Laws of Identity: A conversation with Kim Cameron, Part 2

Industry luminary Kim Cameron, now a distinguished engineer with Microsoft working on identity, wrote the Seven Laws of Identity in 2005. He discusses with ZDNet why these seven "scientific" laws are revealing their insight seven years later.
Written by John Fontana, Contributor

Kim Cameron's Laws of Identity outline a hypothesis on how identity and privacy should work on the Internet. In Part 2 of an interview with ZDNet, Cameron talks about identity and the enterprise and the role he feels cloud service will, and needs to, play. (Read Part 1 and the companion story.)

ZDNet: Enterprises today, what are the questions they need to ask?

Cameron: For enterprise people, the most important question is how can the cloud simplify my existence when it comes to identity. I am very interested in identity management as a service.

ZDNet: Are there new options the cloud presents for IAM?

Cameron: Yes, there is growing pressure on enterprises to simplify their identity management in order to achieve the flexibility and cost savings they need in current economic times. And so the cloud just happens to offer, if used wisely, to drastically cut the costs of identity management. On the other hand, it has to be done right, there are lots of issues around confidentiality, privacy, security and so on. But if done right, it is really transformative and I think it will completely change the industry. I see 10 years from now people will subscribe to identity management like they subscribe to telephone service today.

ZDNet: That is a bold statement.

Cameron: We have already decided I was incompetent with time-based predictions (laughs). But on the other hand, this one is a no-brainer. There are whole areas it can be done in a time and cost savings way. The problem with the types of identity questions I addressed in the laws, it is all interconnected, it is an ecology problem. One thing I learned is that ecology problems take a long time to solve. On the other hand, identity management as a service is a self-contained problem; there are no external dependencies, so I think it can move a lot faster. I would make it clear, I don't think the pre-Internet identity management problems, like meta-directory type problems around how you connect multiple legacy systems, will be outsourced, but going forward, all the other systems will be externalized.

ZDNet: All the systems?

Cameron: When I say identity management as a service, I am talking about a service for relying parties [Ed.: entities that accept identities validated by an identity provider]. What we traditionally call relying parties in our ecology, they won't have to worry about where things come from. The service will do that. But the service can do a lot of other stuff, it could run your smart card infrastructure, your multi-factor authentication infrastructure, in other words it could be a general global service. I don't mean could, it will be.

ZDNet: So big changes are coming for enterprise identity?

Cameron: It can't happen the way it is happening now. It is too difficult. Once you see the cloud, it is possible there is an order of magnitude of simplification for the people subscribing to the service. They wouldn't have to deal with the operational issues, they wouldn't have to deal with 'is the identity provider up or down.' It is all done by the service.
