The migration of sociability, business, entertainment, and other activities from the physical world to the virtual world of the Internet has dramatic implications on many fronts. The societal mores, legal structures, and commonly accepted business practices that govern everyday life in the physical world have evolved over thousands of years, and that evolution continues every day. But now we’re in the process of translating those structures to the Internet, creating a new place where people can interact. That “place” is radically different from the physical world, one where networked applications combine with ubiquitous connectivity to free transactions, communications, and other activities from physical constraints, thus creating an entirely new set of requirements.
When it comes to enabling a truly virtual world that can accommodate the breadth and depth of human endeavor, nothing is more important than identity. On the Internet, movement is instantaneous. People, applications, transactions, and data can cross many types of borders via many different paths. At the same time, the security issues associated with a very public and virtual space have become painfully clear as spam, phishing attacks, fraud, and identity theft have become all too common.
Digital identity is the keystone that will ensure that the Internet infrastructure is strong enough to meet basic expectations for not just service and functionality, but security, privacy, and reliability. That fact is becoming more and more obvious to more and more people every day. But as the Zen master once said, knowing the path and walking the path are two very different things.
How we create, use, store, and verify identity in the Internet context is a complex question, one that transcends both the public and private sectors, and every conceivable business. It raises a large number of thorny issues for society and individuals (not the least of which is privacy), corporations (including the regulation of core operations), and governments (laws, regulations, international treaties). The manner in which these issues are resolved will have a long-term impact on all segments of society and will determine what forms of digital identity will first augment, and then (at least potentially) replace the “official” and “trusted” manifestations of identity on which the physical world relies today. That change will take years, extending past the end of the current decade, involving societal, cultural, business, and political efforts.
How much control individuals will be able to take—or will want to take—over their digital identity is the subject of intense debate, for example. Pessimists predict that the intersection of government and commerce will create a surveillance state, one that will make privacy an artifact of the past. Optimists predict the liberation of the individual from both corporate and government control through the use of identity technologies that will put the individual in charge, inverting the traditional relationship between “consumers” and “service providers.” That debate will continue for the foreseeable future as unfolding events pull us in both directions.
Today, much of the activity around digital identity is business-focused. The pressure to compete in a networked world while simultaneously reducing costs is driving companies to integrate business processes and information technology on an increasing scale. Many enterprises are creating inward- and outward-facing systems that tie employees, customers, partners, suppliers, contractors, and other constituents into their business processes, for example. Instead of thinking about individual applications, enterprise IT architects must consider end-to-end business processes that span many boundaries, and how they can integrate the components of IT to support them. These trends are causing wholesale change in IT architectures, moving them to what we at Burton Group call “the virtual enterprise.”
The move to the virtual enterprise brings with it new security risks. These risks, along with the rapidly increasing number of regulations, both in North America and the European Union, are driving the need for new security models. Simply put, the traditional exclusionary security model—perimeter-based systems focused on keeping bad people out of the network—is not sufficient to protect the virtual enterprise. Today, businesses must augment exclusionary security with an inclusionary security model, one capable of explicitly determining, through policy, who can access the applications and data that support core business processes.
Such inclusionary models are unattainable without identity management. Identity must become persistent through the continuum of any given business process, spanning not just multiple applications, but also multiple organizations. Only then can identity provide the predicates for corporate governance, security, regulatory compliance, risk and liability management, and other core business functions.
For most enterprises, identity management is not easy. In fact, most enterprises’ identity management processes are poor, a fact that internal and external audits make painfully clear. Historically, enterprises have treated the symptoms of the identity management problem with point solutions. But Internet-scale identity management requires an integrated set of infrastructure services that enable a holistic approach to defining and managing identity. This sophisticated array of tools includes directory services, rules-based user provisioning, delegated administration, and self-service administration for passwords or other attributes. General-purpose, strong authentication systems, along with good credential management, are also core components of better identity management. Beyond authentication, enterprises must link applications to access management systems across a variety of operating systems, applications, and web-based single sign-on (SSO) products, making policy management yet another important part of the system.
Effective identity management also requires a new approach to systems integration and interoperability. Previous efforts to solve the identity problem (such as X.509-based public-key infrastructure) attempted to achieve interoperability through symmetry and homogeneity. But federation has recently emerged as a new and more effective approach to enabling interoperability between security domains. Emerging federation standards rely heavily on the loosely coupled web services architecture, which in turn relies heavily on the eXtensible Markup Language (XML). Both the web services framework and interoperable identity are evolving along similar architectural lines for obvious reasons. While the web services framework enables the virtual enterprise, identity management secures it. So it’s quite necessary for them to share architectural underpinnings.
The web services framework has, in essence, begun to create a standard software “communications bus” in support of service-oriented architecture. Applications and services can “plug in” to the bus and begin communicating using standard tools. The emergence of this “bus” has profound implications for identity exchange. Just as application and transactional data will flow across that bus, identity data will flow over that bus. And within service-oriented architectures, identity will become a core service.
The combination of web services and federated identity management has enormous potential; however, we have only just begun a long but inevitable transition to such a full-scale identity management infrastructure. And technology alone will not enable it. Regulations, laws, policies, and other mechanisms must evolve—both nationally and internationally—to create the context and boundaries for the acceptable use and management of identity. Likewise, business models for federating identity—including liability, risk management, and workable governance models—must evolve.
The evolution will be painful at times, occurring in fits and starts. Today, we’re several years and many breakthroughs away from the combination of standards, technologies, legal frameworks, and business models necessary to create a fully interoperable identity framework. While we’re in the early days, however, it’s clear that the era of digital identity management has arrived, and tools and techniques are emerging that will help companies address the issue. There are clear and strong links between identity management and enterprise business objectives in many industries. The market forces that will drive us inexorably forward to resolve these complex problems are active, causing real and significant movement.
Given these realities, today’s IT managers must start creating an identity management infrastructure that meets their business objectives. And that makes books such as this one all the more important. Through his work in both the public and private sectors, Phil Windley has a perspective on the issues of IT architecture and identity management that can come only through experience. Phil has lived the problem and is dedicated to finding a solution: one that works not just for one company, but for all companies. Phil has poured much of his experience into this book, which provides a great starting point for anyone needing to understand both the issues and technologies behind effective identity management.
It’s that starting point that is often the most important in any attempt to drive significant change, either in an organization or a technical architecture. The people and companies who take what Phil has to offer in this book, learn from it, and use it to start the process of change will be better prepared for the future. This book can be the first step toward a general-purpose identity management infrastructure that will enable new applications, services, or business models while reducing costs.
As an increasing number of enterprises take that path, digital identity management will emerge as a pervasive infrastructure, within, between, and across organizational structures. The technologies and standards, as well as the law and policy that evolve to regulate corporate use of identity information will both influence and be influenced by the larger personal identity infrastructure to come. Enterprise identity management and the larger societal move toward digital identity for customer, governmental, and other activities will inevitably intersect, changing the way we live and work in the process. I look forward to working with Phil and a host of other participants in the creation of that infrastructure.
Jamie Lewis
CEO and Research Chair, Burton Group
February 2005