This is the second post in my series:
“I think it’s pretty clear that the Internet as a whole has not had a strong notion of identity. And identity means, ‘Who am I?’ Fundamentally, what Facebook has done has built a way to figure out who people are.” – Eric Schmidt (CEO of Google)
Identity Management, at its most basic, is the process of managing all aspects of a person’s identity. I love the quote from Eric Schmidt. It highlights possibly the greatest flaw that the explosion of the internet has exposed. It’s not just Facebook jumping onto the identity bandwagon, though. We have accounts across many sites and applications, none of which are linked. The success of Facebook has ensured that almost everyone has an account there, legitimising its claim (if it were to make it) to be the source of truth for all identities.
Traditionally, identity management provides the initial building block for an organisation to manage accounts. We see true identity management as the provisioning, de-provisioning and ongoing synchronisation of accounts from a source or sources of truth to specific target applications and directories. In this series, I will outline what this means, what the difference is between the corporate and Facebook identities, and why identity management is so important in helping organisations adopt cloud services.
So why do we need Identity Management? The aim of Identity Management is manifold but effectively comes back to providing the three A’s:
- Authentication: the ability to be permitted to connect to an application.
- Access: the method required to access the application, whether password, mobile device or retina scan.
- Authorisation: what level of access the identity has in the application.
By focusing on these capabilities, Identity Management:
- delivers greater security for corporate data and user information
- simplifies and speeds up the onboarding process within an organisation
- maintains consistency of identity information across all systems
- can manage application authorisation levels for new identities and automate changes when an identity’s details change.
A large number of Internet-based organisations provide Identity as a Service capability using the web-based protocols released in recent years. These services utilise calls contained within web-based protocols like SCIM, OAuth, OpenID Connect (OIDC) or SAML, while a traditional Identity Management system will utilise RESTful, REST-like or SOAP-based connections to make the appropriate calls to the application to create, change or remove an account.
Whether using the web-based protocols or an Identity Management engine, the basic requirements are the same. At its core, Identity Management manages identities through a complex design and configuration, applying specific policies to provision, de-provision and synchronise changes for identities in target applications from the source of truth. While the web protocols are making this a much faster process, they typically provide only basic provisioning, de-provisioning and synchronisation. The task of assigning authorisation levels and managing access is carried out by third-party components or within the application itself. By managing our identities in a secure store and controlling the distribution of those identities through Identity Management, we can ensure that we maintain the security of the single identity and disconnect any compromised application very quickly.
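As an added illustration (my own sketch, not code from this post or any product), the Python below works the provision / synchronise / de-provision loop described above as a reconciliation between a source of truth and one target application, and shows the quick disconnect of a compromised application. The SCIM-style operation format, the attribute names and the sample records are constructed assumptions, not a real SCIM client.

```python
"""Added example (not from the post): reconcile a source of truth against a target
application and emit SCIM-style operations. The op format and data are constructed."""
from typing import Dict, List

# Attributes the source of truth is authoritative for; anything else stays app-local.
MANAGED_ATTRS = ("email", "displayName", "active")


def reconcile(source: Dict[str, dict], target: Dict[str, dict]) -> List[dict]:
    """Return the operations that bring `target` in line with `source`.

    Both maps are keyed by a stable identifier (an employee number here), never by
    name or email, so a rename becomes a PATCH rather than a duplicate account.
    """
    ops: List[dict] = []
    for uid, src in source.items():
        if uid not in target:
            # Provision: the identity exists in the source of truth but not the app.
            ops.append({"op": "POST", "id": uid, "attrs": {k: src[k] for k in MANAGED_ATTRS}})
            continue
        # Synchronise: push only the attributes that have drifted from the source.
        drift = {k: src[k] for k in MANAGED_ATTRS if target[uid].get(k) != src[k]}
        if drift:
            ops.append({"op": "PATCH", "id": uid, "attrs": drift})
    for uid, tgt in target.items():
        if uid not in source and tgt.get("active", True):
            # De-provision: an account with no identity behind it is disabled rather
            # than deleted, so audit history survives and a bad feed can be reversed.
            ops.append({"op": "PATCH", "id": uid, "attrs": {"active": False}})
    return ops


def disconnect_application(target: Dict[str, dict]) -> List[dict]:
    """Emergency cut-off for a compromised app: deactivate every account it holds."""
    return [{"op": "PATCH", "id": uid, "attrs": {"active": False}}
            for uid, tgt in target.items() if tgt.get("active", True)]


# Constructed sample data: an HR feed (source of truth) and the app's current state.
SOURCE = {
    "e1001": {"email": "ana@example.com", "displayName": "Ana Lopez", "active": True},
    "e1002": {"email": "bo@example.com", "displayName": "Bo Chen", "active": True},
    "e1003": {"email": "cy@example.com", "displayName": "Cy Reid", "active": False},
}
TARGET = {
    "e1001": {"email": "ana@example.com", "displayName": "Ana Lopez", "active": True},
    "e1003": {"email": "cy@example.com", "displayName": "Cy Reid", "active": True},
    "e9999": {"email": "old@example.com", "displayName": "Orphan", "active": True},
}
```

Running `reconcile(SOURCE, TARGET)` yields a POST for e1002, a PATCH disabling e1003 (left the organisation) and a PATCH disabling the orphan e9999 that has no identity behind it.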
Next in this series I will discuss the specific components of the Identity Management solution starting at the source of truth.