Beyond the Perimeter: Why Identity’s Data Problem is Security’s Biggest Opportunity

Transcending permissions.
Simon Gooch
Contributing CIO

The conversation around identity has never been more urgent, yet the language we use often feels stuck in the past.

For decades, the identity domain has been focused on “access administration”, admittedly necessary but fundamentally a tactical business function. The real opportunity for identity in cybersecurity at large lies in moving identity from being an unloved, insular operational task to becoming the Source of Truth for the entire security and business ecosystem.

The biggest anchor holding the identity domain back isn’t a lack of technological innovation. It’s a failure to fully address our data problem and communicate our undeniable value.

The Hangover: Identity’s Twenty-Year Data Debt

For over twenty years, the identity community has been operating under an “enormous hangover.” We’ve failed to treat identity as a critical data challenge, which has led every identity product, whether built or bought, to operate with a proprietary data model.

The consequences of this scattered, proprietary approach are severe:

  • Hindered Modern Security: This data model chaos prevents organizations from leveraging modern solutions, like bringing their own or third-party AI models to the problem.
  • Lack of Universal Standards: Identity lacks a standard, universal data model for Identity and Access Management (IAM). Opening up this data would create a better, healthier ecosystem for both vendors and customers, allowing data professionals, who actually understand data management, to help solve enterprise problems.
  • Data Hoarding Mentality: The entire industry built systems that took in and stored all data, regardless of necessity. This is the same faulty mentality that gave rise to Zero Standing Privilege (ZSP). We need to challenge the impulse to hoard data and access, asking, “What do I actually need to complete this job?”

It’s time for identity security to move from the Identity Access Administration (IAA) paradigm, which is a business function, to Identity Security, a control domain.

Although the argument could be made that “identity security” is largely a marketing artifact, the real value is in recognizing identity as the critical context for security and the operational mechanism for privacy. Identity is the common denominator, the prime pathway from the analog world to its digital representation.

The Future: From Record to Unobtainium

If we are planning for the next thirty years, the most significant shift must be in how we value and utilize identity data. Future security solutions that are effective and enable productivity are built on a new model that takes information from all sources, brings it together, and adds information to create contextualized data. If identity adopts this model, it will claim its rightful place as the undisputed Source of Truth, not merely a Source of Record.

When identity achieves the status of a Source of Truth:

  • The information about the identity, its privileges, and entitlements is implicitly true; it does not need quarterly certifications, cross-checking, or validation.
  • Its data achieves the “oil class of value,” becoming so valuable that every other analytical system wants to consume it.
  • Identity becomes the rightful hub of the enterprise in security, operations, and customer privacy, with all other functions radiating out from it.

This paradigm shift will also change the nature of the attack surface. Adversaries will shift their focus from attacking the identity itself (e.g., calling the help desk for a password reset) to attacking these foundational systems of truth to undermine their validity.

How Identity Practitioners Can Drive the Change

The success of this vision depends on one final factor: the people in identity. The identity field has not historically moved fast enough, largely due to a resistance to challenge and a lack of a unified, aspirational vision.

The identity security community can address this in three key ways:

1. Embrace Challenge as Progression: Progress stops when challenge stops. Practitioners should be encouraged to challenge the status quo and adapt solutions rather than delivering the same response to every input.

2. Focus on Value Expression: Identity professionals must articulate a clear vision and concisely express the value they provide and the business goals they help reach.

3. Establish a Shared Vision and Standard: Identity needs a “lighthouse figure” or a definitive, overarching vision that unifies the industry, similar to what Bruce Schneier did for cryptography. Organizations like IDPro, which establish a foundational bar for what it means to be an identity practitioner, are essential steps.

By becoming the hub of contextualized data and elevating the craft of identity practitioners, the identity domain can finally shed its past struggles. It is time to stop thinking of identity as a sub-component of security and recognize it as the foundational element and common denominator that enables the future of security, privacy, and business enablement.
