By now I’ve written 6 articles on the subject of Identity Management. I’ve also joined several LinkedIn groups on the subject and I read a lot of security-related articles about it. It’s not very surprising that my views on the subject differ a bit from most, since I’m trying a novel approach. Eventually I plan to start a project based on my findings and on feedback from other thinkers. It’s never good to start any project without first understanding what’s already out there.
With ‘what’s out there?’ I mean two different things:
- What is the mindset of IdM people?
- What are the tools that implement this mindset?
Mindset
In an article I published last night I already mentioned that the security colleagues who loudly object to Mark Zuckerberg’s recent statement that ‘people do not want privacy’, as well as a lot of people in the IdM world, may very well be wrong in their assumptions about what people want and what’s useful. The reactions to the article on security.nl on the subject are in Dutch and I’m not going to translate all of them here, but some of them are very illustrative of the mindset of the security-aware professionals on security.nl:
- People who make themselves public on the net are too dumb to take a crap
- Facebook: People don’t want privacy / Security Professional: People don’t want facebook!
That is just to illustrate how strongly security people object to sharing information. I also glanced over a discussion on ‘Managing Identities in a Cloud’ on LinkedIn. Some quotes:
- enterprises see a difference in subscribing to cloud services and managing identities.
- Enterprise identities are strategic assets
- Cost benefit has to exceed the risk of information leaking
Mind you, the people reacting in the LinkedIn discussion probably share the mindset of the people reacting to Mark Zuckerberg’s statement. So dare I make a bold statement here and combine some of the above into one?
People who allow the company they work for to keep their identities as a strategic asset are too dumb to take a crap.
While said security officials will often claim that sharing information online is dangerous, the same security officials are typically the people who want to be efficient inside a corporate environment and tie all your company assets together into one, so that helpdesks do not get overloaded with password reset requests for all the different subsystems. They want you to share your information in one huge corporate database so they can use that information to do proper authorization management.
So yes, I’m taking a stand against the opinion of many security and IdM people that sharing information on the internet is a bad thing, with some hesitations which I’ll explain later. Why? Because the results of that mindset have brought us to the sorry state the internet is currently in. The lack of a uniquely identifiable identity on the internet, as well as the hoarding of identities inside corporate databases, is in my opinion part of the problem and not of the solution. There used to be a saying among security officials:
Security through obscurity does not work!
Available Tools
There are many IdM tools in the market. Some of them are even open source. BMC, Novell and Identity Manager from IBM/Tivoli, along with new companies such as Access360 (which was purchased by IBM last September), Courion, Oblix and Waveset Technologies streamline the costly and cumbersome process of giving new employees identities and access rights, and changing access rights for employees who change roles in the company.
Did you notice the italics in the above paragraph? I’m just trying to make my point here about why I am taking a stand against the prevailing opinion. Neither companies nor tools should ‘create identities’. Our identities exist; tools may try to recreate them based on second-hand data, but those identities are still a mere copy of our real identity. With copies, as with double bookkeeping, things can go wrong, and they often do! In the past I have worked as a consultant for a big client that kept track of things like my date of birth. The first time I worked for them they made a typo in my birth date. The second time I worked for them they typed in my birth date to check if I already existed in their system, the system told them I didn’t, and so they created yet another identity for me.
Currently we really see two distinct processes: the provisioning of identities and the maintenance of authorizations.
These processes get repeated over and over throughout corporations, each one constantly provisioning its identity database with new or changing identities. What if we could skip the entire provisioning process and stick only to what really matters to the company, authorization to resources (or not)?
Imagine that the internet identity is established, connected through the earlier described methods with offline identity attributes to an individual, who determines for themselves whether somebody on the internet is allowed to see any of their identity attributes (IAs). We would reduce an enormously expensive and error-prone process to 0! All that would need to be done is to make IT systems “Internet Identity Aware”; when a new person joins the company we ask them ‘what’s your internet identity?’ and grant authorizations to that identity. We’re not just talking about a nice little new mousetrap here, we are talking about massive savings.
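As an added illustration that is not part of the original article (nor code from any product named above), the following Python sketch contrasts the two models: a provisioning directory that keeps a local copy of each person and looks people up by copied attributes, and an authorization store that keeps no copy at all and keys grants on an external identity. It assumes the internet identity can be represented as a stable (issuer, subject) pair, such as an OpenID Connect provider issues; the sample identity, the resource names and the birth-date typo scenario are constructed for the example, and the binding of offline identity attributes to that identity is left out of scope.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# --- Model 1: provisioning (the status quo criticised above) -----------------
# Each company recreates the person from second-hand data. Lookup is by the
# copied attributes, so a single typo produces a second "identity".

@dataclass
class LocalIdentity:
    name: str
    birth_date: date
    roles: Set[str] = field(default_factory=set)


class ProvisioningDirectory:
    def __init__(self) -> None:
        self._records: List[LocalIdentity] = []

    def find(self, name: str, birth_date: date) -> Optional[LocalIdentity]:
        for rec in self._records:
            if rec.name == name and rec.birth_date == birth_date:
                return rec
        return None

    def provision(self, name: str, birth_date: date, roles: Set[str]) -> LocalIdentity:
        """Reuse a matching copy if one exists, otherwise create a new one.
        A mistyped attribute on either side defeats the match (duplication hazard)."""
        existing = self.find(name, birth_date)
        if existing is not None:
            existing.roles |= roles
            return existing
        rec = LocalIdentity(name, birth_date, set(roles))
        self._records.append(rec)
        return rec

    def count(self) -> int:
        return len(self._records)


# --- Model 2: "Internet Identity Aware" authorization ------------------------
# The company stores no copy of the person, only grants keyed by an external,
# stable identifier. Assumed shape: (issuer, subject), as carried in an OpenID
# Connect ID token. There is no copied attribute to mistype.

InternetIdentity = Tuple[str, str]  # (issuer, subject) -- an assumption of this example


class AuthorizationStore:
    def __init__(self) -> None:
        self._grants: Dict[InternetIdentity, Set[str]] = {}

    def grant(self, ident: InternetIdentity, resource: str) -> None:
        # Idempotent: granting twice leaves exactly one grant.
        self._grants.setdefault(ident, set()).add(resource)

    def revoke(self, ident: InternetIdentity, resource: str) -> None:
        self._grants.get(ident, set()).discard(resource)

    def is_authorized(self, ident: InternetIdentity, resource: str) -> bool:
        return resource in self._grants.get(ident, set())

    def resources_for(self, ident: InternetIdentity) -> FrozenSet[str]:
        return frozenset(self._grants.get(ident, set()))


def demo_provisioning_duplicate() -> int:
    """Replays the birth-date typo story: two engagements, two records for one person."""
    directory = ProvisioningDirectory()
    # First engagement: the clerk mistypes the day (constructed: 1970-01-02 instead of 1970-01-20).
    directory.provision("J. Doe", date(1970, 1, 2), {"consultant"})
    # Second engagement: the correct date is entered, no match is found, a duplicate is created.
    directory.provision("J. Doe", date(1970, 1, 20), {"consultant"})
    return directory.count()  # 2 records for one real person


def demo_identity_aware() -> FrozenSet[str]:
    """Same two engagements, but the company only manages grants on the person's identity."""
    store = AuthorizationStore()
    me: InternetIdentity = ("https://idp.example", "user-123")  # constructed sample identity
    # First engagement: ask "what's your internet identity?" and grant what the job needs.
    store.grant(me, "timesheets")
    store.grant(me, "project-wiki")
    # Engagement ends: revoke, nothing to de-provision.
    store.revoke(me, "project-wiki")
    # Second engagement: no re-provisioning, the identity is the same one as before.
    store.grant(me, "timesheets")
    return store.resources_for(me)


if __name__ == "__main__":
    print("provisioning model, records for one person:", demo_provisioning_duplicate())
    print("identity-aware model, current grants:", sorted(demo_identity_aware()))
```

The point of the sketch is what the second store does not contain: no name, no birth date, no copy of anything the person already holds elsewhere, so there is nothing to drift out of sync and nothing to leak from the corporate database beyond the list of grants itself.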
There are some rather provocative statements in this article if it is not read in the proper context. If you’re a fellow security expert who feels irritated by some of my remarks, I invite you to read the previous articles I’ve written on the subject to understand more clearly what I’m talking about. I welcome security and IdM experts who would like to think along on the subject!