Phil Becker, Editor of Digital ID World and a deep thinker on network identity, offers some keen insights in his series The Coming Third Wave of Identity (Parts: 1, 2, 3, 4). In the conclusion, Phil points out the distinction between the management and the use of identity data:
One of the more difficult things for people to gain clarity about in their understanding of identity management, is the separation of the management of identity data itself, and the actual leveraging and use of that data to accomplish various network application and data focused missions such as access control, provisioning, data protection, policy enforcement, etc.
He highlights the importance of the identity data foundation and the difficulty of getting a set of well-managed data (emphasis mine):
...today the emerging identity third wave is producing more and more products that seek to leverage identity for a wide variety of purposes. But to be successful, they must rely on a well-managed network of identity data, and obtaining that is a major task in itself.
It turns out that this first step is the hardest one, as it brings to light all of a company’s processes around on-boarding and off-boarding both employees and contract personnel, along with processes around promotion, internal job changes, transfers within the organization, management changes, acquisition integration, outsourcing, etc.
He then points out that we have deluded ourselves in the past about how the problem will be solved by this or that technology:
It is this part of identity management that has long been thought to be “solved by a good directory”, but which has been seen to be a far more networked problem than that. (Although the rise of Active Directory in many companies promises a reprise of this difficult learning curve for many companies.)
So far, so good, but I have a problem with the following statement:
… resulting product evolution has been finding ways to create a well managed identity data set without radically disrupting and altering existing company processes. It is here that technologies such as identity virtualization, synchronization, delegation of management via workflow, etc. come into play.
Initially, the well managed identity data was used to feed such things (as) web access control...
I have two major challenges to this statement. Let me explain.
Since we were mistaken in thinking a few years back that “a good directory” would solve this problem, how can we say with certainty that the current set of tools will solve it? I submit that we are quite likely building a giant Rube Goldberg Machine that has still not solved our problem and may need to be dismantled and replaced by true solutions, yet to be determined. I will delve into this aspect in a future post, but let me just point out that the industry regularly adds new components to “the solution” as we realize that the identity machine we are building still does not solve the problem. I have not seen these additions stop. Ergo, it really isn’t solving the problem yet.
The second problem that I have is that Phil Becker is suggesting that in a significant number of cases organizations have been able “to create a well managed identity data set.” I submit that the identity data foundation at almost all organizations, no matter how much time and money they have spent on identity solutions, is still riddled with problems.
Becker is not being deliberately misleading, but he is ignoring the facts on the ground. These facts are that for the vast majority of organizations, >20% of their legacy login credentials remain active even though the organization cannot determine whom they belong to. His own conference sessions continue to underline this problem.
In the name of getting early successes on identity projects, a subset of data for the easy systems with the easiest politics is being managed by the latest and greatest identity software. However, while all this time and money is being spent, these lost legacy login accounts remain live and are creating a growing risk as the old firewall-based security is broken down by compelling needs to deal with the Internet. Most importantly, the state-of-the-art ‘identity machine’ does not even attempt to address this underlying data clean-up problem.
As identity becomes a central part of the way the internet operates, enterprise identity systems become a vital component in doing business while reducing risk. The data is the foundation of any system. If one in five identity credentials cannot be trusted in your organization, then you can’t trust your identity system, which supports your compliance reports, security, and more.
Like a termite-infested foundation, it needs to be fixed before you put on yet another addition. Cleaning up the underlying legacy data is far more important at this time than tweaking centralizing vs. synchronizing vs. virtualizing and the like.
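As an added illustration (not from Phil Becker's series or this post), the check below reconciles a directory export against an HR roster to measure exactly the problem described above: live credentials that cannot be tied to a current, known owner. The account and roster records are constructed sample data, and the three-bucket classification is my own simplification of what a real clean-up would do.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]  # HR employee id recorded at provisioning, None if unknown
    active: bool

@dataclass(frozen=True)
class Person:
    employee_id: str
    status: str              # "active" or "terminated"

# Constructed sample data: a directory export and an HR roster (not real records).
ACCOUNTS = [
    Account("alice", "E001", True), Account("bob", "E002", True),
    Account("carol", "E003", True), Account("dave", "E004", True),
    Account("erin", "E005", True), Account("frank", "E006", True),
    Account("grace", "E007", True), Account("heidi", "E008", True),
    Account("svc_backup", None, True),      # nobody recorded as owner
    Account("jlegacy", "E042", True),       # owner left the company
    Account("old_mallory", "E009", False),  # already disabled: not a live risk
]
ROSTER = [Person(f"E00{i}", "active") for i in range(1, 9)] + [Person("E042", "terminated")]

def classify_accounts(accounts, roster):
    """Sort live accounts into trusted, departed-owner and unattributable buckets."""
    people = {p.employee_id: p for p in roster}
    buckets = {"trusted": [], "departed_owner": [], "unattributable": []}
    for acct in accounts:
        if not acct.active:
            continue  # disabled accounts are not live credentials
        person = people.get(acct.owner_id) if acct.owner_id else None
        if person is None:
            buckets["unattributable"].append(acct.username)
        elif person.status != "active":
            buckets["departed_owner"].append(acct.username)
        else:
            buckets["trusted"].append(acct.username)
    return buckets

def untrusted_ratio(buckets):
    """Share of live credentials that cannot be trusted to belong to a current person."""
    live = sum(len(names) for names in buckets.values())
    bad = len(buckets["departed_owner"]) + len(buckets["unattributable"])
    return bad / live if live else 0.0

if __name__ == "__main__":
    result = classify_accounts(ACCOUNTS, ROSTER)
    print(result, f"untrusted: {untrusted_ratio(result):.0%}")  # 20% on the sample data
```

On the sample data two of ten live accounts land outside the trusted bucket, the "one in five" figure the post warns about; a real run would feed the departed-owner and unattributable lists into a disable-and-review workflow before any new identity layer is built on top.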
Ironically, doing this would be easier and cheaper and reduce more risk than what organizations are doing now.