Introducing XIAM: External Identity and Access Management

Over the past few years, the identity security industry has been buzzing with terms like “convergence.” These days, it feels like everyone offers a “unified” cybersecurity platform. It’s as if we all woke up one day in 2021 and realized that solving our identity security problems with a siloed array of “best-in-breed” point solutions could leave gaps in coverage or create confusion with overlapping functionalities. When OneLogin joined the One Identity family, it’s fair to say that we may have even played a big role in starting this whole conversation. We had our own shiny new Unified Identity Platform, and we recognized that this could help us solve problems that were previously overlooked in the era of point-solution “coopetition.”

One unfortunate side effect of this industry-wide awakening is that by creating new marketing buzzwords and converged solution branding, we all found ourselves speaking slightly different languages about what might have essentially been the same thing. For our audience, the very IT security professionals we aim to help, this can add more noise to a cacophony of voices. It is against this background that I would like to introduce a new buzzword to the vocabulary of converged identity solutions: XIAM.

What is XIAM?

If you are anything like me, you may have just done an internet search on the term “XIAM.” Then, puzzled with the dearth of responses, maybe you refined the search to “XIAM identity,” or “XIAM identity management.” At this point, you may be wondering if the author of this article doesn’t know how to spell “CIAM.” ‘X’ is right next to ‘C’ on the keyboard, after all. 

XIAM, which we have taken to pronouncing “zi-yam,” is a term I first encountered in 2022 when one of our customers was asking for a solution to a distinct but common identity security problem. They described it as “External Identity and Access Management,” which yielded the acronym. The problem they relayed instantly resonated as one that many companies may also have, but the structures in place regarding how we tend to buy, sell and market IAM solutions made it difficult to identify a solution.

This challenge is often found in hub-and-spoke organizations, where the spokes are at least partially composed of third-party businesses. These third-party organizations need secure, governed access to the hub’s internal resources while maintaining some degree of autonomy in the management of their own user populations. For example, a franchise restaurant business might have hundreds of independently owned restaurants that rely on the central franchise’s applications. Another example could be a heavy equipment manufacturer, where dozens of suppliers, vendors and third-party contractors need limited access to one or more of the manufacturer’s business systems.

The limitations of traditional solutions

As someone with a deep identity governance and administration (IGA) background, my first impression was that we could solve most – if not all – of this problem with a traditional IGA solution alone. Once I began to truly consider all the requirements of this solution, it quickly became clear that an IGA solution alone wouldn’t cut it. Fortunately, we had an access management tool in our catalogue with CIAM features that could help bridge some of these gaps.  

What became crystal clear was that IAM practitioners have adopted a very siloed view of solutions, not just between IGA and access management, but also between workforce identity and customer identity. This is largely due to a sort of IT balkanization, where the buyer for a workforce identity solution is very different from the buyer of a CIAM solution, even within the same company. We often find this B2B hub-and-spoke type of arrangement falls in between: it’s workforce, but someone else’s workforce, whom you do not manage. These entities are not always, or even often, customers at the end of the spokes. So, it’s not IGA, workforce IAM or CIAM. It’s XIAM.

Examples of XIAM in action

Here are some examples of scenarios where a XIAM solution would be beneficial: 

  • Independent insurance agents need access to get quotes, issue policies, make payments and manage their customers’ accounts with the insurance provider.
  • Every year, thousands graduate from the university and become alumni, but few become active. Managing thousands of new licenses every year is cost-prohibitive. Dynamically detecting who becomes active gives a predictable and controllable cost model. Plus, we need a way to temporarily handle the surge of alumni logging in to buy tickets when our team makes it to the Cotton Bowl.
  • Our home improvement store hired a new window sales manager who opened a new online account with a window manufacturer rather than using the existing one. Account history and continuity of the orphaned account is lost.
  • Flooring installers often share the flooring manufacturer’s account password with jobsite workers so they can pick up materials and update the order status at the jobsite without the manager having to ride along. This is a violation of account sharing policies and a security risk.
  • The new shipping contractor’s employees should be prohibited from accessing the factory loading dock until they have logged in to the safety training application and completed the training.
  • Insurance agents need to log into our quoting application through our web portal. Their office staff members each need their own account so we can certify access. There are hundreds of thousands of these office staffers out there, so agents need to be able to manage access for their teams.
  • Students should register themselves into our system. They will be automatically provisioned into our student directory and have apps available to register for classes or to sign up for housing and financial aid.
  • After last week’s hailstorm, our Denver area dealers need to bring in a few hundred dent technicians and give them access to the service bay, some tools, and the apps they use to submit invoices and manage their contracts. We need to make sure this access is shut down when their work is complete. We’ll probably need to turn it back on again for some of them if we get another storm.
  • The radiology lab partner has their own SSO system. They should be able to get to several hospital apps without having to sign in directly to our portal.
  • To meet SOX requirements, we must regularly review the access our third-party mortgage brokers have to our internal applications.
  • We need to see which of our partners have the most orphaned and duplicate accounts by looking at a heat map on our dashboard. A policy should detect when an account sharing violation occurs and notify our compliance team.
  • We assign a delegated administrator for each of our suppliers so they can make role adjustments, perform certifications, make access requests and approve requests for the external users in their organization.
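The account-sharing scenario in the list above (the installer who hands the manufacturer's password to jobsite workers, and the policy that should notify compliance when sharing occurs) can be treated as a detection problem over the hub's login telemetry. The following Python is an added example written for this page, not code from the original post or from One Identity's products. The event layout, the one-hour window and the one-device-per-window threshold are assumptions, and the login events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login telemetry for external (partner) accounts:
# (timestamp, account, partner_org, device_id, source_ip). Not real data.
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", "install-mgr-42", "floors-r-us", "dev-A", "198.51.100.10"),
    ("2024-05-01T08:05:00", "install-mgr-42", "floors-r-us", "dev-B", "198.51.100.77"),
    ("2024-05-01T08:07:00", "install-mgr-42", "floors-r-us", "dev-C", "203.0.113.5"),
    ("2024-05-01T09:00:00", "agent-7", "acme-insurance", "dev-X", "192.0.2.8"),
    ("2024-05-01T12:00:00", "agent-7", "acme-insurance", "dev-X", "192.0.2.8"),
    ("2024-05-02T08:00:00", "install-mgr-42", "floors-r-us", "dev-A", "198.51.100.10"),
]


def find_shared_accounts(events, window=timedelta(hours=1), max_devices=1):
    """Flag accounts used from more than `max_devices` distinct devices
    inside any sliding time window of length `window`.

    Returns {account: {device_ids...}} for the first window that violates."""
    by_account = defaultdict(list)
    for ts, account, _org, device, ip in events:
        by_account[account].append((datetime.fromisoformat(ts), device, ip))

    violations = {}
    for account, rows in by_account.items():
        rows.sort()  # chronological; tuples compare by timestamp first
        for i, (t0, _, _) in enumerate(rows):
            # Devices seen from this event until the window closes
            devices = {dev for t, dev, _ in rows[i:] if t - t0 <= window}
            if len(devices) > max_devices:
                violations[account] = devices
                break  # one finding per account is enough to notify
    return violations


def build_compliance_notices(events, violations, policy="no-shared-credentials"):
    """Turn findings into notifications that carry the partner org, so the
    hub's compliance team and the partner's delegated admin can both act."""
    org_of = {account: org for _, account, org, _, _ in events}
    return [
        {
            "policy": policy,
            "account": account,
            "partner_org": org_of[account],
            "devices": sorted(devices),
            "action": "notify-compliance",
        }
        for account, devices in sorted(violations.items())
    ]


if __name__ == "__main__":
    findings = find_shared_accounts(SAMPLE_EVENTS)
    for notice in build_compliance_notices(SAMPLE_EVENTS, findings):
        print(notice)
```

In the constructed data the installer's account is used from three devices within seven minutes and is flagged, while the insurance agent's repeated logins from one device are not. In a real deployment the device identifier would come from the access management layer's device or session binding, and the window and threshold would be tuned per partner population, since a partner whose staff legitimately share kiosks looks very different from one whose users each carry a managed laptop.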

As you consider these types of requirements, it becomes clear that many enterprises may face similar challenges, and they could all benefit from a XIAM solution.

As an identity security practitioner, I often find that I am at least as curious about human behavior as I am about technology. Viewed from this angle, it seems to me that this siloing of technology into point solutions is an artifact of our evolution into our current complex security landscape. Once we identified single problems that were large enough to warrant the development of commercial solutions, a sort of gravity drew our thinking about related problems into these isolated silos of solutions. However, some issues lie between these silos, and the solutions they require can be overlooked. This can be described as “inside-the-box” thinking.

Moving beyond “inside-the-box” thinking

These XIAM benefits cannot be achieved with IGA or CIAM alone. A XIAM solution must provide key functionality of both IGA and access management or CIAM technologies, along with seamless integration between them. From IGA, it needs features like orphaned and duplicate account detection, role-based access control, access certifications and self-service access requests, plus a comprehensive delegation model so the third-party user populations can manage their own users. A CIAM or access management solution can be applied as an aggregation layer for the many spokes in the hub-and-spoke topology, serving as the source of truth for external user populations who don’t exist in the internal HR system. The external users can then be given controlled access to internal systems and applications through RBAC and SSO, including third-party SSO from their own IdP if they have one. Access management features like self-registration and just-in-time user provisioning facilitate onboarding of external user populations, while governance functionality within the IGA tool enables proactive policy enforcement and maintains least privilege for them.
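As an added illustration of the IGA-side functions named in the paragraph above (orphaned and duplicate account detection, a delegation model, access certification, RBAC and just-in-time provisioning from a partner IdP), here is a small hub-side model in Python. It is example code written for this page, not the product's API or the author's design; the registry, partner rosters, role names and the shape of the SSO claims are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class ExternalUser:
    """One external (partner) account held in the hub's registry."""
    account_id: str
    partner_id: str
    email: str
    roles: set = field(default_factory=set)
    is_delegated_admin: bool = False


# Constructed hub registry of external accounts (not real data)
REGISTRY = [
    ExternalUser("u1", "floors-r-us", "Ann@Floors.example", {"order-status"}),
    ExternalUser("u2", "floors-r-us", "ann@floors.example", {"order-status", "pickup"}),
    ExternalUser("u3", "floors-r-us", "bob@floors.example", {"pickup"}, True),
    ExternalUser("u4", "acme-insurance", "cy@acme.example", {"quoting"}),
    ExternalUser("u5", "acme-insurance", "old@acme.example", {"quoting"}),
]

# Constructed rosters that each partner's delegated admin attests to (current staff)
PARTNER_ROSTERS = {
    "floors-r-us": {"ann@floors.example", "bob@floors.example"},
    "acme-insurance": {"cy@acme.example"},
}

# Hub-owned mapping from partner IdP group claims to hub roles (constructed).
# Roles are never copied verbatim from the partner's assertion.
JIT_ROLE_MAP = {"radiology": {"pacs-viewer"}, "scheduler": {"appointments"}}


def find_orphaned(registry, rosters):
    """Accounts whose owner no longer appears on the partner's attested roster."""
    return sorted(u.account_id for u in registry
                  if u.email.lower() not in rosters.get(u.partner_id, set()))


def find_duplicates(registry):
    """Accounts that collapse to the same (partner, normalised email)."""
    groups = {}
    for u in registry:
        groups.setdefault((u.partner_id, u.email.lower()), []).append(u.account_id)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def delegated_admin_may_manage(admin, target):
    """Delegation scope: a partner admin manages only users of their own org."""
    return admin.is_delegated_admin and admin.partner_id == target.partner_id


def certification_items(registry, admin):
    """Access-certification worklist for a delegated admin: every account in
    their org except their own, so nobody certifies their own access."""
    return sorted((u.account_id, sorted(u.roles)) for u in registry
                  if delegated_admin_may_manage(admin, u) and u is not admin)


def jit_provision(registry, claims):
    """Create-or-update an external user from an already-verified partner-SSO
    assertion. `claims` carries sub, email, partner_id and groups."""
    roles = set()
    for group in claims.get("groups", []):
        roles |= JIT_ROLE_MAP.get(group, set())  # unknown groups grant nothing
    key = (claims["partner_id"], claims["email"].lower())
    for u in registry:
        if (u.partner_id, u.email.lower()) == key:
            u.roles = roles  # re-sync on every login so role removals take effect
            return u
    user = ExternalUser(f"{claims['partner_id']}:{claims['sub']}",
                        claims["partner_id"], claims["email"], roles)
    registry.append(user)
    return user


if __name__ == "__main__":
    print("orphaned:", find_orphaned(REGISTRY, PARTNER_ROSTERS))
    print("duplicates:", find_duplicates(REGISTRY))
    print("bob certifies:", certification_items(REGISTRY, REGISTRY[2]))
```

Two design points are worth noting. Orphan detection is driven by what the partner's delegated administrator attests to, because the hub has no HR feed for someone else's workforce; that attestation is the XIAM substitute for the leaver event an internal IGA tool would get from HR. Just-in-time provisioning keys on the partner identifier plus a normalised email, so the same person signing in again through the partner IdP updates the existing account instead of creating the kind of duplicate the detection function reports, and roles are resolved through the hub's own mapping rather than trusted from the assertion.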

Conclusion

I started this discussion with the idea of a “unified” platform for identity security, a phrase that contains classic buzzwords that may inadvertently lead us to an insufficient understanding of the intent. Creating a “unified” platform or “converged” solution for identity security problems isn’t just about developing a reformed software architecture that merges siloed solutions with a shared data layer or logical integration fabric. It’s about moving beyond “inside-the-box” thinking and recognizing that some problems exist between silos. The synergy among the solution elements can form a far better solution to the problem than trying to stitch together disparate solutions. If we apply a bit of out-of-the-box thinking, then new solutions can emerge, even to solve old problems.

So, as we introduce a new term to the identity security lexicon, remember that XIAM represents a fresh, holistic approach to addressing these complex challenges. Welcome, XIAM.
