Identity as a Service and the Future of Active Directory

In April, I had a chance to sit down and catch up with my friend and fellow directory services MVP Gil Kirkpatrick, Quest Software’s chief architect for Active Directory and Identity Management products. He was in the United States for Quest’s TEC (The Expert’s Conference) from his home base in Australia. For many years, Gil has been doing a lot of deep thinking about identity management and its changing role in the IT landscape. In the following interview, he brings valuable perspective to the sometimes frantic hype surrounding cloud computing.

The Interview

Gil brings up a vital point in this interview: It's time for you, the AD administrator, to start thinking of yourself—in a broad sense—as an identity management person. In addition to the increased amount of identity integration occurring between AD and other databases (e.g., HR) within a company, cloud computing might force you to be involved in account management issues with the Software as a Service (SaaS) applications that your company’s employees are surely using. If you aren’t involved with it personally, someone else surely will be. I also like Gil's pragmatic "stuff" definition of identity management!

Sean Deuby: From what you're seeing at this conference and in general, how is identity evolving? What's changing?

Gil Kirkpatrick: One thing that's very clear to me is that last year, most of the people at this conference—and I would say most of the people I talk to in general—were looking at this cloud thing as, "Maybe it's going to be important, but we’re not really sure." I'd say more than half of the people here know that these externally provided applications and services are going to become part of their day-to-day life, and sooner than they expected. So, I think they've gotten past the denial aspect, and now they're in the sheer horror of, "What do we do next?!" That's a big change.

The whole cloud thing has thrown a wrench into the way we've been approaching identity management and access control, and has really turned all that upside down. I said in my opening session that people really don't care about identity management. It was, "Lessons Learned from 10 Years of Tech"—none of which really had anything to do with technology. But one of lessons was, "We're not really in the AD business; we're in the identity management business," and the only people who care about identity management are the people who are in the identity management business. Nobody cares. What they care about is, "Can I get to my stuff, can I keep others from getting to my stuff, can I know who got to my stuff, and can I not type my password in so many times?" That's what people actually care about, and that's the problem we ultimately have to solve.

We were beginning to solve that inside the firewall, so we got past the password thing, and we had ways to make sure that you could get to your stuff and others couldn't, and we could keep track of who got to your stuff, but they didn’t work very well and weren't well managed inside the enterprise. Well, now we just threw the whole deck of cards in the air, and we have to do that all over again—except now we don't have control over the applications and resources that people need access to. So that's made a bit of a dog's breakfast out of the whole thing.

Sean: Just as you think you're getting your arms around it, the scope changes.

Gil: Yeah, the scope and even the nature of the problem have changed. The change is primarily that people are beginning to recognize that cloud computing really is happening. And it's not, "I'm probably not going to do that in my company," which was the attitude for the last couple of years. I think people understand that that's just the way things are. It's going to be in a state of chaos for the next several years.

Sean: If you were an IT professional in an enterprise in any number of different roles, where are the places to be and the places not to be?

Gil: If I were making my life as an AD admin, I would say that's probably not the place to be. Being a specialist in an on-premises technology without expanding your skill set to accommodate cloud technologies and other outside technologies—I think that will be a non-growth industry. On the other hand, there's value to being the one remaining expert in a particular technology, like COBOL programming ($200,000 a year!). So there's something to be said for that: If you're the best of the best and everybody else leaves, you have value. But that's not where I'd want to be.

I think the clue here is that you need to expand your skill set to understand the cloud environment, know what that means for identities, and be able to develop strategies and technologies that allow your company to effectively take advantage of cloud-based applications and services.

Sean: Do you feel that there will be a migration of the AD identity store off-premises?

Gil: To some degree, it's already happened. If you have employees who are signing up for external services—like going to Salesforce.com or something like that—they have what is effectively your AD identity information now in the Salesforce database.

Sean: It functions as an identity provider as well as a service provider.

Gil: Right. So, I'm not sure about the wholesale movement—just taking AD and dropping it somewhere in the cloud. I'm not sure I see that. I think the idea of outsourcing your identity management to a cloud provider makes sense for a lot of organizations, and there are some companies that are beginning to do that. Okta is one, Symplified is another.

Sean: PingConnect is another. We can’t quite call them federation as a service—that's a little too narrow a description, because these services do more than federation. They do screen scrapes and password-vaulting for SaaS apps that don’t support federation, so it;s best thought of as Identity as a Service (IDaaS).

Gil: I can see that happening. One thing I'm struggling to understand is: Who ultimately wants to be responsible for the identity information that a corporation uses to make its authentication and authorization decisions? There's this notion of reputation of trust that factors into that, because what does a company really know about its employees? It knows whatever they filled out on the employment form. And how well vetted is that? Well, it depends on the company. In some cases, a company looks at your driver's license and that's it; other companies do background checks and everything else. I can imagine that there will be situations in which companies will happily accept identity information provided by an outsider such as VeriSign.

Sean: Right, this is the discussion of what is the quality of different identity providers—Facebook versus Google versus VeriSign … or PayPal.

Gil: Envision this scenario. I go work at a new company, and I come in and talk to the HR people, and they ask, "What's your Facebook ID?" And you provide that. And they say, "This is your role in the organization, and these are the things that you need to be able to do. Do you have a laptop? Put this certificate on it, and go to it." And that would serve as sufficient authentication for whatever applications that guy has access to, both inside the firewall that the company is still managing and cloud-based applications that are more publicly oriented—things like Salesforce. That might be the ideal level for a lot of organizations, because they've totally divested themselves of the identity-management problem, other than associating a body with a Facebook ID. That might be sufficient for a lot of people.

Other organizations are going to have to manage their identities the way they do now. Financial, medical—places where licensing is important. I think that's further down the road, to tell you the truth. I think companies are going to continue to manage their own identity information for five to six years at least. But I can imagine smaller organizations saying, "I'll just subscribe to some cloud vendor that charges me a $1 per identity per year and live with it that way."

At this time, I think the idea of having your identity store in the cloud rather than on premises is heretical to most companies; there are simply too many security questions and too little history with cloud services for this scenario to be popular. In the future, I think that as more companies consider this idea, the relative quality (or, more specifically, the authenticity) of the identities and identity store will become crucial, and require some standard of identity verification similar to what VeriSign and PayPal require today.

Would you want to use an identity provider that doesn’t require some accredited means of identification to create your account? I know of at least one incident in India in which one person applied for and was accepted at a job, but another person showed up and started working as the first person. Your identity store is only as good as its roots to the real world. What are your thoughts about having your identity stored in the cloud?

Sean writes about cloud identity, Microsoft hybrid identity, and whatever else he finds interesting at his blog on Enterprise Identity and on Twitter at @shorinsean.