The foundation for security and enterprise management
Another Catalyst Conference is over and done with and, as usual, Mike Neuenschwander, Burton Group vice president and research director, managed to raise my hackles (see “The seven flaws of identity”). Mike’s a very bright guy, and one of the most knowledgeable people in or out of the industry on identity topics, but he does tend toward hyperbole to make his points. This year, it was his references to federation that raised a few eyebrows.
His bullet points?
* You won’t need most of the stuff in a federation product.
* Stick with browser POST architecture, ignore or disable everything else.
* Find some cheap, easy-to-deploy “spokes” or build your own.
* Or just build your own service.
Now I don’t know about your company’s policies, but most places I’ve worked would rather buy a tried-and-true solution than spend months – even years – trying to roll their own. Yes, in-house constructed software is needed, but generally only when what you need isn’t commercially available.
I understand, I think, what Mike was trying to say – federation projects do take on complexities that often aren’t necessary, so simplification should be the order of the day. But doing it yourself doesn’t promote simplification. Rather, it promotes sloppy thinking and insecure systems. You wouldn’t install alpha or beta software in a production system, would you? But that’s what your in-house constructed federation code would be.
Burton Chairman Jamie Lewis made a number of important points that we all need to ponder and incorporate into our own planning:
* Mobile phones and other devices already outnumber personal computers and will continue to expand the margin while identity management of those devices is still in its infancy.
* Computer science is not the only relevant field; social science has a lot to teach us about trust, and how to build it.
* The battle to protect identity information for our generation is over, and we lost. The only real question is whether we can save things for future generations.
The last point is, to me, the most profound – echoing as it does Scott McNealy’s famous line: “You have zero privacy anyway, get over it.” A lot of people are spending a lot of time these days trying to bake in absolute privacy to identity tools, and impeding progress while they do so. We have to make a “best effort,” of course, but we need to move the technology forward without waiting on perfection – which likely will never come.
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.