Jamie Lewis on the future of identity management

According to Lewis, reducing sign-ons is an achievable goal and he advised to use password management to kick-start policy. He said that in the near-term, federated sign-on (especially at the Web level) is viable, but just don’t expect any turn-key solutions as they will still require customized integration. In addition, he said that the foundations for identity assurance are weak, and auditing lacks sufficient pre-built reports, processes, policies and compliance templates.  Portable identity policy is still on the drawing board, Lewis said, and there is some interest in external authorization engines. However, the languages associated with identity and privacy, such as XACML,  XRML  and EPAL, are languishing, Lewis said. In the long-term, identity management audits, and associated privacy concerns, will remain a complex problem, as vendors are slow to address it. 

Lewis then shifted gears and gave a market history lesson. He pointed out how -- as consequence of all the "big fish eating the little fish" --  the market shifted away from best-of-breed products to product suites. He expects to see the next iteration of suites over the coming 12 to 18 months, which will help simplify identity management projects.  Once enterprises get past the significant integration, standardized identity management functions (compliance, credential, user and audit management) “will seep into the platforms themselves,” said Lewis. By the end of the decade, Lewis sees identity functions shifting from the platform to a service bus, an inevitable transition demanded by businesses moving to SOA architectures.

"The emergence of standards-based, federated communication infrastructure is inevitable," Lewis said. "Security architecture and risk management need to meet identity management." However, he cautioned that achieving meaningful implementation by the end of the decade will depend on how long the vendors want to fight over building the road (standard framework) as opposed to building neat cars and trucks (more proprietary solutions). He expects open source software to have an impact in moving the industry toward a common framework.

Lewis then spoke about user-centric identity management, pulling into the discussion the threats facing a virtual society living in virtual places, such as phishing and hackers. The dichotomies of privacy versus convenience and privacy versus safety--as well as the competing interests of commercial, individual and government entities--also create countervailing pressures.  He said social responsibility in our systems must increase, and that we need to acknowledge that the Internet is missing a layer--a flexible, adaptable identity system to support a wide spectrum of needs. It will take a lot to address these issues, but getting some agreements on the laws--such as those contributed by Microsoft’s identity guru Kim Cameron--and principles will be the first step, said Lewis.

New technology approaches, such as Sxip and Microsoft’s Infocard, are an early step in what Lewis called "federating individuals"--giving users more assertive control over their identity information in commercial, social and other contexts.
 
Lewis believes that an identity management system must support multiple, valid views in their context, mirroring the real world.  "That doesn't mean everybody gets what they want, but it means we have to build a system that supports multiple views," he said. "Identity is not like stretched socks. It's highly contextual like all social interaction... An identity system that works for a financial services company won’t work for social networking." He believes that federation is the most reasonable solution so far, because it allows for organic growth of an identity system, a self-organizing value system. "We should focus on the interoperability of the infrastructure as the most important thing we can do as a community," Lewis said.
 
What will it take to reach the promised land of interoperable identity systems?  First, is getting agreement on the basic principles, or laws, and instantiating those principles in working systems. "WS-* specifications  have many positive attributes, but ultimately they move to either de facto or de jure standards status. There will be resistance among some of the constituents, particularly at the licensing level," Lewis said.  
 
Meanwhile, what should enterprises do? Lewis recommends:

- Relate the problem to core business objectives (drivers: cost containment,  operational  efficiency, business need, regulatory compliance, risk management--all which are independent of product selection).
- Clean your own identity house.
- Carefully scope the problem you’re trying to solve.
- Understand the social responsibility inherent in building and managing identity systems.
- Start architecting with the idea of federation in mind.