Thursday, December 23, 2010

The meaning of Identity?

I’ve been involved in a number of conversations lately with colleagues and the Identity Commons mailing list about the nature of identity. The fact of the matter is that, as far as the Information Technology / Information Security arena is concerned, there truly is no such concept as an identity. Rather, what we truly have is a collection of descriptors or “attributes” that, when brought together and agreed upon by an organization or group of organizations, describes what we choose to call the identity. Why the vagueness here? Because an identity can be more than just people, but that’s another story. Regardless, once we have determined what goes into an identity, we can begin to discuss how technology can process it.

The thing that I’m hearing more and more is that just having an identity is not enough. As mentioned previously, the identity is just an agreed-on set of descriptors and does not really do anything on its own. So how do we make this happen?

Well, it is rather easy when everything is within the same domain. Agreements are easy (well, easier) to make when there is only one organization involved. Once we get outside of the domain, there is greater complexity due to meeting the diverse needs of each organization, including (but not limited to) audit requirements, privacy rules, establishing common protocols and, of course, determining a description of what the identity is in the first place.

It’s great that we’re linking in tightly to ERP suites as Oracle and SAP tell us we should do. Leveraging repositories for use in authentication is great as Microsoft says we should do. Federation would be fantastic if we could get folks to come to quick agreements. What we really need is more actions that are associated with what we do with these identities. From what I’m seeing / hearing, there’s not enough being done with the actual identities once we’ve constructed them based on the authoritative sources in the organization’s IT infrastructure.

I think a great example of what can be done is shown in an article in CIO magazine that I saw on Jackson Shaw’s blog the other day.

We talk about these things all the time, but it seems many organizations barely get out of the Authentication / ERP stage, since that’s perceived to have more direct impact.

I disagree. Truly actionable items that result in a direct decrease in the time needed to get employees functional should be the first effort in any Identity Management project after the data has been cleaned and an identity has been defined.

This is an ongoing discussion that’s not going away anytime soon: neither the definition of Identity, nor what to do with the Identity, nor how to protect the Identity.