*Editor’s note: To read Part I of this article, click here

In the first article in this series, I highlighted a broad range of business and technology trends, which demand identity management. I discussed how these trends lead to different identity management perspectives: focussing on the management or use of identities and focussing on an organisations’ domain of control or externally. I concluded with the observation that organisations will have to bring together a well understood set of identity management capabilities in an organised fashion if they are to respond effectively to these trends, which is the subject of this article.

The significant overlap and duplication in the applicability of particular identity management capabilities to the different perspectives on identity management and the business and technology requirements which lead to those perspectives has resulted in a complex picture of identity management in many organisations today. As figure 1 shows, it is common to see multiple, siloed identity management solutions, alongside a set of fragmented identity management capabilities locked away in business applications, information repositories and other IT resources. This picture is further complicated by the fact that organisations have - and continue to - pursue identity management projects in response to short-term business requirements.

Figure 1

This picture must be redrawn. A variety of factors, on both the supply and demand side of the market, will exert a powerful influence on identity management architecture over the next 2-3 years. The ongoing supplier consolidation and the associated shift away from a best-of-breed approach and towards integrated identity management suites will push identity management capabilities into the infrastructure layer, delivered as shared services. This will be accelerated by SOA initiatives, which demand that common identity management capabilities such as authentication and authorisation can be exploited by business function and information services. Effective control of those identity management services will require the use of policies which define the identity-specific requirements of each interaction, such as how a consumer of a business function service must be authenticated or their rights to access particular information. And, because those identity services depend on identity data, the disparate repositories which contain them must be reconciled and unified.