Identity Management as Kitchens and driving on the New Jersey Turnpike

Those of you who have been following me for years are aware of my preference for Identity Management Programs over one-off Projects.  The fact is, one might consider that a proper program goes something like this:

1. Set up the Directory/IDP
2. Define Roles
3. Set up Access Management (SSO/MFA)
4. Set up LCM processes
5. Implement Fine-grained authorization
6. Implement Self-Sovereign Identity and digital wallets

Of course, this list and its order depend on the needs and culture of the organization being served. In the long term, it is virtually impossible to do just some of this. It’s like upgrading or updating your kitchen. Now the Dining Room looks off, which makes the Den look dated, and then the carpeting, and then, of course, the bedrooms. All because one part of the house was improved.

My thinking has always been that you can’t really grant access until you have some sort of Identity store in place, which is usually the Directory Service for the Workforce and an IDP when it comes to CIAM.

Furthermore, steps two and three are somewhat interchangeable, but if you need to organize your identities, it’s likely due to an Access Management requirement, so you may want to complete this task sooner rather than later.

LCM needs are required regardless of use case, but of course take different forms. For the Workforce, this is more about how an employee progresses through their corporate career. On the CIAM side, this might involve subscriptions, optional services, and the ability to unsubscribe and be forgotten.

Refining all these processes and connecting them to additional applications will likely require some form of fine-grained authorization to ensure that all users can access only what they are intended to.

Once all of this is in place and working, we can begin to think about utilizing this information for digital wallets and establishing the foundations of Self-Sovereign identity using wallets. This will ensure that, in any given Identity-based transaction, only the minimum required attributes are shared.    

As far as the Identity Program goes, it’s like driving on the New Jersey Turnpike; the construction and work never seem to end. As soon as we finish one round of repairs and upgrades, it’s probably time to start over again.