The joys of identity management

Summary: Conversations about identity management with people whose default vendor is IBM tend to be based on different premises, and reflect different expectations, than nominally similar conversations with people whose information about identity management comes mainly from Sun.

I think it's obvious that automated identity management is becoming increasingly important and could easily be at the top of nearly every big organization's CIO agenda for the next year or two. Unfortunately I don't know what identity management is, and my guess is most of them don't either.

One of the things contributing to this contradiction is that people seem to be forming their ideas about identity management by combining what they understand from fairly cursory reviews of their default vendor's offerings with unexamined assumptions based on their interpretation of the words used, mainly "identity" and "management".

As a result conversations about identity management with people whose default vendor is IBM tend to be based on different premises, and reflect different expectations, than nominally similar conversations with people whose information about identity management comes mainly from Sun.

Most fundamentally, the IBM focus is ultimately on process management while Sun's is really about rights management, and neither one actually has much of anything to do with identity as normal people would normally understand it.

I think that's come about largely because the products aren't purpose designed - they're lashups: packaged offerings evolved on marketing commonalities between ad hoc "solutions" slapped together to meet specific customer needs.

For example, here's how one Sun document among many describes "The 4 A's of Identity Management:"

Authentication - Quickly verify user identities

  • Authenticate and authorize all user requests for secure applications and services with one integrated solution, regardless of where the requests come from or where the applications and services reside

Authorization - Control user access

  • Ensure that only authorized users may access protected resources based on specific conditions, and that they are granted access only after proper authentication
  • Provide role- and rule-based authorization for centralized policy enforcement

Administration - Manage users and assets

  • Provide a highly scalable deployment option for incorporating secure identity administration (e.g., registration, self-service, delegated administration) and federated provisioning capabilities into extranet-facing applications and portals
  • Accelerate the introduction of new, revenue-generating applications and services without having to compromise on security or compliance controls

Auditing - Automatically document what happened

  • Audit identities across enterprise applications and systems
  • Eliminate manual effort and enable continuous compliance by automatically scanning for, identifying, and fixing policy violations
  • Provide a clear trail of access requests so auditors can identify and correct potential regulatory violations
  • Include packaged policies as a starting point to help achieve compliance faster
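To make the four labels concrete, here is an added example (not from the Sun document or this post) of a minimal policy enforcement point that runs all four A's in one request path: authentication first, then role- and rule-based authorization, with every request audited. The user store, roles, resources and the "corp" network rule are constructed sample data.

```python
"""Minimal policy enforcement point illustrating the '4 A's' in one flow."""
import hashlib
import hmac


def _pw_hash(password, salt="demo-salt"):
    # Constructed demo hashing; a real deployment would use a slow, per-user-salted KDF.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Administration: constructed user records (credential hash + roles).
USERS = {
    "alice": {"hash": _pw_hash("alice-pw"), "roles": {"finance", "staff"}},
    "bob":   {"hash": _pw_hash("bob-pw"),   "roles": {"staff"}},
}

# Role-based policy: resource -> roles that may access it.
ROLE_POLICY = {"ledger": {"finance"}, "wiki": {"staff"}}

# Rule-based policy: resource -> condition on the request context.
RULES = {"ledger": lambda ctx: ctx.get("network") == "corp"}

# Auditing: an append-only trail of every access request, granted or denied.
AUDIT = []


def authenticate(user, password):
    """Authentication: constant-time check of the stored credential hash."""
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["hash"], _pw_hash(password))


def authorize(user, resource, ctx):
    """Authorization: role check first, then the resource's rule, if any."""
    if not USERS[user]["roles"] & ROLE_POLICY.get(resource, set()):
        return False, "role"
    rule = RULES.get(resource, lambda c: True)
    return (True, "ok") if rule(ctx) else (False, "rule")


def request_access(user, password, resource, ctx):
    """Centralized enforcement: authorization only runs after authentication."""
    if not authenticate(user, password):
        AUDIT.append((user, resource, "denied", "authn"))
        return False
    ok, reason = authorize(user, resource, ctx)
    AUDIT.append((user, resource, "granted" if ok else "denied", reason))
    return ok
```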

Look at this list and you should see first that it's full of redundancies, and second that a lot of the "what to do" more or less explicitly includes the "how to do." Thus identity management will "authenticate and authorize" users using "role and rule-based authorization for centralized policy enforcement."

Look more closely, however, and what you'll see is an effort to ensure that potential customers reading this will check off as many "required functionality" boxes as possible without inviting those customers to think about what the labels might actually mean.

Which would be fair game, except that when you get to implementing the pieces a specific customer has actually bought into, you need to make this stuff concrete, and at that point the absence of a central, consistent motivation for the entire package means that you can make it work, but you can't make it resilient against contra-skilled support or external change.

More tomorrow.

Topic: Security

Talkback

2 comments
  • Incomplete standards & compliance to them?

    I am not certain that anyone 'does' identity management as well as Windows Active Directory. Due to its ubiquity vendors have been forced to integrate it with their systems (UNIX, Linux, SAP, etc.). That said, it also has many holes that must be filled with third party products: two-factor authentication, Radius servers for 802.1x etc. The problem with identity management (i.e. it will remain fragmented) stems from vendors' inability to develop open standards and systems conforming to them that truly interoperate. For now, Windows AD is more a de facto standard than any other.
    asad.quraishi@...
    • Yep - but it's a 1% solution

      Dominant in its market for what it does - but utterly useless for large, complex applications that go beyond that.
      murph_z