Last issue, we examined the difference between what are termed "user-centric" and "enterprise-centric" identity management schemes. Enterprise-centric identity management, we postulated, is really all about tying together all the activities and attributes of a single entity into a readily accessible (and reportable and auditable) form; while user-centric identity is about keeping various parts of your online life totally separated so that they aren't accessible and no report can be drawn. I ended the newsletter by asking if there was a way to unify these two seemingly disparate objectives. And I believe there is.
The user-centric objective I used was an almost direct quote from Microsoft’s Kim Cameron, the godfather of user-centric identity and the instigator of - and great cheerleader for - Microsoft’s CardSpace and the associated InfoCard area of identity management. This has always been considered as a user-centric technology.
But a number of us, including Pamela Project’s Pam Dingle and Microsoft’s Stuart Kwan think that CardSpace belongs in the enterprise. In fact, when the Information Card Foundation was announced last June, one impetus was the perceived need for a “…user-centric identity layer spanning both the enterprise and the Internet.”
So how do we have a framework that allows for both tying together all of a user’s activities (enterprise-centric) while at the same time allowing distinct separation of activities as decided by the user?
We start by defining identity as a group of “personas” (see “Defining identity, persona, role”). Any persona can be made up of a group of personas or roles. Each of those personas can be linked, or separated, as the entity identified by them wishes. One of those personas is (or, rather, could be) an “enterprise persona.” That one brings together “…all the activities and attributes of a single entity” performed for or related to that enterprise “into a readily accessible (and reportable and auditable) form.”
So there is no “user-centric” or “enterprise-centric” identity. There is just an entity with AN identity made up of various personas some of which may be controlled or limited in some way by an outside organization – not only by the enterprise but also by governments, social organizations, etc. The ability to keep these personas separate, where legally able to do so, must be a given. Each persona will have different identity needs and requirements, of course, but that’s what will drive the “identity economy” as vendors seek to satisfy those needs and requirements in accordance with the laws. The government’s laws, the enterprise’s “laws”, the fraternal and social organization’s “laws” and the Laws of Identity as laid down by Cameron.
I’m glad we’ve got that argument solved, not let’s move on to the next big thing.