Top 5 Identity Fallacies: #2 Enterprise Identity is Hierarchical

There are several fallacies which appear and reappear in identity discussion, technologies, and deployments. This is the second article in a series which examines these fallacies, why they are so easy to fall into, and what their consequences are in networked computing.

One point I want to make in this series, is that these identity fallacies don't occur and become ingrained in thinking and technology design because people are stupid. They occur because people tend to see the evolution of computing as one of incremental steps, and rarely note that it is time for a complete paradigm shift in our outlook on what is happening until well after the fact. The fallacy that enterprise identity is hierarchical has affected and retarded the development of identity technology longer and more deeply than any other identity fallacy, but it came to exist as the result of just such a "it seemed logical at the time" process.

Enterprise identity management conceptually began as enterprise software became internet enabled. Thus its initial focus was on managing access for the employees of a company and components of that company's network. In a very logical response, the designers who were called on to develop products to meet that need looked around for existing standards and methods that might be pressed into service without requiring the lengthy research efforts required to develop new ones.

In the early 1990s Novell had the insight that wide area networking requires abstracting management and authentication for that network, and they created the concept of the network directory to do so (NDS in Netware 4.x). They chose this architecture because there was an ISO standard, X.500, that described such a directory, and it appeared to provide what was needed. The architecture was very hierarchical, but that seemed fine, since what was being modeled by it was the organizational chart of an enterprise and its network - apparently hierarchical structures.

Thus began the concept of directory services, largely as we know it today. And the concept that identity was hierarchical was built into its core. As long as the scale was relatively small, and what was being managed could be crammed into a single domain, this appeared to work well. There were some problems, like the fact that every application wanted the data organized differently, and these gave birth to the directory architect who examined all applications and designed an integrated directory model that served most of them. Other problems arose, and more labor was deployed to overcome them.

These problems arose because enterprise organization isn't actually hierarchical. And it gets less so with every move towards outsourcing, contract labor, and business partnerships - the very moves toward networking business itself that are creating business advantage today. And as computing moves to more and more mobility, the concept of identity as domain-centric is also being badly eroded. Identity is an abstration that resists being anchored in this way - see phone number portability, for a simple example. So the two fundamental architectural assumptions of the X.500 style directory not only don't apply in identity management, they are diametrically opposed to the reality of what they are trying to model.

Thankfully today new technology such as virtual directories, far more flexible meta-directories, and identity federation have arisen and matured so that enterprise identity can now be designed with these hierarchical directories restricted to reasonable domains. Those directories can then become nodes within a networked identity infrastructure that allows abstraction away from the strict hierarchical nature of the directory. This has set the scene for identity data stores to move to alternate database technologies as well, and still be able to easily integrate into an enterprise identity structure.

We are only now breaking loose from the grip of the fallacy that identity is hierarchical, and it is just in time. With the rise of user-centric identity as an architectural challenge, it seems certain that domain-centric identity management will evolve rapidly into forms that far better align with the multi-dimensional, networked nature of enterprise identity. This will make it far less expensive to deploy, in both dollars and manpower. But the biggest advantage will come from its growing ability to correctly model an enterprise's computing activities which will allow better security, management, and automation of compliance and auditing functions  while simultaneously relieving the current high burden of human, manual IT involvement in essentially clerical functions.