Identity Fabric: Breaking the Single‑Provider Myth
Key Points
- The “identity fabric” concept debunks the two‑decade‑old fantasy that a single identity provider and user directory can handle all IAM needs, arguing that this approach no longer works in today’s hybrid environments.
- In practice, organizations must manage two distinct IAM domains: consumer/CIAM (customers, partners, external users) and workforce IAM (employees, internal partners), each often requiring its own specialized system.
- Most enterprises already operate multiple IAM solutions and directories, making the idea of a one‑size‑fits‑all platform unrealistic and a key reason why many feel they’ve made little progress with identity security.
- The identity fabric framework aims to integrate and orchestrate these disparate IAM tools and data sources, providing a cohesive layer that reflects the complex, multi‑system reality of modern identity management.
Sections
- Debunking the Single‑IdP Myth - In this opening, Bob Kalka explains that the “identity fabric” concept overturns the outdated 20‑year belief that a single identity provider and directory can solve modern IAM challenges, emphasizing the need for a hybrid, multi‑system approach.
- Multi-Directory IAM Challenges - The speaker explains that most organizations juggle separate consumer and workforce identity systems, resulting in fragmented Active Directory instances across on‑prem, AWS, and Azure that must be continuously synchronized.
- Emerging Passwordless and Risk-Based IAM - The speaker outlines the surge in client interest for passwordless access via passkeys and the complexities of deploying them across platforms, while also introducing risk‑based authentication as a real‑time, behavior‑driven evolution of multi‑factor security.
- Critical Elements of Identity Fabric - The speaker outlines seven essential components of an identity fabric, emphasizing the need for an identity orchestration engine and ITDR to automate identity lifecycle management and detect threats across disparate systems.
- Key Elements of Identity Fabric - The speaker explains the final three critical components—directory synchronization, identity governance, and privileged access management—required to maintain a unified, consistent system of record and control over user access in complex, hybrid environments.
Full Transcript
Source: https://www.youtube.com/watch?v=uN5rr4n1fl0
Duration: 00:16:13
Section timestamps: 00:00:00 Debunking the Single‑IdP Myth; 00:03:06 Multi-Directory IAM Challenges; 00:06:24 Emerging Passwordless and Risk-Based IAM; 00:09:49 Critical Elements of Identity Fabric; 00:13:13 Key Elements of Identity Fabric
Hello, everybody.
This is Bob Kalka, global lead with IBM Security.
And our topic today is "What is the identity fabric?"
The identity fabric is a white-hot term in cybersecurity these days,
and a lot of people are asking questions,
what exactly is this concept?
What the identity fabric is, is cutting through a fantasy
that we've had in the cybersecurity community for the last 20 years, which is
there is a belief that for identity and access management, that is:
how do we manage users and their identities,
and their accounts across all the different systems and applications they need access to,
is that if you go into the typical shop today,
the perspective and the philosophy is,
I know how to solve this really tough problem.
I'm going to choose one identity provider and one user directory,
and I'm going to focus all my investment on that.
And for the last 20 years organizations have been focused on that strategy.
And yet when you talk to these clients, you find
that they feel like they haven't made much progress in the last 20 years.
And the reason for that
is that the approach of addressing identity and access management
through one identity provider and one user directory
is a complete fantasy because of the hybrid reality of what we face today.
So let me show you what I mean by that.
When we talk about managing users and their identities and their accounts,
there's generally two different groups of people that we're talking about.
First of all, we're talking about all of the consumers, the users,
the folks out there that interact with us as a business.
And so we often will term that consumer IAM,
or CIAM, as a lot of people will call that.
And so once again, that's our customers, it's our partners, it's people interacting.
Then you have a second group of people
that also need to have their user accounts and identities managed.
And that's all the people that we have inside of our organization.
It's our employees, it's our partners and things like that.
And that's generally termed workforce IAM.
Now once again, the fantasy that everybody's had for the last 20 years
is that the way to manage this is pick one identity and access management tool
and one user directory to manage all of this stuff.
But let's look at what the reality is today.
The reality is that most organizations
will have a dedicated identity and access management system
for their consumers, for their customers and things like that.
And then once again, they will ideally go,
well, the way to do that is I'm going to have one directory,
and that becomes the way that I approach identity and access management.
Now, using the fantasy as our key,
you'd say, well, for my workforce, I'm going to use the same system, right?
Well, there are very few organizations,
and I mean one or two handfuls maybe,
that actually are able to do that.
What almost everybody struggles with is the fact
that there is at least one additional identity and access management system,
and at least one directory
that's used for our employees that's separate from the one we use for consumers.
And anyone who does this for a living is smiling right now,
because they know that this picture is very simplified,
that usually what happens is there's a lot of these user directories out there
that have to be synchronized and pulled together.
I'll give you an example.
I had a client just recently tell me
that they thought they had standardized on one directory
with Microsoft Active Directory very, very common.
But he said, my problem is
that I'm managing Active Directory on-prem.
I've got a second team managing Active Directory in AWS
and a third team managing Active Directory in Azure,
and never the twain shall meet.
And so the reality is that most organizations have a tool for consumer IAM,
a tool for workforce IAM,
but behind the scenes there's a whole lot of different sources
of user information that's being used for this.
Now you'd say, well, this alone looks like something we could at least get control over.
But then, when you realize how bad the picture is,
we've forgotten an entire plane of places where there's lots of these.
And that is, if you look at all of our legacy apps
and our various cloud providers,
typically you'll have built-in identity and access management
and some kind of user directory
inside of each one of our applications,
inside of each cloud service that we're using.
And so you get to this point that the reality is
that most organizations today
are managing user accounts across many, many, many different places.
But you see why the fantasy is a problem.
If you believe that that one, for example,
is where I'm going to put all my investment,
then what the organization will do is it will not recognize the rest of this.
It treats it as a sunk cost and says it's just something
that we have to deal with and manage individually.
But just think of trying to get a consistent user identity experience
when you're managing them in all these different places.
And that's what almost every organization is doing today.
Given the fact that user identities are generally the number one attack point for cyber attacks,
you realize very quickly why it's so important that we get a hold of all of this.
So this is what the identity fabric is.
The identity fabric is how do I take a user,
their identities across all of these different systems potentially,
and manage them in a consistent way.
Now to add fuel to the fire here, why this is so important,
is that there are a lot of very,
very impressive newer technologies in identity and access management
that we want to apply consistently across a user, across all of these systems that we're looking at.
So for example, there are four different technologies
that a lot of people are trying to apply around identity access management today.
For example, in the last year I have not had a single client meeting,
and I meet with clients every day
where the term "passwordless" has not come up.
It comes up in every briefing.
What is passwordless?
Passwordless means, how do I streamline access
for someone trying to get access to a system or an application,
or whatever it happens to be - a cloud service, whatever?
How do I streamline it by using passkeys, like FIDO passkeys,
to be able to get in without entering a password?
It's more secure and yet easier to use.
It's something everybody wants to be able to do,
but if you have to apply these passkeys across all these different systems,
it's impossible to manage.
So passwordless support is one of the pieces.
Secondly, a white-hot term you're hearing a lot about: risk-based authentication.
What is that?
That is multi-factor authentication on steroids.
That is applying different levels of access for people
based on a real time, ongoing historical assessment of that
person's risks based on how they're acting.
So it's not only, is this someone who's logged into us 275 times,
this is the 276th time,
and they're in the same place with the same device configured in the same way
that you might say, well, that's fine, just give me a password or something.
But if, when you analyze their typing rate, you notice
that their typing rate is a lot different than it's ever been,
and their error rate in typing is a lot different than it's ever been?
You might say, you know what, I probably need another form of authentication here.
So that's an example of risk-based authentication.
Being able to apply a real time, ongoing historical risk assessment
of everyone who's trying to access your systems.
You realize if you're managing identities in all these places, you're never going to get that.
So how do we apply risk-based authentication consistently across this?
Identity fabric helps with that.
A third element: how about this - there are a lot of advanced
techniques out there, such as identity proofing.
So when someone is registering to access your systems
and your applications and your various whatever, right?
Can I do identity proofing callouts?
Doing that across all these systems?
Literally impossible.
And then finally, a fourth factor that we run into a lot, that people don't think of at first,
is how do you effectively do threat management against identities?
That's one of the weak spots.
Everybody's got a security operation center and a SIEM tool,
Security Information Event Management tool,
that takes input from all over the place and looks for threats. Right?
Core key part of any security operations center.
But all of the tools for doing that - IBM QRadar,
Splunk, the various tools that are out there -
are not good at being able to determine identity-focused threats, and
because that's the primary, the first, the most common mechanism for cyber attacks,
it's kind of important that we're able to detect identity
threat vectors as they're happening in real time.
And there are ways of doing that,
but it hasn't been able to be applied because people
are trying to apply it across all these different identity stacks.
All of this is exactly what the identity fabric is for.
The identity fabric is: what are the things that need to exist
for us to be able to take this mess and actually, finally, after decades, get control over it?
And we have enough use cases now of clients doing this, we know it works.
So let's cover the seven things that are
absolutely critical for any identity fabric approach.
Alright so let's look at this.
So number one: number one, and this is huge,
is you have to have some kind of identity orchestration engine.
Orchestration means you can automate workflows,
you can do call outs like identity proofing engines,
and you can orchestrate an identity - creation, management, removal, etc. -
and their access across all the different systems that you have.
In other words, we're not pretending that
these other identity management subsystems don't exist anymore.
We're actually automating the orchestration of managing users across all of them.
That's number one.
Number two: in cybersecurity, every year we get a couple of acronyms that crop up.
And one of the hot ones this year is ITDR, that stands for Identity Threat Detection and Response.
And that's this piece.
That is the ability to detect threat vectors within the identity management stack
and actually feed it then to your SIEM, you know,
whether it's QRadar, Splunk or something else,
and allow you to get threat telemetry around identity usage
that is far beyond what any SIEM tool could ever do by itself.
Okay.
Now, third: the third critical element of doing
the identity fabric is the ability to onboard legacy applications.
One of the most common problems we see is clients have lots of legacy applications
with their own homegrown identity access management stack
that are unable to use modern authentication mechanisms,
such as risk-based authentication or passwordless with support for passkeys, right?
So being able to do low-code no-code,
quick onboarding of legacy apps to use modern authentication techniques
is huge, because not only does it improve the security,
it allows the auditability of the systems to be far greater.
The fourth element that we run into when we look at the identity fabric
is in fact this risk-based authentication idea.
This is how do you have this ongoing real time yet historical risk analysis,
risk assessment of every person trying to access your systems from anywhere?
At IBM, with our IBM Verify portfolio,
we have done some incredible things
using literally insights from the banking sector
to apply technologies that allow you to do things like analyze typing rate
or how you move your finger on your mobile device
and stuff like that, to determine what is
a risk assessment of you in the state that you're currently in.
All right, so number five:
the fifth critical element to being able to do this is
directory synchronization and consolidation.
You know, the directory issue was something that was huge about 25 years ago
and everybody thought, oh, I think we've solved that one.
What we found, like the example I gave you of Active Directory on three different platforms,
is the problem's even worse now in the hybrid world than it was before.
And so how do you get a consistent system of record
of who are the users who should have and do have access to your
systems without looking in dozens of different places?
So, that's a huge point here.
Number six:
the sixth of the seven critical elements for identity fabric is identity governance.
So what that means is, once we know who these users are and what access they should have,
how do we actually consistently manage that?
That's where identity governance comes in.
And the seventh and final critical element to any identity fabric
is the concept of privileged access management.
And that is for all of our privileged user accounts.
How do we effectively manage those things as consistently as we do for all these other things?
So this is what the identity fabric is.
It cuts through the fantasy that
all I need to worry about is that one strategic identity provider and one
strategic directory, because that's not reality.
It can be your reality, but you're going to be left with the same mess you have already.
The identity fabric with these seven elements
is what actually allows you to take a user
and their identity or identities, and manage them consistently across this whole thing.
We're very proud at IBM because, with our IBM Verify Identity and Access Management portfolio,
we've actually added - we've been working for years on this now.
And late last year we actually came out with all of this functionality.
And so we're very proud that our IBM Verify stack allows you to do identity orchestration
across any identity provider, not just ours.
We can do identity threat detection and response.
We can onboard legacy applications quickly.
We apply risk based authentication by
integrating literally the leading technology in the banking sector,
from our acquisition of Trusteer, into the identity stack
to provide a real time risk assessment for every user inside of the systems.
We've been doing directory syncing and consolidation for 25 years.
We have world-class identity
governance capability and world-class privileged account management capability.
So that's what the identity fabric is and I look forward to chatting with you about this again.
If you like this video and want to see more like it, then please like and subscribe.
Feel free to leave your thoughts in the comments section below.
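The risk-based authentication idea from the talk (the user who has logged in 275 times from the same place and device, and whose 276th attempt is judged by whether their behaviour still matches), worked through as an added example. This is not IBM Verify code and not the speaker's; the signals, weights, thresholds and the login history are constructed assumptions. It scores a new attempt against the user's own baseline (device, country, keystroke timing and typing error rate) and maps the score to allow, step-up or deny.

```python
"""Risk-based authentication as a score computed against a user's own login history.

Added example (not IBM Verify code, not from the talk's author). The signals,
weights, thresholds and the login history below are constructed assumptions
chosen to mirror the talk's scenario: a user with 275 prior logins from the
same place and device, and a 276th attempt that either looks routine or shows a
typing pattern the user has never had.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str      # stable device fingerprint (assumed to be collected by the client)
    country: str        # coarse location derived from the source address (assumed)
    typing_ms: float    # mean interval between keystrokes while entering credentials
    error_rate: float   # fraction of keystrokes that were corrections (backspaces)


# Constructed history: 'alice' logged in 275 times from one device in one country,
# with typing characteristics that vary only slightly between sessions.
HISTORY = {
    "alice": [
        LoginAttempt("alice", "dev-7f3a", "US", 110.0 + (i % 5) * 2.0, 0.02 + (i % 3) * 0.005)
        for i in range(275)
    ],
}

# Constructed weights: how much each deviating signal adds to the risk score.
WEIGHTS = {"unknown_device": 35, "new_country": 30, "typing_rate": 25, "error_rate": 20}
ZSCORE_LIMIT = 3.0  # a behavioural signal counts as deviating beyond 3 standard deviations


def _zscore(value, samples):
    """Distance of value from the user's own baseline, in standard deviations."""
    baseline, spread = mean(samples), pstdev(samples)
    if spread == 0.0:
        return 0.0 if value == baseline else float("inf")
    return abs(value - baseline) / spread


def risk_score(attempt, history=HISTORY):
    """Return (score, reasons); score is 0..100 and higher means riskier."""
    prior = history.get(attempt.user, [])
    if not prior:
        # No baseline to compare against: treat as medium risk rather than trusting blindly.
        return 60, ["no login history for this user"]
    score, reasons = 0, []
    if attempt.device_id not in {p.device_id for p in prior}:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown device")
    if attempt.country not in {p.country for p in prior}:
        score += WEIGHTS["new_country"]
        reasons.append("new country")
    z_typing = _zscore(attempt.typing_ms, [p.typing_ms for p in prior])
    if z_typing > ZSCORE_LIMIT:
        score += WEIGHTS["typing_rate"]
        reasons.append(f"typing rate deviates from baseline (z={z_typing:.1f})")
    z_errors = _zscore(attempt.error_rate, [p.error_rate for p in prior])
    if z_errors > ZSCORE_LIMIT:
        score += WEIGHTS["error_rate"]
        reasons.append(f"typing error rate deviates from baseline (z={z_errors:.1f})")
    return min(score, 100), reasons


def decide(attempt, history=HISTORY, step_up_at=25, deny_at=75):
    """Map the score to an action: allow, step_up (ask for another factor) or deny."""
    score, reasons = risk_score(attempt, history)
    if score >= deny_at:
        action = "deny"
    elif score >= step_up_at:
        action = "step_up"
    else:
        action = "allow"
    return action, score, reasons


if __name__ == "__main__":
    # The 276th login: same device, same country, typing as usual -> allow.
    routine = LoginAttempt("alice", "dev-7f3a", "US", 115.0, 0.024)
    # Same device and country, but typing speed and error rate unlike any prior session -> step up.
    odd_typing = LoginAttempt("alice", "dev-7f3a", "US", 160.0, 0.12)
    for attempt in (routine, odd_typing):
        print(decide(attempt))
```

The point the block makes is the one the talk makes: the decision depends on the user's own history, so it only works when every system the user touches feeds the same baseline. Note that the typing signals are compared with a z-score against that user's history rather than against a global threshold, which is what lets a slow typist and a fast typist each be judged against their own normal.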
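The fifth element, directory synchronization and consolidation, is about getting one consistent system of record when Active Directory is run separately on-prem, in AWS and in Azure by three teams that never compare notes. The following added example (not IBM's directory product, and not the speaker's code) reconciles three constructed directory snapshots into one view and reports the inconsistencies a reviewer would care about: an account disabled in one directory but still enabled in another, privileged group membership that differs between directories, and accounts that exist in only some of them.

```python
"""Reconciling several directories into one system of record.

Added example (not IBM's directory synchronization product). It takes the
talk's scenario literally: one team runs Active Directory on-prem, another in
AWS, a third in Azure, and nobody compares them. The three snapshots below are
constructed; in practice they would be exports from each directory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirRecord:
    account: str          # sAMAccountName-style login name
    enabled: bool
    groups: frozenset     # group memberships as recorded in that directory


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str             # missing_in | enabled_state_conflict | privileged_group_mismatch
    detail: str


# Groups whose membership must agree everywhere (constructed list for the example).
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "Enterprise Admins"})

# Constructed snapshots of three independently managed directories.
SNAPSHOTS = {
    "onprem-ad": [
        DirRecord("alice", True, frozenset({"Domain Users"})),
        DirRecord("bob", False, frozenset({"Domain Users"})),                # offboarded on-prem
        DirRecord("carol", True, frozenset({"Domain Users"})),
    ],
    "aws-ad": [
        DirRecord("alice", True, frozenset({"Domain Users"})),
        DirRecord("Bob", True, frozenset({"Domain Users", "Domain Admins"})),  # still live, and privileged
        DirRecord("svc-backup", True, frozenset({"Domain Admins"})),          # exists nowhere else
    ],
    "azure-ad": [
        DirRecord("alice", True, frozenset({"Domain Users"})),
        DirRecord("bob", True, frozenset({"Domain Users"})),
    ],
}


def reconcile(snapshots=SNAPSHOTS):
    """Return (system_of_record, findings).

    system_of_record maps each account to the directories it exists in, where it
    is enabled and the union of its group memberships; findings lists the
    inconsistencies between directories that a reviewer needs to look at.
    """
    index = {}  # account (lower-cased, since AD names are case-insensitive) -> {directory: record}
    for directory, records in snapshots.items():
        for rec in records:
            index.setdefault(rec.account.lower(), {})[directory] = rec

    system_of_record, findings = {}, []
    for account, per_dir in sorted(index.items()):
        enabled_in = sorted(d for d, r in per_dir.items() if r.enabled)
        disabled_in = sorted(d for d, r in per_dir.items() if not r.enabled)
        groups = frozenset().union(*(r.groups for r in per_dir.values()))
        system_of_record[account] = {
            "directories": sorted(per_dir),
            "enabled_in": enabled_in,
            "groups": sorted(groups),
        }
        missing = sorted(set(snapshots) - set(per_dir))
        if missing:
            findings.append(Finding(account, "missing_in", ", ".join(missing)))
        if enabled_in and disabled_in:
            # The classic offboarding gap: disabled in one directory, still usable via another.
            findings.append(Finding(account, "enabled_state_conflict",
                                    f"enabled in {enabled_in}, disabled in {disabled_in}"))
        privileged = {d: r.groups & PRIVILEGED_GROUPS for d, r in per_dir.items()}
        if len(set(privileged.values())) > 1:
            findings.append(Finding(account, "privileged_group_mismatch",
                                    "; ".join(f"{d}: {sorted(g)}" for d, g in sorted(privileged.items()))))
    return system_of_record, findings


def findings_for(account, snapshots=SNAPSHOTS):
    """The kinds of finding raised for one account, sorted for stable comparison."""
    _, findings = reconcile(snapshots)
    return sorted(f.kind for f in findings if f.account == account.lower())


if __name__ == "__main__":
    _, all_findings = reconcile()
    for f in all_findings:
        print(f"{f.account:12} {f.kind:26} {f.detail}")
```

With the constructed data, alice is consistent everywhere, bob is disabled on-prem but still enabled (and a Domain Admin) in AWS, carol exists only on-prem, and svc-backup is a privileged account known to AWS alone. Those are exactly the cases the speaker's "looking in dozens of different places" hides, and the consolidated view is the system of record the fabric's synchronization element is meant to provide.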