Identity Management

The concept of identity management in the physical world is strongly linked to context and relationships. When computers and the services they support seek to interoperate, the incorporation of identities becomes important. In the future, most apps will take advantage of identity information for security, billing, and recognition of friends, family, and consumers as well as for conducting activities in our daily lives that extend past commerce and touch political and social interactions. The architects of the world will struggle to unify and make consistent the accuracy of identity information. This is primarily a result of several opposing factors:

Part of the problems in creating a ubiquitous identity-management approach is tied to governmental regulations and friendly neighborhood ambulance chasers (e.g. lawyers). Today, no legal precedent states who is responsible for errors, omissions, quality control and assurance, redundancies, and dispute resolution. Many systems have been created (some are still being created this way) that introduced their own notions of a user, password, and authorization scheme. Other apps within an organization, such as a payroll system, maintained detailed, accurate information about users, was just records. One of the evolutions in information technology encouraged architects to think about process and not data. While this provided some benefit, today we are left with databases that apps simply manipulate.

Storing information in a database is simple. The industry understands rules of normalization (not always practiced), but bridging authenticated identity real-time is not yet fully realized. The ideal situation would be, in real time, to authorize or deny access to a user, to treat a referred customer as a welcome guest instead of a stranger, or even to globally revoke all access immediately to fired employees (Sun has mastered this). These are some of the potential issues an identity management architecture can solve. Identity management permits creating flexible definitions for people and things, such as classes or groups, that permit attaching policies or drawing conclusions. Many of us have moved physically from one place to another and taken items with us. Likewise, in a digital sense, electronic users will want to take information with them.

Components of Identity Management

The infrastructure components that constitute identity management include a data store (usually a directory or relational database) and processes that read and update the data, such as authentication and authorization that provide access control to a resource. A directory such as LDAP is a significant component in identity management but is not the last stop. The directory can provide a central place to store credentials but still allow authentication and authorization policies to be embedded in an app. The ideal scenario is to externalize these rules so that they can be executed anywhere, including in an app or by a centralized security service.

An identity management solution allows an architect to simply plug in a separate authentication layer without having to reinvent the wheel. This allows each app to have its own authentication rules without having to create its own authentication mechanisms. Identity management allows authentication systems to interact in a federated manner. This approach also becomes the first step in enabling single sign-on. The ability to be authenticated once and have a different authorization service for each resource ensures that personal information is not being passed. This process also allows the ability to specify explicitly what data can be passed from one resource to another, adding another level of security.

The Next Minute

Web services will enable many people and systems to be discoverable and knowable. These entities' visibility will increase; they will not simply disappear into cyberspace, as they do today. The actions and interactions of people and systems will persist, and architects will be called on to categorize, visualize, and filter knowledge, not simply store it. Individuals will control their identities in the same manner as they control their finances, most likely using third parties in the same manner a bank holds money. This relationship will extend to their software.