My LinkedIn feed has been bombarded with endless commentary about the state of IAM, especially in light of last week’s announcement of Palo’s acquisition of CyberArk. “Platforms” and “Convergence” are at the heart of much of this analysis, and both terms often rely on a degree of definitional vagueness. Yes, IAM convergence has been happening for years, and market consolidation has re-drawn the boundaries of many unique IAM sub-segments. But the convergence that happens within a market does not translate into convergence of technology at the product level. Two theories help explain what I’ve seen:
Theory #1: The Single Pane of Glass Promise
This theory is often used to bolster the logic of marrying two IAM companies through M&A. A single user interface for administration > multiple interfaces, especially if the former is modern and easier to use. The problem here is that in large, complex enterprises, the people staffing different IAM functions — PAM, IGA, directory services — are functionally different personas who operate with different mental models, risk tolerances, and operational cadences. Forcing them into one interface is like making a cardiologist use the same tools as an orthopedic surgeon because they’re both doctors. Sure, they might have some shared overlap, but fundamentally their workflows don’t converge just because the domain does.
This isn’t to say that certain segments of the market (SMB, for instance) don’t benefit from lighter-weight tooling that can be administered from one central interface. Those segments also don’t need 95% of the capabilities within an enterprise-grade product. Single panes of glass can also serve as a strategic north star for product management teams assembled through M&A. I’ve been there before, and while I’ve seen the benefits for internal alignment around roadmaps, I’ve rarely seen this executed well for actual users.
Theory #2: The Unified Platform Experience Myth
This theory is closely related to the first and holds that M&A will auto-magically create a seamless unified platform experience where PAM, IGA, and directory services suddenly play nice together through shared architectural components and optimized UX. This is where PowerPoint visions collide with engineering reality.
IAM is not iOS. You can’t slap a unified interface on top of fundamentally different codebases, data models, and security paradigms and call it convergence. The main question product teams should be asking themselves is whether the business has the patience for what could be a long and complex waiting game around “unification” of disparate technologies into one cohesive stack. I’ve been through this on several occasions and have seen that assumptions on Day #1 of a platform project are wildly off base by Day #30.
Product marketers like the word “platform” because it sounds better than “product suite” or “products.”
Platform is also one of those oft-repeated words in tech that mean everything and nothing at the same time. It is far easier to paint compelling platform visions in slide decks than to reconcile a PAM system’s break-glass access patterns with an IGA platform’s policy-driven provisioning workflows. Sometimes things should be left alone for the benefit of the customer and the vendor.
It’s All About the Data
Most of the convergence discussion misses a key point, which has been at the heart of Hydden’s vision: IAM modernization and maturity require deeper awareness of identity data and relationships across infrastructure. The chaos and fragmentation of modern identity security implementations is caused by each control hoarding its own incomplete identity data.

Visibility of identity data leads to fewer blind spots between existing controls, faster response times when things go wrong, and more automation in a security segment that’s always short on specialized staff. Security teams that use different IAM tools from different vendors are in a far better position when they have a singular view of identity data across all of these systems.

Data is at the heart of any coherent platform vision. Consider the platform user experience for Google and Microsoft. Office365 and Google Apps have a singular authentication point and a cohesive user experience across disparate apps (Google Docs and Sheets; Microsoft Word, Excel and PowerPoint), which results in a better user experience because people can get their work done more efficiently. But this platform experience is only possible because of a singular rich data layer. Imagine if each of these apps had different authentication protocols, or if you couldn’t easily carry information from one app to another. That would suck. All the unified dashboards in the world won’t matter if your identity data remains siloed in incompatible schemas, your workflows can’t communicate context across security boundaries, and your teams are fighting against architectures that were never designed for interoperability.
Typical identity security implementation: each identity security control individually collects its own data from different sources of truth, often excluding critical systems and devices
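To make the “blind spots between existing controls” concrete, here is a small added example (not code from the post or from Hydden) that joins exports from a directory service, an IGA tool and a PAM vault into one identity view and reports the gaps that none of the three controls can see on its own. The sample records, field names (login, user, account, vaulted) and the list of privileged groups are all constructed assumptions for this illustration, not a real product schema.

```python
"""Correlate identity records from three siloed IAM controls into one view
and surface the blind spots that no single control can see on its own.

All sample records below are constructed for this example; the field names
(login, email, user, account, vaulted) are assumptions, not a real product schema.
"""
from dataclasses import dataclass, field

# Constructed export from a directory service (the source of truth for accounts).
DIRECTORY = [
    {"login": "Alice", "email": "alice@example.com", "groups": ["Domain Admins"]},
    {"login": "bob", "email": "bob@example.com", "groups": ["Staff"]},
    {"login": "svc-backup", "email": "", "groups": ["Backup Operators"]},
    {"login": "carol", "email": "carol@example.com", "groups": ["Staff"]},
]

# Constructed export from an IGA tool: who has a governed lifecycle and which access.
IGA = [
    {"user": "alice@example.com", "entitlements": ["AD-Domain-Admins"]},
    {"user": "bob@example.com", "entitlements": ["Payroll-Read"]},
    {"user": "dave@example.com", "entitlements": ["Payroll-Write"]},  # no directory account
]

# Constructed export from a PAM vault: which privileged accounts are actually vaulted.
PAM = [
    {"account": "ALICE", "vaulted": True},
]

# Assumption for the example: group names that make an account privileged.
PRIVILEGED_GROUPS = {"domain admins", "backup operators"}


@dataclass
class Identity:
    key: str
    sources: set = field(default_factory=set)  # which controls know this identity
    privileged: bool = False
    vaulted: bool = False


def normalize(value):
    """Case-fold the identifier each tool uses; treat missing values as empty."""
    return value.strip().lower() if value else ""


def build_identity_view(directory, iga, pam):
    """Merge the three exports into one dict keyed by a normalized identifier."""
    view = {}
    by_email = {}  # email -> directory key, so IGA rows (keyed by email) join to logins

    def get(key):
        return view.setdefault(key, Identity(key=key))

    for row in directory:
        key = normalize(row["login"])
        ident = get(key)
        ident.sources.add("directory")
        ident.privileged |= any(g.lower() in PRIVILEGED_GROUPS for g in row["groups"])
        if normalize(row["email"]):
            by_email[normalize(row["email"])] = key

    for row in iga:
        email = normalize(row["user"])
        key = by_email.get(email, email)  # unknown to the directory: keep the email as key
        get(key).sources.add("iga")

    for row in pam:
        ident = get(normalize(row["account"]))
        ident.sources.add("pam")
        ident.vaulted |= bool(row.get("vaulted"))

    return view


def find_blind_spots(view):
    """Gaps that only become visible once the three data sets are joined."""
    return {
        # Accounts that exist but have no governed joiner/mover/leaver lifecycle.
        "unmanaged": sorted(k for k, i in view.items()
                            if "directory" in i.sources and "iga" not in i.sources),
        # Privileged accounts the PAM tool has never seen: no vaulting, no session control.
        "unvaulted_privileged": sorted(k for k, i in view.items()
                                       if i.privileged and not i.vaulted),
        # Entitlements granted to identities the directory no longer knows about.
        "orphaned_entitlements": sorted(k for k, i in view.items()
                                        if "iga" in i.sources and "directory" not in i.sources),
    }


if __name__ == "__main__":
    for category, keys in find_blind_spots(build_identity_view(DIRECTORY, IGA, PAM)).items():
        print(f"{category}: {keys}")
```

On the constructed data the join reports a service account with privileged group membership that is outside the vault, two accounts with no governed lifecycle, and an entitlement held by an identity the directory no longer has. Each control’s own export looks complete; the gaps only exist in the relationships between them, which is the point the section makes about a shared identity data layer.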