In medieval times, strong walls and moats surrounded great cities. Guards were posted at the gates of the city, and everyone coming or going was inspected and questioned about their purpose for entering or leaving the city. At the same time, cities were where the markets were held. You can imagine the crush at the gates on market day with peasants bringing their goods into the city from outside and visitors clamoring to get to market. After market was over, the process was reversed. With our modern eyes, we can see what an impediment to commerce the walls were, yet at the time, city residents were thankful for their security.
The walls were not broken down by enlightened thinking about of how markets should work, but rather a weapon for which the walls were no match: the trebuchet (see Figure 1-1). A trebuchet is a gravity-powered catapult that is vastly superior to its torsion-powered cousins. The trebuchet revolutionized medieval siege warfare and eventually spelled the end for city walls. The result not only forced an alternative strategy for security, but also had the pleasant side effect of increasing commerce.
I recently had the opportunity to sit with a group of CIOs and discuss digital identity. What struck me was how much of the conversation was about security and liability rather than identity and opportunity. They had a siege mentality and their security planning showed it.
Modern corporations are the walled cities of our time—sitting behind firewalls and defending themselves from attack. What these CIOs and others can’t see is that their security implementations are restricting their company’s opportunities in the same way that ancient walls restricted commerce in their day. Fortunately, commercial enlightenment, rather than a weapon that cannot be withstood, is awakening a desire in corporations to rethink how we provide security so that our interactions with customers, employees, partners, and suppliers are richer and more flexible.
The economic shifts that have occurred over the last decade have changed how businesses operate and the expectations of customers. One of the most dramatic shifts has been the rise of network-based, automated services. In many cases, we’re “spending more and owning less,” in the words of Jeremy Rifkin. When I fly, I almost always purchase tickets online, but more than that, almost all of my needs as a customer of the airline are self-serviced, using online web applications. I can check flight schedules, be notified by SMS if my plane is running late, check my frequent flyer account balance, and even redeem upgrade points and change my seat online. The changes underlying these trends have profound implications for businesses and customers alike.
For businesses, a service-oriented economy means that they must adjust to entirely new ways of relating to their customers. The World Wide Web changed the way companies market their products. But more importantly, the products themselves have changed. Perhaps the most significant change is that there is no longer a human in the loop to create a trust relationship with the customer, make up for process deficiencies, and represent the company. When two businesses merge, they often find that they have very different approaches to knowing their customer and that this makes leveraging the combined operation almost impossible.
For customers, the changes are equally dramatic. Where they used to purchase things from people at physical locations, they now purchase or use services delivered to them electronically on their computer, PDA, and even their phone. The usual trust marks that customers have relied on in the past are either missing or easily forged. As the number and breadth of services that people use grows, they find that they are inundated with requests to identify themselves and to divulge information they consider private.
In addition to their customers, businesses have relationships with partners, suppliers, and employees. Networks have changed those relationships as well. Just as with the business-customer relationship, these relationships are increasingly moving to the electronic world and being mediated by automated processes rather than people.
At the heart of this service-oriented economy are network-based, automated transactions. Automated transactions are fundamentally different than the transactions that occur in the physical world. When I stop by the convenience store to buy a snack, I can exchange cash for peanuts. Unless the clerk happens to know me, the transaction is anonymous. In contrast, in the service-oriented economy, anonymous transactions are rare, because delivering service automatically almost always implies that you have to know something about who’s receiving the service—if not their names, then at least their preferences or other attributes. This identifying information is usually transferred digitally, across the network. In a service-oriented economy, digital identity matters.
Of course when we talk about the service-oriented economy, we’re not just talking about e-commerce. Note that my example with the convenience store involved a small cash purchase. But imagine the same scenario, except this time I use a debit card, credit card, or check. In any of those cases, I’ve invoked a network-based financial service as part of the overall transaction. Network-based services are as pervasive in transactions that occur in the physical world as they are in online interactions.
In an automated, network-based service, I have to know who you are in order to sell you access to my service. Since these services are increasingly delivered over digital networks, businesses need reliable, secure, and private means for creating, storing, transferring, and using digital identities. Network-based, automated services are not just delivered to customers—employees, partners, and suppliers also interact with the enterprise via services. In many cases, anonymous service is impossible or undesirable, and as a consequence, digital identities must be assigned and managed.
In addition to identifying customers to sell them services, business have an increasing need to identify employees, systems, resources, and services in a systematic way to create business agility and ensure the security of business assets.
Digital identity is the lynch pin in each of the activities we have just discussed, along with a wide variety of other activities important to business. Consequently, how your organization manages digital identities will have a great impact on whether you are constantly fighting problems brought on by a lack of attention to managing identity, or whether you are exploiting opportunity enabled by a flexible and rational digital identity infrastructure.
The common ATM machine is a great example of how digital identity enables new business opportunities. Before ATMs were invented, a bank’s customers took care of their banking needs by presenting pieces of paper to a human teller. The papers included instructions to the bank (e.g., deposit slips), cash, checks, and other financial instruments. Unless the teller personally knew the customer, the customer usually also presented some kind of identity credential, such as a driver’s license. The teller was able to verify the identity of the customer and the validity of the various pieces of paper.
The ATM was possible only because banks created a means of identifying their customers digitally. We’re all familiar by now with the debit card and PIN that ATMs require from us before service. The card carries identity information and the PIN tells the bank that the person presenting the identity is entitled to use it. With the advent of a digital identity infrastructure, banks no longer needed a human in the loop to verify the customer’s identity.
