Friday, May 25, 2007

Tenets of Identity Management

A little while ago I finished a white paper I titled "Tenets of Identity Management". I've recorded a 3-part podcast on to go along with the white paper. Part #1 of the "Tenets of Identity Management" podcast has just posted on the Quest web site. I invite you to take a look at the white paper or the podcasts as they post. I'll let you know when the next parts of the podcast post.

Here's the first tenet...

1. Identity Management—Everyone defines it differently

The first thing you should recognize—if you haven’t already—is that the term “identity management” is very overloaded. If you ask 10 people to define identity management, you will get more than 12 definitions—guaranteed. One of your most critical tasks is to clearly define what identity management means to your company within the context of what you are trying to accomplish.

After you have defined identity management in the context of your company, you must get “buy in” from your colleagues, and more importantly, your sponsors, and management. Rest assured, someone will believe that single sign-on, password synchronization, or provisioning of office furniture will be part of your project if you don’t define and announce it!

Here’s an example from an identity management vendor: “Oracle Identity Management allows enterprises to manage end-to-end lifecycle of user identities across all enterprise resources both within and beyond the firewall. You can now deploy applications faster, apply the most granular protection to enterprise resources, automatically eliminate latent access privileges, and much more.”[1]

What worries me about this definition is the “and much more” phrase. Rest assured that one of your senior executives will decide what that means and you will soon be traveling the corporate road to perdition[2].

In the spirit of fair play, here’s another example: “Novell® Identity Manager is an identity management solution that automates user provisioning and password management throughout the user lifecycle—delivering first-day access to new users, modifying or rescinding access as necessary across all systems, and synchronizing multiple passwords into a single, strong password.”[3]

Notice any differences? Oracle’s definition implies that they can handle “resources both within and beyond the firewall”. Novell’s definition doesn’t seem to address identity management beyond the firewall but it synchronizes multiple passwords into a “single, strong password”. If you look further, you’ll see that the definitions that BMC, Computer Associates, IBM, and Microsoft use are all different in subtle and not-so-subtle ways.
You have identified a problem in your company and you have concluded that the problem is related to what the industry is calling “identity management”. You must clearly define in your project documents exactly what identity management means within the scope of your problem and proposed solution. If nothing else, it will help to prevent scope “creep” and will serve to ensure success once you’ve completed your work.

[1] Dec. 9, 2006 -
[2] Perdition–a state of punishment which goes on forever.
[3] Dec. 9, 2006 -

Technorati Tags:

No comments: