Identity Management End-to-End (Part II of IV)

Editor’s note: this is Part II of a four-part article; Part I precedes it.


In the first article in this series, I highlighted a broad range of business and technology trends which demand identity management. I discussed how these trends lead to different identity management perspectives: focusing on the management of identities versus their use, and focusing on an organisation’s own domain of control versus relationships outside it. I concluded with the observation that organisations will have to bring together a well-understood set of identity management capabilities in an organised fashion if they are to respond effectively to these trends. That is the subject of this article.

Particular identity management capabilities apply to several of these perspectives, and to several of the business and technology requirements behind them, so there is significant overlap and duplication. The result is a complex picture of identity management in many organisations today. As figure 1 shows, it is common to see multiple, siloed identity management solutions alongside a set of fragmented identity management capabilities locked away in business applications, information repositories and other IT resources. This picture is further complicated by the fact that organisations have pursued, and continue to pursue, identity management projects in response to short-term business requirements.

Figure 1

This picture must be redrawn. A variety of factors, on both the supply and demand side of the market, will exert a powerful influence on identity management architecture over the next 2-3 years. Ongoing supplier consolidation, and the associated shift away from a best-of-breed approach towards integrated identity management suites, will push identity management capabilities into the infrastructure layer, delivered as shared services. This will be accelerated by SOA initiatives, which demand that common identity management capabilities such as authentication and authorisation can be exploited by business function and information services. Effective control of those identity management services will require policies which define the identity-specific requirements of each interaction, such as how a consumer of a business function service must be authenticated, or what rights they have to particular information. And because those identity services depend on identity data, the disparate repositories which contain that data must be reconciled and unified.

Customer concerns about identity theft and the increased emphasis that is being placed on risk management amongst organisations will require graduated models for authentication and authorisation which more accurately reflect the risks of all parties in a transaction. Regulatory compliance will also exert its influence here, as well as emphasising the importance of role-based approaches to the definition and enforcement of entitlements.

All of these changes depend on treating identity as a “first-class citizen” rather than as secondary to resources, as does the increasing use of online service provision and the competitive differentiation that can be derived from it. As the individual moves to the centre of a hub of services they access, services which will increasingly depend on collaboration between service providers, federation amongst those service providers, reflecting the needs of the individual, will become increasingly important.

These factors are going to force organisations to rethink their approach to identity management architecture. At the centre of that rethink must be the recognition that identity management has to be delivered as a set of horizontal, resource-agnostic capabilities, as opposed to the vertical, resource-specific, fragmented silos shown in figure 1. The result will be identity management solutions that adhere to seven core tenets:

  • Identity-centric – they need to transition from an architectural approach which is resource-centric to one which is identity-centric
  • Context-specific authentication – authentication mechanisms must reflect the level of risk and the granularity of the resources associated with that risk, without over-burdening the individual, and should apply to both parties in an interaction (the service authenticates itself to the individual as well as the reverse)
  • Integrated identity data silos – hybrid identity data integration approaches that combine the benefits of metadirectory and virtual directory technologies, allied with tooling to assist with data reconciliation
  • Policy-based and service-oriented – access to business functions and information must be authorised at the level of each service, using policy-based approaches to the definition and enforcement of access control requirements
  • Federated – a federated approach is required for the mediation of the relationships at the heart of identity management, which in turn depends on managing and brokering the trust that underpins those relationships
  • Shared identity services – identity management capabilities must be delivered as distributed infrastructure services, which exploit existing services and are defined according to clear contracts which are enforced through policies
  • Roles as first-class identity assets – roles must be modelled at the intersection of identities, entitlements and organisational structures, and managed as part of the broader identity management lifecycle
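
To make three of these tenets concrete (context-specific authentication, policy-based authorisation at the level of each service, and roles modelled at the intersection of identities, entitlements and organisational structure), the following is an added illustration in Python; it is not code from the article or from any product it discusses. The levels of assurance, the role definitions, the services and the user records are all constructed assumptions. The point it shows that the prose does not is how a single shared policy decision point can return a step-up requirement rather than a flat deny when an entitled user's session was authenticated too weakly for the risk of the resource.

```python
"""Toy policy decision point (PDP) for a shared identity service.

Added example, not from the article. Every name, level and policy below
is a constructed assumption used only to illustrate the tenets.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Level of assurance achieved by a session's authentication method.
# Only the ordering matters; the labels are illustrative assumptions.
LOA: Dict[str, int] = {"password": 1, "password+otp": 2, "smartcard": 3}


@dataclass(frozen=True)
class Identity:
    uid: str
    org_unit: str        # organisational structure the role model draws on
    grade: int           # job grade, also from the organisational model
    auth_method: str     # how this session was authenticated

    @property
    def loa(self) -> int:
        return LOA[self.auth_method]


@dataclass(frozen=True)
class Role:
    """A role at the intersection of identities (membership rule),
    entitlements (what it grants) and organisational structure."""
    name: str
    org_units: FrozenSet[str]
    min_grade: int
    entitlements: FrozenSet[str]

    def matches(self, ident: Identity) -> bool:
        return ident.org_unit in self.org_units and ident.grade >= self.min_grade


@dataclass(frozen=True)
class ServicePolicy:
    """Per-service policy: the entitlement an action needs and the minimum
    authentication level the resource's risk rating demands."""
    service: str
    action: str
    entitlement: str
    min_loa: int


@dataclass
class Decision:
    effect: str                   # "permit", "deny" or "step-up"
    reason: str
    required_loa: Optional[int] = None


# Constructed role model: membership is derived from org unit and grade.
ROLES: List[Role] = [
    Role("payments-viewer", frozenset({"finance", "audit"}), 1,
         frozenset({"payments:read"})),
    Role("payments-approver", frozenset({"finance"}), 5,
         frozenset({"payments:read", "payments:approve"})),
]

# Constructed per-service policies; approving a payment is higher risk,
# so it demands a stronger authentication level than reading one.
POLICIES: Dict[Tuple[str, str], ServicePolicy] = {
    ("payments", "read"): ServicePolicy("payments", "read", "payments:read", 1),
    ("payments", "approve"): ServicePolicy("payments", "approve",
                                           "payments:approve", 2),
}


def resolve_roles(ident: Identity) -> List[Role]:
    """Derive roles from organisational attributes, not static user lists."""
    return [r for r in ROLES if r.matches(ident)]


def entitlements_for(ident: Identity) -> FrozenSet[str]:
    ents = set()
    for role in resolve_roles(ident):
        ents |= role.entitlements
    return frozenset(ents)


def decide(ident: Identity, service: str, action: str) -> Decision:
    """Policy-based mediation for one service call: default deny, then
    entitlement check, then graduated authentication check."""
    policy = POLICIES.get((service, action))
    if policy is None:
        return Decision("deny", "no policy defined for service/action")
    if policy.entitlement not in entitlements_for(ident):
        return Decision("deny", f"missing entitlement {policy.entitlement}")
    if ident.loa < policy.min_loa:
        # Entitled, but the session was authenticated too weakly for the
        # resource's risk: request step-up rather than a flat deny.
        return Decision("step-up", "authentication level below policy minimum",
                        required_loa=policy.min_loa)
    return Decision("permit", "entitled and authentication level sufficient")


if __name__ == "__main__":
    alice = Identity("alice", "finance", 6, "password")
    print(decide(alice, "payments", "read").effect)     # permit
    print(decide(alice, "payments", "approve").effect)  # step-up
```

Because the decision is made once, in the shared service, changing the risk rating of the "approve" action or the membership rule of the "payments-approver" role takes effect for every consuming service without touching application code, which is the practical payoff of the horizontal, policy-driven approach the tenets describe.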

The upshot of this change in architecture thinking will be a redrawing of figure 1 to something which more closely resembles figure 2.

This architecture blueprint has a number of characteristics which are essential if it is to provide an identity management foundation for the long term, capable of supporting the broad array of business requirements in an incremental fashion.

It is based on a clear separation of identity management concerns, with identity management capabilities delivered as a set of distributed infrastructure services, underpinned by a federated identity data repository.

Resources access these services through policy-based mediation, which also serves to control the monitoring and audit functions required to mitigate risk and enforce and demonstrate compliance.

Identity data is managed throughout its lifecycle, from core data maintenance through to provisioning and de-provisioning, by a set of processes implemented using automated workflow and process management technologies, to increase efficiency, enforce consistency and facilitate integration of identity management and business processes.

Open standard protocols and data formats bridge the gaps between the layers to facilitate interoperability between the architectural components and the broader IT infrastructure. These standards initiatives, their relative maturity and adoption, and some thoughts on their evolution will be the subject of the next article.

About the Author

Neil Macehiter is a co-founder of and Research Director at Macehiter Ward-Dutton, a specialist IT advisory firm which focuses exclusively on issues concerning IT-business alignment – including IT architecture, integration, management, organisation and culture. Neil specialises in enterprise architecture/SOA, web services, virtualisation and identity management. Immediately prior to forming Macehiter Ward-Dutton, he was Ovum’s Research Director for enterprise architecture topics, leading a team of analysts covering software development, deployment and management issues. Before that he spent fourteen years in a range of consulting and sales support roles for a number of the largest IT suppliers, including Oracle and Sun Microsystems, and latterly in product and corporate strategy for a number of European start-ups, including Autonomy and Zeus Technology. Neil has acted as an advisor to leading vendors, including IBM, Oracle, Microsoft and Sun Microsystems; and to large IT user organisations, including the Australian Government’s Centrelink department, the Netherlands’ Government’s Belastingdienst agency, The UK Government’s Department of Work and Pensions and The Government of Hong Kong. Neil is a regular speaker at conferences throughout Europe and is regularly quoted in mainstream and IT specialist media, including the BBC, Computer Weekly, The FT, The Times and IT Week. Neil earned an MA in Natural Sciences from Cambridge University in 1985.


About Macehiter Ward-Dutton

Macehiter Ward-Dutton is a specialist IT advisory firm which combines industry research and analysis with tailored consulting services, and is focused exclusively on issues surrounding IT-business alignment.

The company was formed in February 2005 by two top-level analysts formerly of Ovum: Neil Ward-Dutton and Neil Macehiter.