consumers; developers would have to build and drive the creation of a platform that brings business and consumers closer together – that may be highly business-specific and can’t be bought off-the-shelf. How does that fit your overall identity story? Is there a need to integrate these consumer-centric platforms/applications with backend systems, so that two identity worlds collide? Do you feel IT should be involved, or is this best housed with Business + Devs?

Apps, apps, apps: Where are most of your applications today? Where is the business moving? Building modern workplaces and a foundation for collaboration with partners and vendors will have some impact on your application landscape. These things get easier when your applications “natively” speak cloud – and integrate with an Identity Provider. What is your story there? Is it relevant – or not? What are the most complicated applications and how do you grant access to these (to vendors, partners)? Is there a company-wide decision to favor “modern” applications that speak cloud natively? How is it enforced? What are the inhibitors to making this decision (no more Windows AD-integrated applications any more!)? Where do you integrate your applications (which IdP)? How do you foresee accessibility to these applications changing (do they all live in the cloud? On-premises? Reverse proxy? VPN)? How do you get your developers of LOB applications to adopt this mindset? Read more about how to protect your passwords.

Staying in control: How do you control this madness that the industry calls Digital Transformation? The perimeter melting away, applications everywhere, users everywhere? How well defined is your governance story for applications, data, users, devices? How do you keep your business secured, while at the same time allowing productivity to happen (with little to no boundaries)? How do you make sure that the right people have the right access at the right time? Even from day 0, when they start? How do you make sure they lose access when they leave or change their job? How do you know who should have access to what? Is that an IT problem to figure out – or an IT problem to translate and support, but someone else’s problem to decide and define? Who grants access – IT, Security or the resource owner? Or all of them? Do you have all the lifecycle processes in place to automate as much of this madness as possible – and get alerts when things are “out of order”?

Cloud first: When will you be able to turn your mindset and your business upside down – and see the cloud as your native place, your home story, the place you are – and on-premises as a satellite that’s kept for the small, simple things you still rely on (printing!?). While this may be unbelievably far away, depending on your size, industry, etc. – think about the inhibitors that keep you on-premises. What is it that keeps you there? Applications – how can you remediate that? Why are they on-premises and not in the cloud (protocols? Access to Domain Controllers?)? Resources – such as printers? Highly confidential things that cannot go to the cloud (can’t they – or do we lack the right controls, such as the right encryption, so that only you can read the data and where it’s stored becomes irrelevant?). Hardware – what hardware do you rely on that doesn’t support the cloud? That can’t be managed through the cloud? This isn’t about solving all of these problems right now – but about being aware. And by being aware, keeping track of these things. And to make it even more fun, read the story of a previous attempt to migrate an application to the cloud.

This was it, my list of thoughts on identity. You’ll notice I asked a lot of questions without answering them. However, I hope this article was somewhat thought-provoking and that you went away with some new thoughts, ideas and clues as to what to look into in this new year 2019.

Feel free to leave a comment about your thoughts – and with that said, happy 2019.
