IdentityInsider would like to talk today about the ethics prevalent in the IAM industry – or the lack thereof.

It takes a little thinking, but once you do, you see that IAM (a subset of cybersecurity) is not a typical industry. There are sales and profits to be made, but any company that sets out to be a provider in this space must recognise that it is providing a morally essential service. Whether the customer is another business, an individual, or the public at large, the fundamental purpose of IAM is to protect against crime. We are not selling Rolexes and Rolls-Royces here; we are guardians of people and of their right to privacy and security. Measured against that standard, IdentityInsider has assessed the industry's landscape and found it very wanting.

Let’s start with establishing an informal code of ethics for this industry.

We are fighting crime here. Our opponents are criminals. The industry must therefore strive to respond continuously to developments in attacker tradecraft, and it must pool its resources to improve the solutions that serve and protect.

Even the ‘best’ in the industry fail dismally at this. Reports from some lesser-known IAM organisations have shown us that the ‘free flow of information’ that would create healthy competition (an ethical concept in any industry, and all the more so in data and identity security) and improve solutions for consumers is non-existent. It seems that organisations such as Okta and Centrify have configured their websites to withhold material such as whitepapers from their competitors. Attempting to download a whitepaper (or even to purchase their solutions) using a company email address from a competitor's domain results in a vague system error.

Come on! We are not even talking about protecting confidential company information here! The same whitepaper is freely available if you sign up with an email address that does not belong to one of these companies. Okta and Centrify (and others) know that they cannot, and should not, stop others from reading this information, yet they have chosen not to be upfront about their refusal to participate ethically in the industry. Instead, they make competitors falsify their registration details to get the material. It is apparent that they do not truly care about fighting cyber-crime at all costs. A derived sense of superiority and a hostile attitude seem to be their philosophies instead.

Overcharging the Innocent

Another awful trend is the sinful pricing of most IAM solutions. We have talked to people across the industry and found that healthy profits can be made by charging a small fraction of the prices that currently prevail. This is especially true with the advent of IAM in the public cloud. The product is intellectual property: once the initial R&D costs are covered, the marginal cost of a licence sold without implementation services is small (hosting, support and compliance for a cloud service are real costs, but they do not come close to explaining the prices being charged). IdentityInsider is not saying that these companies should turn into charities, but there is tremendous scope for them to be better citizens and to have some self-respect.

R&D and Offerings that Do Not Reflect Needs

Here is another sad truth that we discovered. Organisations frequently pay millions for IAM solutions that never get fully implemented. An organisation may buy a solution for millions of dollars, go through a one- to two-year implementation, and find that only five applications have been integrated at the end of it. Upon probing, we found that this happens because vendors sell products that were never designed for the buyer. They are instead engineering products that can be sold to as many customers as possible. These products are bloated with features (typically fitting only the use cases of large enterprises with big wallets) and are therefore bloated in cost as well. They are not designed for specific use cases, or for smaller companies in general, and many obstacles (often fatal ones) surface during implementation when the customer tries to fit a square peg into a round hole.

The (Sad) State of the IAM Landscape

A good standard by which to judge a vendor, particularly in an industry such as IAM that must have a strong ethical foundation, is whether they cater to the existing needs of organisations by securing them as they are, or simply try to sell generic (sometimes seemingly cutting-edge) products. Unfortunately, the IAM industry is full of vendors looking for just another business opportunity. They create solutions that respond to the trending IT landscape (e.g. public cloud) without any regard for the actual situation of potential customers. They tell you that cloud is the future (so what if it is?) and that you must migrate to it to use their solutions.

The Lowest Common Denominator Must be Served

The biggest example of this behaviour is how little Single Sign-On and provisioning support the industry offers for thick-client apps. All kinds of organisations still rely heavily on thick-client apps such as ERPs (SAP and the like) and other device-specific apps (as in manufacturing). Migrating them is too expensive, and sometimes a poor idea in security terms as well: a plant-floor system that has no reason to be reachable from the internet is often safer as a local, on-premises server and app installation than as a deployment in a public cloud. The industry has chosen to ignore this blatant need, claiming that ‘the cloud is the future’, because that is where it feels the real money is.

Wake Up IAM – You are Servants

Organisations are currently getting the short end of the stick from the IAM industry. The sharks that have taken over the vendor landscape seem to care only about their bottom lines, not about providing proper security, ease of access, and the integrated administrative controls needed to protect people from cyber-threats as well as they can be protected.

Here at IdentityInsider we are 100% committed to the principle that IAM exists to protect people. We urge vendors to commit to it too, and we hope to make the world at large more aware of the state of this industry so that buyers can choose their vendors wisely. A company that does not care about proper security does not care about you. If they do not care about you, they cannot protect you.
