Friday, August 08, 2008

I've been thinking

I've been thinking a lot on what Identity Management means lately. Certainly my posts and thinking have been revolving around Provisioning. No big surprise given my background. But in reading other blogs, articles and papers I'm starting to think more about the "bigger" picture.

Certainly, we'd be nowhere without the infrastructure of IdM. Managing data held in directories and application stores is the basis of our challenges in the field. The fact is there's information about users all over the IT/Web landscape. Finding ways of managing this information is absolutely critical.

This brings us to the topic of tools. We can think of all kinds of tools for managing identity information. Self-service kiosks, provisioning UIs and HR applications are all ways of obtaining information. Workflow engines and virtual and meta-directories help to synchronize and process data, and SSO applications allow us to increase the reach of our identity information. There is also the concept of managing and reducing the number of data repositories using these tools.

This is all old news to those of us in the IdM world; however, I'm getting more interested in what happens next, and I've blogged on this several times before. The way I see it, there are two things that have to happen:

1. The continuing maintenance of Data. This has to happen on multiple levels.

From the perspective of the enterprise, information from all sources in the enterprise should be brought into a unified structure. I won't even touch the question of this structure's format. For the purposes of this discussion, acknowledging the store is enough. This store should be kept up to date with respect to all connected repositories, becoming the central authoritative store.

There's another perspective that I have not really addressed in the past, which is the personal perspective. For too long, I've only looked at the enterprise perspective, but given recent trends I think it's important to look at personal identity management as well. By this, I'm referring to the ability of a given person to build the components of their identity for use by the outside world. What information should be public, and what information should be private with respect to other people and organizations?
  • Do my friends need to know my work telephone number or will my mobile suffice?
  • Do the people in my office need to know my IM handle that I use after work?
I think you get the point. I know there are a lot of people out there thinking about this and it is something I plan on learning more about in the coming months.

2. How do we know that our data, applications and access are secure?

This is another big question and touches on the topic of GRC, which I've also been blogging on recently. There's some debate on this at the moment which I'm not going to go into in detail. However, whether you look at this as one discipline or three (or four if you subscribe to GRCE) does not really matter for the purposes of this discussion. The fact is that all organizations must manage risk, and that includes risk to one's IAM data. The fact is that one's identity data is directly tied into one's access management data and therefore this needs to be watched closely.