The foundation for security and enterprise management
Way back in the dark ages, 10 whole years ago, I first wrote about provisioning as the "killer app" for Identity Management. Actually, I called it the killer app for directory services, since the identity management tag hadn't yet been promulgated. In a piece I wrote for Novell's Web site (now, sadly, no longer available), I touted Business Layer's eProvision Employee application and talked about what was to come. Sometimes prognosticators are wrong.
In that article I said “eProvisionware [the name given to provisioning software. It didn’t stick.] doesn't have to stop with employees. Provisioning access for vendors and clients -- for all of your business partners -- is the next step. Eventually, your entire supply chain can be part of the e-provisioning system, allowing secure access where needed, providing resources as needed and maintaining preferences and identities for everyone involved.”
That “next step” was a long time coming. In fact, most would argue that it isn’t here yet. The move to e-provisioning for partners, clients, customers and suppliers was more difficult than we thought and was overtaken by events, specifically the big event of Sept. 11, 2001. The big identity management event, that is: the announcement of the Liberty Alliance and the advent of a new wave of identity federation as a way to connect an enterprise with its partners.
Truthfully, we still don’t have the provisioning of employees down pat. There’s still too much manual labor involved, still too many cracks for people to fall through, too many applications and services which resist efforts to be incorporated into the workflow. Some of that can be attributed to the developments within the provisioning industry – none of the organizations which provided provisioning services at the end of 2001 still exist as independent entities. Mergers and acquisitions take their toll, and “future developments” are usually some of the first casualties. Over the years of the 21st century, external provisioning services remained “pie in the sky” with lots of smoke, plenty of heat but nothing to show.
Some felt that combining employee provisioning services with federated identity services might be the way to go. But the track record there isn’t good, either.
Daniel Wakeman (CIO, Educational Testing Service) in an interview with ComputerWorld magazine last month said “It's a ‘huge shortcoming’ that SaaS [Software as a Service] vendors do not embrace ‘federated identity management’ standards allowing centralized identification and validation of users via a single sign-on process…”
That comment, after being quoted by Quest’s Jackson Shaw, touched off a raucous (well, “raucous” for the genteel world of identity management!) debate in the blogosphere about the pros and cons of “federated provisioning as a service” which bears repeating. Come back next time and we’ll dive right into it.
Upcoming event: Tuesday, Feb. 24, 2009, 2-3pm EST, Aveksa will present a Webinar entitled “Does your Organization have the Right Approach to Roles Management?” With Binod Singh, President & CEO and Co-Founder, Ilantus, Phil Jones, Managing Consultant for Security & Privacy practice, IBM Global Services, and Brian Cleary, VP Products & Marketing, Aveksa. Details and registration at the Web site.
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.