How we did with our identity management resolutions

The year in identity management

Security Identity Management Alert By Dave Kearns, Network World
January 03, 2005 10:53 AM ET

The foundation for security and enterprise management

The old year has passed and a new one has dawned. Yet, we can never really discard the old year (as we can throw away the calendar) because its legacy lives on into the New Year. Still, each new year brings hope for a better life and to mark this hope we make New Year's resolutions - vows to better ourselves in some way. Last January, I offered three possible resolutions for the identity management industry - let's take a look at how well they were kept.

1.) We need to consolidate standards as well as vendors. While electronic provisioning, for example, fueled the identity management revolution, it's time to move beyond that particular niche. Provisioning is now only a small part of the entire identity management spectrum and needs to be integrated as part of vendor offerings.

Consolidation has been happening, although it was slow going for much of the year. Sun and Microsoft have launched a cooperative venture in support of Web services that presages better alignment of WS-Federation and the Liberty Alliance specification. This will be helped enormously by IBM's actions both in joining Liberty as well as taking on the task of implementing (using the Liberty spec) federation for France Telecom. Industry consolidation was typified by Computer Associates' buyout of Netegrity, HP's acquisition of TruLogica and Oblix' grab of Web services vendor Confluent Software. Looks like people were listening to me on this one.

2.) Privacy needs to feature more prominently as a major factor in identity management. Too often in the past, we've relied on the difficulty of retrieving information to act as a barrier to its accessibility. Computers, online databases and vastly improved search facilities make all data easier to find for even the most casual searcher. Those with nefarious ideas and stronger motives can compile remarkably complete dossiers on just about anyone in a matter of hours - or even minutes. We need to strive to enable data owners to have the power of informed consent when revealing information while still allowing authorized access to necessary information on an "as-needed" basis. It is a tightrope to walk, or perhaps more like a minefield, but privacy needs to be considered now before the backlash is upon us.

Privacy was important this past year, but no one has yet figured out how to respect privacy while providing easy access to data. Kim Cameron's Laws of Identity (which might better be called laws FOR identity) go a long way toward defining how applications and services should act. If you haven't yet looked at the Microsoft identity guru's foray into standards setting, check out the laws (http://www.identityblog.com/stories/2004/12/09/thelaws.html). It's something the whole industry should do, as there wasn't enough done in this area the past year. Some good strides were made in auditing data access and change, in line with regulatory requirements, but a lot more needs to be done. We get only partial credit for this one.

3.) Ordinary users need to be empowered to control and maintain their own data consistent with prudent and legal practices (you don't, for example, let users change their medical or banking records). Self-service for as much identity information as possible will go a long way towards winning the grudging acceptance of identity management by the great mass of people who, at heart, distrust computers, programmers, IT departments and vendors. Along with the empowerment, of course, we need to provide a strong education initiative to teach people how to use that power effectively and securely.

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
