This is the first in a series of articles addressing one of the hottest topics in IT: identity management. Future articles will discuss identity management architecture, the role of standards, and the steps organisations should take for an effective identity management initiative, but here I put some stakes in the ground.
Before defining identity management, it is useful to clarify what we mean by identity. According to the Oxford English Dictionary, identity is “The fact of being who or what a thing or person is.”
Identity is the set of characteristics and attributes, including names, biometric characteristics, relationships, roles and so forth, which serve to identify a person or thing in a particular context. For example, the fact that someone is over 18 in the UK is sufficient to identify them in the context of purchasing alcohol, whilst their name, job role and employee number are required to identify them in the context of updating their personnel details in the human resources system at their place of employment. Identity attributes can manifest themselves in physical and digital forms, such as a driving licence and an employer-issued smart card. It is important to recognise that here we are talking about digital identity: the digital representation of the attributes (or, more correctly, of claims to possess the attributes, made by the subject or by another subject) which serve to identify a person or thing.
So, on that basis, we define identity management (sometimes called identity and access management) as:
The set of processes and supporting technologies which together manage the electronic definition, storage and lifecycles of digital identities and associated policies; and the application of those identities and policies to establish trust in the exchange of electronic information between multiple parties.
Identity plays a key role, amongst other factors such as business and contractual relationships, in facilitating trust. It is one aspect of the information that subjects use to assess the level of risk associated with participating in activities. For example, an online bank demands identifying information in order to assess whether it is willing to allow an individual to view the balance of an account and, potentially, additional information to perform a funds transfer between accounts, reflecting the relative risks associated with the two transactions.
Closely related to the notion of identity is that of credentials. Credentials are used to prove a subject’s claims to possess a particular identity and thus contribute to the ability of one digital subject to trust another. Credentials typically comprise one or more of “something you know” (for example, a password), “something you have” (for example, a smart card) and “something you are” (for example, a fingerprint). For example, before granting access to an online bank account, the bank requires a series of credentials, such as a PIN code and a password, in order to be able to trust that an individual is who they claim to be.