From the bank’s perspective, the most obvious benefit from an ATM is to reduce the cost of employing the teller, but there are other benefits as well. I lived in Japan for two years during the 1970s and experienced ATM machines there for the first time. I’d never even heard of ATM machines before that. I had a chance to visit Japan again in 1996 and found something strange. There were still plenty of ATM machines, but they operated only when the bank was open. You you could only receive during banking hours.
Japanese banks, at least in 1996, still viewed ATMs as simply “teller replacements.” But in the U.S., something more interesting had happened: ATMs were used to extend service in ways that went beyond merely replacing the teller in the branch. ATM machines extended service in three fundamental ways:
ATM machines were open 24 hours per day, seven days a week. In fact, the first time I ever saw the phrase “24/7” was as part of a branding campaign for a small credit union in California. 24/7 was a catch phrase in the banking industry before the Internet made it popular.
ATM machines increased the number of customers a bank could service simultaneously, with multiple ATM machines being installed in many bank branches.
Because they are relatively inexpensive, ATM machines were installed outside of bank branches in convenience stores, shopping malls, theaters, and so on. These businesses usually shared in the profit from the ATM transactions.
This example shows clearly the three primary ways that information technology can extend a business. Tom Parenty[*] describes them as extensions of time, scale, and locale.
Each of these extensions is built on a foundation of digital identity. Without a digital identity infrastructure to give bank executives the ability to trust that people using the ATMs are allowed to take authorized actions, ATMs would have never been deployed.
The other side of this relationship is equally instructive. Customers feel good about participating in transactions with the bank because of trust marks that they encounter before and during the experience: the big building, the brand of the bank, the FDIC sticker, and last but not least, the teller are all part of this. The first ATMs were installed in bank lobbies to keep much of that intact. Humans frequently helped customers through their initial fear of dealing with a machine, effectively transferring the trust that customers placed in the human teller to the digital identity infrastructure and computer systems that made up the ATM system. Nowadays, of course, ATMs appear in all kinds of settings, and most people trust the debit card and PIN to adequately protect their assets.
Just as ATMs changed the way banks do business, information technology, and especially the growth of the Internet, has fueled a multitude of opportunity for business to throw off the old restrictions of time, scale, and locale. Doing so, however, requires a better understanding of digital identity than ever before.
Like medieval city planners, IT professionals and others have traditionally thought of security as an edge game. Given a firewall and access control to the network, we can do a reasonable job securing a business. However, the economic shifts spoken of previously have driven the need to integrate systems not only internally, but with trading partners and customers as well. This trend is fueled by XML and the creation of standards for exchanging data and the increasing trend to decentralized computing that is embodied in service-oriented architectures (SOAs) and web services. But this trend has ramifications for business security: we can no longer treat the edges of the network as a secure perimeter.
When integration is driven by business, rather than IT needs, security policies need to talk about documents, data, actions, people, and corporations instead of machines and networks. This new security model is infinitely more complex than the old “secure perimeter” model. But even if you can define your identity strategy, how do you ensure that it is properly implemented across dozens or even hundreds of systems, and, at the same time, control access to fields of a database or paragraphs of a document?
Understanding how your organization can make use of digital identity requires understanding concepts such as trust and privacy. Moreover, digital identity is built on a set of technologies that includes cryptography, authentication, authorization, identity provisioning, directories, digital rights management, identity federation, and interoperability standards. Later chapters in this book will discuss these concepts and technologies in detail, and show how they fit into an overall identity management strategy.
The most difficult part of getting identity management right isn’t technical. Management, policy, and even political issues are more likely to be the things that stand in the way of success. To that end, the final section of this book will describe a methodology for creating what I call an identity management architecture (IMA) that can help you overcome these challenges.
An IMA is unique to each organization. Creating an IMA for your organization requires a firm framework for governance and understanding the business context within which it will operate. To that end, the methodology in this book includes detailed ideas about how you can document, analyze and understand the business context that your identity infrastructure will have to support.
An IMA has three primary components:
The process architecture is a methodology for determining how your business accomplishes identity related tasks now and how they should be accomplished in the future. The architecture is based on an identity infrastructure maturity model that lays out how processes can be changed to make them more effective in supporting the identity needs of the business.
The data architecture is a model of the identity data in your organization. Recently, a number of news stories have highlighted organizations that lost control of identity data and were publicly embarrassed over the resulting privacy concerns. Getting a handle on where your identity data is and what processes affect it will help you avoid these problems and help you build an infrastructure that is responsive to business needs.
The technical reference architecture is how the IMA communicates implementation guidance to system architects, the people who design the systems that use identity processes and data.
Later chapters in the book will discuss each of these components in detail and help you build processes in your organization to create them. Each of these components makes use of two other important parts of an IMA:
Policies are crucial in creating identity infrastructures that work for the simple reason that it’s impossible to create technical solutions to every problem. Ultimately, the behavior of people in your organization will determine whether or not your identity infrastructure meets its operational goals.
An interoperability framework is a list of standards that your organization has chosen to support and use. Making these decisions explicit is critical to building an identity infrastructure.
Some organizations believe that they can’t be bothered to create policies and make standards decisions, but I hope that the chapters on these two important subjects will change your mind and show you how policies and standards can be liberating, rather than confining, for your business.
Digital identity is at the core of almost every modern business process. I’m confident that an IMA will help your organization, regardless of its size, use digital identity technologies to build an infrastructure that will pay dividends in every other area of your business.
[*] Parenty, Thomas J. Digital Defense: What You Should Know About Protecting Your Company’s Assets. Cambridge. Harvard Business School Press, 2003.