The identity of things

The importance of knowing who is doing what to which information

There was a subtle theme permeating my discussions with identity vendors at last week's RSA Conference. It didn't come up in every discussion, but it was present more often than not. The "identity of things" - stuff that isn't a person, such as devices, services, applications, etc. - surfaced for public discussion at last year's Catalyst conference when Burton Group CEO Jamie Lewis gave it prominence during his opening remarks, and was the main topic of Chris Stone's (then, Novell vice-chairman) keynote address.

After Catalyst, though, there wasn't the full-blown public discussion of this topic that I expected. Instead, we got caught up in trying to define "identity" itself. But two seemingly quite different technology drivers brought us back to the identity of things as a major discussion topic at the RSA Conference.

It's a given in the identity business that Web services are architected on an identity foundation. It's also fairly evident to all that identity is the basis of regulatory compliance. But it's becoming more apparent all the time that it's not just the "who" identity that is important, but also the "what" and the "where" (i.e., the platform that the "who" uses to do the "what").

In order to deliver Web services properly, the provider needs to know the user, the user's permissions, the user's capabilities and the user's needs. The "needs" include precise data on the service, its version and its optional components. The "capabilities" reflect the hardware platform the user will use the service on.

In order to correctly log and audit activity for regulatory purposes, the compliance service needs to know precisely who is doing what to which information and where that activity is occurring. All of this requires that we can easily, automatically and uniquely identify the services, applications, and platforms that are being used as well as the attributes of each that are necessary to make a decision (for Web services) or satisfy a policy (for regulatory compliance).

Identifying devices is an outgrowth of both manufacturing and inventory control. A manufacturing bill of materials could be considered an identity document (with a serial number as a unique identifier) containing a list of attributes (the parts specifications) for an identified "thing." Inventory control, carried to its limits, uniquely identifies not only each desk in an organization but each drawer in each desk - and possibly each pencil in each drawer.

Less tangible items, such as applications and services, don't have quite the same legacy of identity. There's versioning, but that doesn't identify a specific instance, just the general code. Each instance of a non-trivial service or application will also include parameters unique to the time, place and users involved in its execution. A full-blown identity management solution will have to understand that it's no longer just about people. While personal identity will remain important, a new superset of identity will emerge. Prakash Ramamurthy, senior vice president, products and technology at Oblix, called this "entity identity" (and he said that with a straight face), and that'll do for the time being. But I expect you'll be hearing a lot more about the identity of things in the next few months, whatever we decide to call it.
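To make the "who, what, where" requirement from the compliance paragraph and the "version is not an instance" point above concrete, here is an added example (not code from the column or from any vendor it mentions) that models a user, a device and a service instance as separate identities, evaluates a simple policy over all three, and emits an audit record that names each of them. The resource names, roles, policy rules and sample identities are constructed for illustration.

```python
"""Added example: "entity identity" for a policy decision and its audit trail.

A service's code identity (name + version) is separated from its instance
identity (instance id, start time, host), and a device has a serial number
plus attributes, mirroring the bill-of-materials idea in the column.
All names and values below are constructed, not taken from any real system.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import uuid


@dataclass(frozen=True)
class UserIdentity:
    user_id: str
    roles: frozenset


@dataclass(frozen=True)
class DeviceIdentity:
    serial: str      # unique identifier, like a manufacturing serial number
    platform: str    # attribute: hardware/OS class the "who" uses
    managed: bool    # attribute: device is under the organisation's control


@dataclass(frozen=True)
class ServiceInstance:
    name: str        # code identity: which service
    version: str     # code identity: which release of the code
    instance_id: str  # instance identity: this particular execution
    started_at: str  # instance identity: when it came up
    host: str        # instance identity: where it is running


def new_service_instance(name: str, version: str, host: str) -> ServiceInstance:
    """Mint an instance identity for one execution of a versioned service."""
    return ServiceInstance(
        name=name, version=version, instance_id=str(uuid.uuid4()),
        started_at=datetime.now(timezone.utc).isoformat(), host=host)


# Constructed policy: who may do what, through which service, from which kind
# of platform. Keyed by the information resource being acted on.
POLICY = {
    "customer-records": {
        "roles": {"analyst", "auditor"},
        "require_managed_device": True,
        "approved_services": {("records-api", "2.1")},
    },
}


def decide(user: UserIdentity, device: DeviceIdentity, service: ServiceInstance,
           resource: str, action: str):
    """Evaluate the policy and return (allowed, audit_record).

    The audit record always carries the user, the service instance and the
    device, so a reviewer can reconstruct who did what to which information
    and where, whether or not the request was allowed.
    """
    rule = POLICY.get(resource)
    reasons = []
    if rule is None:
        reasons.append("no policy for resource")
    else:
        if not (user.roles & rule["roles"]):
            reasons.append("role not permitted")
        if rule["require_managed_device"] and not device.managed:
            reasons.append("unmanaged device")
        if (service.name, service.version) not in rule["approved_services"]:
            reasons.append("service not approved")
    allowed = not reasons
    record = {
        "when": datetime.now(timezone.utc).isoformat(),
        "who": {"user_id": user.user_id, "roles": sorted(user.roles)},
        "what": {"action": action, "resource": resource},
        "via_service": {"name": service.name, "version": service.version,
                        "instance_id": service.instance_id,
                        "started_at": service.started_at},
        "where": {"device_serial": device.serial, "platform": device.platform,
                  "managed": device.managed, "service_host": service.host},
        "decision": "allow" if allowed else "deny",
        "reasons": reasons,
    }
    return allowed, record


if __name__ == "__main__":
    alice = UserIdentity("alice", frozenset({"analyst"}))
    laptop = DeviceIdentity("SN-0001", "laptop/windows", managed=True)
    phone = DeviceIdentity("SN-0002", "phone/android", managed=False)
    api = new_service_instance("records-api", "2.1", "app01.example.internal")
    for dev in (laptop, phone):
        ok, rec = decide(alice, dev, api, "customer-records", "read")
        print(rec["decision"], rec["reasons"], rec["via_service"]["instance_id"])
```

Two executions of the same `records-api` 2.1 binary get different `instance_id` values, which is exactly the distinction the column draws between a version and an instance; the audit record ties the decision to the specific instance rather than only to the code.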

Learn more about this topic

Extending identity management's realm

Network World, 02/14/05
