December 6, 2012
At the Defrag conference recently, I took part in a few sessions that looked at the broader role of identity in a world where more and more people use cloud-based tools. One of the sessions was led by Pat Patterson, Principal Developer Evangelist at Salesforce. In his session, Patterson drew a picture of the history of applications, and the corresponding rise of identity. The history went something like this:
Initially corporate IT built the applications the business needed, but then third-party vendors got into the game and started building apps. Over time these then consolidated into suites. This cycle keeps recurring with continuous innovation and then consolidation – products consolidate into suites. The same cycle occurs in the cloud, with SaaS products consolidating over time into cloud suites. All the while, however, IT departments continued to write applications, bolstered recently by the rise of PaaS. So given all of this complex IT structure, the need for a central identity service came along.
In Patterson’s view, neither Microsoft nor Google has really managed to build robust and future-looking identity management – Microsoft because it didn’t support SAML 2.0 and Google because it only supported SAML in one direction, that of log-in to Google itself. Patterson believes that this is a story about standards and that the critical ones with real traction in this space are SAML and OAuth.
Anyway – all of this as background was interesting – especially given the presentations by Ian Glazer, identity analyst at Gartner and Kim Cameron from Microsoft.
In particular, Glazer had an interesting take (for someone who makes his living talking identity). His talk was entitled “Killing Identity Management to Save It” and it was interesting to reflect on the talk given my strong feeling that the enterprise of the future is much more fluid than enterprises today. This fluidity – both in terms of what constitutes an enterprise user, and also in terms of the portfolio of services enterprises use – raises some massive challenges to those grappling with the task of identity management.
Which made for a very interesting conversation on the drive to Boulder for dinner one night during the event, when Salesforce’s recently announced identity offering came up for discussion. For those who don’t recall, the somewhat nebulous announcement by Salesforce said that the:
New Salesforce Identity will deliver “Facebook-like identity for the enterprise,” a single, social, trusted identity service to access and centrally manage every cloud app.
There are two issues that the announcement, and the discussions at Defrag, brought up.
Is the Future of Identity On-Premise or in the Cloud?
Identity Management – arguably the crown jewels of the enterprise. Many seasoned IT folks would scoff at the idea of that being farmed out to the cloud. But just look at the way enterprises work – the fact is the vast majority of enterprise users are using both internal and external services. Social identities, cloud services, mobile devices and the rise of APIs mean that the formerly rigid boundaries between the enterprise and the outside world are becoming ever more porous. Add to this the fact that so many enterprise end users aren’t actually employees and you have a service ripe for disruption.
How can an identity service which is generally sited on-premise cope well in such a diverse world? As Glazer said in his report 2013 Planning Guide: Identity and Privacy:
Identity being built into business services rather than a separate entity is the natural maturation of identity. The enterprise can’t own and can’t dictate all the ways identity is coming into and going out of its network.
What Does Salesforce Identity Mean for Cloud Identity Providers?
Bear in mind that we still don’t know what the final Salesforce identity product will look like. True, it’s an amalgamation of some individual pieces they already have, but the total package, how it’s sold and how it’s messaged, is unknown. I’m going out on a limb by assuming that Salesforce will do the right thing, and that their identity as a service offering will be sold as a standalone product so that enterprises wishing to use it as their central identity hub will be able to do so, regardless of whether or not they are users of other Salesforce products. It’s a reasonable bet since a) Salesforce has already signaled that identity will span all their products, not just the classic lines but also things like Force.com and Heroku and b) selling the product this way would give Salesforce the opportunity to take up a role as the central hub and gatekeeper of personal identity in this new cloudy world.
Ian Glazer, Gartner analyst on identity, covered the move in a blog post after the announcement when he said that:
federation and user provisioning aren’t futuristic or anything special to crow about. But the crucial thing to note is that salesforce.com isn’t thinking about identity in isolation, and isn’t deploying identity in isolation. Salesforce.com isn’t offering identity by itself but instead offering identity within the context of PaaS, delivered, managed, and licensed as such
Identity goes from being a boring, but admittedly important, side function of corporate IT to becoming a thread woven through all of the business applications an enterprise uses – SaaS, PaaS and (one assumes) IaaS, a kind of move that is analogous to what Salesforce is trying to achieve with Chatter – weave a social fabric throughout an organization’s assets. As Glazer said, “Identity just happens! This is the future of identity services. Identity gets delivered in the context of something the business and IT as a whole cares about”.
So what does it mean for the smaller federation and SSO providers? Well, it’s hard to imagine a scenario where corporate IT would argue that the provision of identity services in the cloud should occur from a third party, and not from a large vendor. One assumes that the likes of Okta predicated their foundation on a scenario of acquisition by a company like Salesforce. With Salesforce introducing its own service, it’s hard to see anything other than a quick and severe cutting-off of oxygen to these competitors.
It’s not over, as they say, till the fat lady sings and we’re yet to see how Salesforce executes upon the opportunity. But it certainly looks like an existential play in the world of cloud (and beyond) identity management.