Identity Management – Who Am I?


This is the second post in my series:

The basic principles of Identity Management and Cloud adoption


“I think it’s pretty clear that the Internet as a whole has not had a strong notion of identity. And identity means, ‘Who am I?’ Fundamentally, what Facebook has done has built a way to figure out who people are.” – Eric Schmidt (CEO of Google)


Identity Management, at its most basic, is the process of managing all aspects of a person’s identity. I love the quote from Eric Schmidt. It highlights possibly the greatest flaw that the explosion of the internet has exposed. It’s not just Facebook jumping onto the identity bandwagon though. We have accounts across many sites and applications, none of which are linked. The success of Facebook has ensured that almost everyone has an account there, legitimising its claim (if it were to make it) to be the source of truth for all identities.


The Basics

Traditionally, identity management provides the initial building block for an organisation to manage accounts. We see true identity management as the provisioning, de-provisioning and ongoing synchronisation of accounts from a source or sources of truth to specific target applications and directories. In this series, I will outline what this means, what the difference is between the corporate and Facebook identities, and why identity management is so important in helping organisations adopt cloud services.


So why do we need Identity Management? Its aims are manifold but effectively come back to providing the three A’s:

  • Authentication: the ability to be permitted to connect to an application.
  • Access: the method required to access the application, whether password, mobile device or retina scan.
  • Authorisation: what level of access the identity has in the application.

By focusing on these capabilities, Identity Management:

  • delivers greater security for corporate data and user information
  • simplifies and speeds up the on boarding process within an organisation
  • maintains consistency of identity information across all systems
  • can assign application authorisation levels to new identities and automate changes when an identity’s details change.

A large number of Internet-based organisations provide an Identity as a Service (IDaaS) capability using the web-based protocols released in recent years. These services use the calls defined by protocols like SCIM, OAuth, OpenID Connect (OIDC) or SAML, while a traditional Identity Management system will use RESTful, REST-like or SOAP-based connections to make the appropriate calls to the application to create, change or remove an account.

Whether using the web-based protocols or an Identity Management engine, the basic requirements are the same. At its core, Identity Management manages identities through a complex design and configuration, applying specific policies to provision, de-provision and synchronise changes for identities in target applications from the source of truth. While the web protocols are making this a much faster process, they typically only provide basic provisioning, de-provisioning and synchronisation. The task of assigning authorisation levels and managing access is carried out by third-party components or within the application itself. By managing our identities in a secure store and controlling the distribution of those identities through Identity Management, we can ensure that we maintain the security of the single identity and disconnect any compromised application very quickly.
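To make the provisioning, de-provisioning and synchronisation cycle concrete, here is an added example of a minimal reconciliation engine; it is not code from the original post or from any product. It compares a source of truth (constructed HR-style records) with a target application's account store (also constructed, modelled as a dictionary rather than a live API), plans the SCIM 2.0-style create, patch and deactivate operations needed to bring the target in line with the source, and includes the "disconnect a compromised application" case as a quarantine that deactivates every account in one target. The mapping of `email`, `name` and `dept` onto SCIM attributes is an assumption made for the example; the schema URNs are the standard SCIM 2.0 ones.

```python
"""Identity reconciliation: source of truth -> target application (added example, constructed data)."""
from copy import deepcopy

# Standard SCIM 2.0 schema identifiers (RFC 7643 / RFC 7644).
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed source-of-truth records (e.g. an HR feed). "active" is the joiner/leaver flag.
SOURCE_OF_TRUTH = [
    {"id": "e1001", "email": "alice@example.com", "name": "Alice Ng", "dept": "finance", "active": True},
    {"id": "e1002", "email": "bob@example.com", "name": "Bob Ortiz", "dept": "sales", "active": True},
    {"id": "e1003", "email": "carol@example.com", "name": "Carol Singh", "dept": "finance", "active": False},
]

# Constructed snapshot of a target application's accounts, keyed by externalId.
# e1002 has drifted (wrong dept), e1003 has left but is still enabled, e1004 is an orphan.
TARGET_ACCOUNTS = {
    "e1002": {"email": "bob@example.com", "name": "Bob Ortiz", "dept": "marketing", "active": True},
    "e1003": {"email": "carol@example.com", "name": "Carol Singh", "dept": "finance", "active": True},
    "e1004": {"email": "dave@example.com", "name": "Dave Ro", "dept": "ops", "active": True},
}

SYNCED_ATTRS = ("email", "name", "dept")  # attributes the engine owns in the target


def plan_reconciliation(source, target):
    """Return the ordered list of (op, externalId, payload) needed to align target with source."""
    ops = []
    source_by_id = {rec["id"]: rec for rec in source}
    for sid, rec in source_by_id.items():
        attrs = {k: rec[k] for k in SYNCED_ATTRS}
        existing = target.get(sid)
        if rec["active"]:
            if existing is None:                       # joiner: provision
                ops.append(("create", sid, {**attrs, "active": True}))
            else:                                      # mover: synchronise drifted attributes
                changed = {k: v for k, v in attrs.items() if existing.get(k) != v}
                if not existing["active"]:             # re-hire: re-enable, never create a duplicate
                    changed["active"] = True
                if changed:
                    ops.append(("patch", sid, changed))
        elif existing is not None and existing["active"]:  # leaver: de-provision
            ops.append(("deactivate", sid, {"active": False}))
    # Orphans exist in the target but have no source record: disable rather than delete,
    # so the account (and its audit trail) can be examined before removal.
    for tid, acct in target.items():
        if tid not in source_by_id and acct["active"]:
            ops.append(("deactivate", tid, {"active": False}))
    return ops


def quarantine_target(target):
    """Emergency disconnect: deactivate every enabled account in a suspected-compromised target."""
    return [("deactivate", tid, {"active": False}) for tid, acct in target.items() if acct["active"]]


def to_scim(op, ext_id, payload):
    """Render one planned operation as the SCIM 2.0 request body a connector would send (assumed mapping)."""
    if op == "create":
        return {
            "schemas": [SCIM_USER, SCIM_ENT],
            "externalId": ext_id,
            "userName": payload["email"],
            "displayName": payload["name"],
            "active": True,
            SCIM_ENT: {"department": payload["dept"]},
        }
    path_for = {"email": "userName", "name": "displayName", "active": "active",
                "dept": f"{SCIM_ENT}:department"}
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": path_for[k], "value": v} for k, v in payload.items()]}


def apply_ops(target, ops):
    """Simulate the target applying the operations; returns a new store, leaving the input untouched."""
    result = deepcopy(target)
    for op, ext_id, payload in ops:
        if op == "create":
            result[ext_id] = dict(payload)
        else:
            result[ext_id].update(payload)
    return result


if __name__ == "__main__":
    for op in plan_reconciliation(SOURCE_OF_TRUTH, TARGET_ACCOUNTS):
        print(op[0], op[1], to_scim(*op))
```

Running the plan twice is the useful check: after `apply_ops` the second `plan_reconciliation` returns an empty list, which is the idempotence a synchronisation engine needs so that repeated runs never generate spurious changes.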

Next in this series I will discuss the specific components of the Identity Management solution starting at the source of truth.

Ref: http://www.brainyquote.com/quotes/keywords/who_am_i_2.html

Martin Klein


  1. Facebook – “the source of truth for all identities”. Seriously? Facebook provides very little (no) confidence around the origination and integrity of an identity.

    • Thanks David,
      Facebook has over 1.79 billion monthly active users with approximately 12% of these estimated to be duplicates or fake. Even with the worst case scenario of 12% this would be the largest store of Identity Data.

      As for the data quality, you are absolutely correct with respect to the data integrity from Facebook. However, the data is sufficient to provide an INITIAL source of truth if not THE source of Truth.

  2. Basically, Facebook is definitely out of our control. Even with an enforced IDaaS solution, once connected to Facebook any attempt to mitigate risks will be lost.
    On the other hand, Facebook is far from being the first concern of the majority of enterprises, and even if IDaaS makes sense for the ‘pure’ cloud based applications (Office 365 – SalesForce etc.) often the main critical assets of a mid-size enterprise reside on premise. So at this point in time I believe that the ability to manage on premises applications is more critical and that the niche players of IDaaS are not covering the full scope of needs. In some cases, on top of that, IDaaS solutions are also mainly based on an ABAC approach instead of an RBAC one, which implies a competitive advantage of granularity but a loss of control capacity. In conclusion the choice relies more on the existing state of an enterprise than on the willingness to be an early adopter of new technology.
