Identity and Access Management has long been confined to two (or maybe three) buckets: B2E (employee focused), B2C (external consumer or customer focused) and then the “other” bucket – namely for IoT, machine to machine and application or process style IAM. I understand these buckets. My clients understand these buckets. Vendors talk to stakeholders in these buckets. Enabling a new field, sector or capability set is tough. Why waste your entire marketing budget on trying to enable the market on the next new widget, when you can capture budget and mind-share from existing sectors using existing nomenclature?
However, there is a pattern that has emerged over the last 2 years (unrelated to the pandemic, but perhaps accelerated by it) that is focused on a seemingly new set of quite subtle and nuanced capabilities: that of the market delivering identity services into a sub-layer of relationships. The B2B identity market, that in turn deliveries a set of identity services either directly to consumers or to other partners.
What is B2B2X?
So here we’re really just saying that the consumer identity services are not for the immediate buyer, but for a layer down. The “X” aspect, could relate to consumers and customers, or perhaps another business in the form of supply chain relations or other business related partnerships.
Whilst B2B2X can apply to a host of different infrastructure service offerings (see Amazon and AWS as a really immediate and huge market for B2B2X, where Amazon doesn’t own the last mile “B2X” but provides the “B2B” infrastructure), the origins of the term, seemingly came from the telco space. This Forbes article is a good primer, where we get a good understanding on some of the concepts and more importantly a discussion on the “why” and the “how” this new model is developing.
So why has this started to happen to identity and how are the features lining up? I think there are some clear “meta” patterns with respect to identity that are pretty obvious: the movement to “cloud first”, identity demand coming from external facing use cases and organisational landscape becoming ever more complex, with supply chain and partner models ever more nuanced.
It seems the demand for B2B2X servicing likely has some meta patterns too. If we take telco or computer infrastructure, there are some aspects with respect to industry maturity and also how market competition is developing. B2B2X providers, need to decide whether to become the “innovators” (aka delivering directly to a customer base) or “enablers” (aka providing more generic capabilities that allow others to specialise).
How do they decide? Well I’d imagine that do be an “enabler” the market for you needs to be broad – allowing a range of downstream “last mile” specialists to build solutions atop of your platform. See AWS. How many SaaS services use AWS? Thousands I would imagine all specialists in accounting software, ecommerce, manufacturing and a host of other competing and non-competing industries. There also needs to be enough “generic” capabilities across those non-competing industries that allow the B2B2X provider to create a platform with enough economies of scale.
What Are The Capabilities?
If we look at B2B2X in general, there are some basic capabilities that seem to take hold. The ability to provision separate tenants of service, the ability to customise, generic models for scale and elasticity as well as concepts such as marketplace services or a range of ways to extend and expand a generic platform.
But what about identity capabilities? Well it seems the most obvious is some aspect of delegated administration. A way for a sub-organiser to manage communities or sub-communities of users or identity yielding services. The B2B2X provider does not want to get involved in the “last mile” requirements, so needs a way to model how those services can be managed – that is provisioned, updated, restricted, customized and enrolled. So the ability to create communities and apply a set of permissions seems imperative, as well the ability to invite users or even further sub-admins.
Another interesting area seems to be that of relationships. Not necessarily how those relationships are created, but more how they can be managed. Relational examples such as:
- “B2X” end users to other end users
- “B2X” administrators with their user community
- “B2X” administrators and their parent entities
- “B2B” administrators and their peers
A typical identity system is often quite closed – that is a business operational domain exists that is handled by administrative controls, permissions controls and associated client application to domain relationships. Anything more than that was thrown to the “federation” managers who would look to link operational boundaries via flakey trust directives.
Another subtle identity use case, really follows this relationship argument, where the end user (even be it a tenant administator) wants control of the resources associated with them. Centralised authorization policy creation doesn’t fit the B2B2X model either functionally or non-functionally. The end user as the “data owner” wants the ability to share resources with peers. Tenant admins need control the resources under their control. This downstream delegation is quite a different model to the IT guy handling policy controls.
Self–service in general will be essential – for both the “B2X” end user and the associative mid-level administrators. The ability to acquire new services, request permissions or access and deploy should all be done in a way which follows standardized workflows and automated processes.
Who Needs B2B2X Identity?
The demand for cloud based identity is paving the need for this secondary market for B2B2X. Why is cloud proliferating in the identity and access management space? IAM is complex and spending millions on software and services to make it work doesn’t necessarily make business sense. It can be hard to measure the success of identity and investing in the “run-operate” infrastructure can be difficult to justify, even if the total costs are known. By outsourcing the heavy lifting – either to SaaS providers or managed services consultancies – reduces the costs and allows the buyer to focus on their industry specialism. Once that pattern of behaviour takes hold, it is a maturity step to start to see a demand for B2B2X identity.
Typical sectors are likely to be eCommerce and retail, healthcare, insurance, media or sectors where channel distribution is required.
There will certainly be some subtle differences too between B2B2C and B2B2B demand and which sectors that applies more to.
B2B2X identity is certainly here to stay. There are a number of European and North American identity vendors looking to address the complex delegated administration, relationship management and self–service style use cases needed to make these projects work. It will likely be a smaller addressable market than standard SaaS or cloud-native identity, but the use cases will require more specialist implementations with nuanced approaches to access control and self-service, that the more baseline identity providers will not be able to fulfil.
About The Author
Simon Moffatt is Founder & Analyst at The Cyber Hut. He is a published author with over 20 years experience within the cyber and identity and access management sectors. His most recent book, “Consumer Identity & Access Management: Design Fundamentals”, is available on Amazon. He is a CISSP, CCSP, CEH and CISA. His 2022 research diary focuses upon “Next Generation Authorization Technology” and “Identity for The Hybrid Cloud”.