Industry executives and experts share their predictions for 2025. Read them in this 17th annual VMblog.com series exclusive.
By Gerry Gebel, VP of Products and Standards at Strata Identity
In 2025, enterprises will face transformative challenges and opportunities in managing identity security, resilience, and governance. From the rise of multi-IDP (identity provider) architectures to the adoption of event-driven identity management, organizations will increasingly be required to balance innovation with operational complexity.

The growing importance of identity continuity and application governance will underscore the need for robust strategies that can adapt to dynamic environments, such as multi-cloud ecosystems and hybrid infrastructures. These predictions highlight the trends reshaping identity and access management (IAM), offering actionable insights for enterprises to stay ahead in securing their digital ecosystems.
1. Managing Multi-IDP Architectures Becomes the New Normal
- Prediction: Large enterprises will increasingly adopt multiple Identity Providers (IDPs) to optimize flexibility, enhance security and resilience, and choose best-in-class services for individual use cases. This shift toward multi-IDP environments will mitigate vendor lock-in and align with evolving infrastructure needs.
- Implications: Managing identity across multiple IDPs will require enterprises to invest in interoperable identity orchestration tools for streamlined access control and policy enforcement. This is particularly critical in M&A scenarios, where acquisitions result in diverse IDP landscapes. Identity orchestration will emerge as the key enabler for integration and governance of these heterogeneous stacks.
2. Wider Adoption of Event-Based Identity Management
- Prediction: Event-based IAM systems will see broad adoption, offering dynamic, real-time security controls that adapt to run-time events and contextual data, such as high-risk transactions, changes in location and device status, and more. A key development in 2025 will be the standardization of the CAEP (Continuous Access Evaluation Protocol) profile.
- Implications: Enterprises must transition from static IAM models to event-driven architectures. Organizations will need to plan how to adopt CAEP and publish event data. This will require integrating senders and receivers of event data and implementing orchestrators capable of taking action on event signals, such as revoking sessions, enforcing step-up authentication, etc.
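The receiver side of the exchange described above, as an added example that is not part of the original article or of any Strata Identity product: a CAEP transmitter sends Security Event Tokens (SETs, RFC 8417) whose `events` claim carries CAEP event types; the receiver verifies the token, rejects replays, and an orchestrator maps each event to an action (session revocation, step-up). The signing key, issuer, audience, subject data and the use of HMAC (HS256) instead of a transmitter's asymmetric JWKS key are assumptions made so the example runs offline. The event type URIs and the `change_direction` / `current_status` payload fields are taken from the OpenID CAEP specification; the location of the subject (top-level `sub_id` or per-event `subject`) varies across CAEP/SSF versions, so both are accepted here.

```python
import base64
import hashlib
import hmac
import json
import time

# Event type URIs defined by the OpenID CAEP specification.
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
ASSURANCE_LEVEL_CHANGE = "https://schemas.openid.net/secevent/caep/event-type/assurance-level-change"
DEVICE_COMPLIANCE_CHANGE = "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_set(claims: dict, key: bytes) -> str:
    """Transmitter side: build a SET signed with HS256.
    Assumption for this example: a shared HMAC key. Real transmitters sign with
    an asymmetric key published at a JWKS endpoint."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class SetReceiver:
    """Receiver plus orchestrator: verifies each SET and applies CAEP events to a
    session store. `sessions` maps a subject e-mail (constructed format) to state."""

    def __init__(self, key: bytes, issuer: str, audience: str, sessions: dict):
        self.key = key
        self.issuer = issuer
        self.audience = audience
        self.sessions = sessions
        self.seen_jti = set()  # replay protection: jti values already processed

    def verify(self, token: str) -> dict:
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        head_b64, body_b64, sig_b64 = parts
        header = json.loads(_unb64url(head_b64))
        # Pin the algorithm and type: the token must never choose how it is verified.
        if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
            raise ValueError("unexpected header")
        expected = hmac.new(self.key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(_unb64url(body_b64))
        if claims.get("iss") != self.issuer or claims.get("aud") != self.audience:
            raise ValueError("wrong issuer or audience")
        if claims.get("iat", 0) > time.time() + 60:
            raise ValueError("issued in the future")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("missing or replayed jti")
        self.seen_jti.add(jti)
        return claims

    def handle(self, token: str) -> list:
        """Returns the actions taken so the orchestrator can audit them."""
        claims = self.verify(token)
        actions = []
        for event_type, payload in claims.get("events", {}).items():
            subject = claims.get("sub_id") or payload.get("subject") or {}
            email = subject.get("email")
            session = self.sessions.get(email)
            if session is None:
                actions.append(("ignored", email, event_type))
                continue
            if event_type == SESSION_REVOKED:
                session["active"] = False
                actions.append(("revoke", email))
            elif event_type == ASSURANCE_LEVEL_CHANGE and payload.get("change_direction") == "decrease":
                session["step_up_required"] = True
                actions.append(("step-up", email))
            elif event_type == DEVICE_COMPLIANCE_CHANGE and payload.get("current_status") == "not-compliant":
                session["step_up_required"] = True
                actions.append(("step-up", email))
            else:
                actions.append(("unhandled", email, event_type))
        return actions


if __name__ == "__main__":
    key = b"example-shared-secret"  # constructed
    sessions = {"alice@example.com": {"active": True, "step_up_required": False}}
    receiver = SetReceiver(key, "https://idp.example", "https://app.example", sessions)
    token = encode_set({"iss": "https://idp.example", "aud": "https://app.example", "jti": "evt-1",
                        "iat": int(time.time()),
                        "sub_id": {"format": "email", "email": "alice@example.com"},
                        "events": {SESSION_REVOKED: {"event_timestamp": int(time.time())}}}, key)
    print(receiver.handle(token), sessions)
```

The checks in `verify` are the ones that matter when a receiver starts acting on pushed signals: a pinned algorithm, issuer and audience binding, and a `jti` cache so that a captured revocation or step-up event cannot be replayed against a later session.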
3. Identity Continuity Becomes Business Critical
- Prediction: As multi-cloud and hybrid environments proliferate, ensuring identity continuity will become a critical component of disaster recovery plans. Enterprises will prioritize the ability to switch between IDPs during outages to maintain business operations seamlessly.
- Implications: Recent large-scale outages in SaaS-based services have underscored the need for resilient identity systems. To minimize risks, enterprises will need to invest in multi-layered failover strategies, backup IDP infrastructures, and rigorous testing. This will require taking responsibility for resilience rather than solely relying on the assurances of IDP vendors for business continuity. Backup and recovery are no longer the only option; continuity for IAM infrastructure will take center stage.
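The failover behaviour described above, as an added example that is not part of the original article or of any vendor's product: an orchestration layer keeps an ordered list of IDPs, probes them with a health check, and opens a circuit breaker on a provider that fails repeatedly so that authentication requests are routed to the backup without waiting on a dead primary. The probe functions, thresholds, cooldown and the injectable clock are assumptions constructed for the example; the `failover_drill` function stands in for the rigorous testing the text calls for by simulating a primary outage and recovery against a fake clock.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class IdpEndpoint:
    """One identity provider in preference order. `probe` is a health check
    (constructed stub in the demo; in practice an OIDC discovery or token request)."""
    name: str
    probe: Callable[[], bool]
    failure_threshold: int = 3    # consecutive probe failures before the breaker opens
    cooldown: float = 30.0        # seconds to route around the IDP before re-probing
    failures: int = 0
    open_until: float = 0.0       # breaker is open (IDP skipped) until this clock value


class IdentityContinuityRouter:
    def __init__(self, idps: List[IdpEndpoint], clock: Callable[[], float] = time.monotonic):
        self.idps = idps          # primary first, then backups
        self.clock = clock
        self.events: List[str] = []   # audit trail of breaker transitions

    def _record_failure(self, idp: IdpEndpoint) -> None:
        idp.failures += 1
        if idp.failures >= idp.failure_threshold:
            idp.open_until = self.clock() + idp.cooldown
            idp.failures = 0
            self.events.append(f"breaker opened for {idp.name}")

    def _record_success(self, idp: IdpEndpoint) -> None:
        if idp.failures or idp.open_until:
            self.events.append(f"{idp.name} healthy again")
        idp.failures = 0
        idp.open_until = 0.0

    def select(self) -> IdpEndpoint:
        """Pick the most-preferred IDP whose breaker is closed and whose probe passes.
        An IDP in cooldown is skipped without probing; once the cooldown has
        elapsed it is probed again (half-open) and re-enters rotation on success."""
        now = self.clock()
        for idp in self.idps:
            if idp.open_until > now:
                continue
            if idp.probe():
                self._record_success(idp)
                return idp
            self._record_failure(idp)
        raise RuntimeError("no identity provider available")


class FakeClock:
    """Constructed for drills: lets a test advance time without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def failover_drill() -> List[str]:
    """Simulates: primary goes down, traffic fails over to the backup, primary
    recovers after the cooldown and traffic returns. Returns the chosen IDP names."""
    clock = FakeClock()
    primary_up = {"ok": True}
    primary = IdpEndpoint("primary-idp", lambda: primary_up["ok"], failure_threshold=2, cooldown=10.0)
    backup = IdpEndpoint("backup-idp", lambda: True)
    router = IdentityContinuityRouter([primary, backup], clock=clock)
    chosen = [router.select().name]          # healthy: primary
    primary_up["ok"] = False
    chosen.append(router.select().name)      # failure 1 of 2, still falls through to backup
    chosen.append(router.select().name)      # failure 2: breaker opens, backup serves
    chosen.append(router.select().name)      # in cooldown: primary skipped without probing
    primary_up["ok"] = True
    clock.now = 11.0                          # cooldown elapsed: half-open probe succeeds
    chosen.append(router.select().name)
    return chosen


if __name__ == "__main__":
    print(failover_drill())
```

The drill is the part worth keeping in a CI pipeline: a backup IDP that is never exercised is a documented intention, not a continuity control. Routing is only half of continuity; the relying applications must also trust the backup issuer and the backup must hold current user and group data, which the router above deliberately does not paper over.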
4. Increased Focus on Application Governance
- Prediction: Application ecosystems will grow in complexity, driving enterprises to adopt application fabrics for unified governance and compliance. Continuous discovery and monitoring will become cornerstones of effective identity management.
- Implications: Implementing an application fabric will streamline identity orchestration and governance by centralizing policies and reducing manual configuration. However, integrating legacy systems and coordinating between IT and business units will remain challenging. Discovery capabilities that span applications, users, access and authorization policies, etc., for both cloud-based and on-premises applications, will be required to meet the needs of application owners who lack this visibility.
## ABOUT THE AUTHOR
Gerry Gebel is VP of Products and Standards at Strata Identity and a recognized leader in cloud identity and access management with more than 20 years of experience in requirements definition, architecture development and strategic planning for identity management projects with Fortune 500 corporations. Gerry leads the effort with the Cloud Native Computing Foundation (CNCF) to develop Identity Query Language (IDQL), a policy orchestration standard, and the Hexa open-source project. He also co-chairs the OpenID Foundation AuthZEN working group, where he works to standardize authorization systems. He was a senior executive with Axiomatics and a VP with research firm Burton Group (acquired by Gartner). Gerry started his career in the technology group at Manhattan Bank (now part of JP Morgan Chase).