On the Front Lines of Identity Management
There have been a number of changes in the Identity Management space recently, ranging from the renaming of InfoCard to CardSpace http://msdn.microsoft.com/winfx/reference/infocard/default.aspx through to the most recent acquisition of RSA by EMC (more on this once the dust has settled) http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001534, but there still seems to be a great disconnect between Identity Management in the technology space and the way we deal with identities in the real world.
In the real world we (mostly) live in communities, and these communities are built around relationships between people and the privacy, trust, secrecy, accountability and reputation of the individuals involved. In the technological world, whilst such communities are developing, this is not happening, and there is no real sign of it.
Why is it that, 13 years on from trying to set up real trust models in the form of Trusted Third Parties, we are still in the position which Peter Steiner outlined with his cartoon: "On the Internet, nobody knows you're a dog."
We need to bear in mind, however, that we are still in a position where, in the real world, nobody knows either. Take for example the latest bank manager who embezzled £21 million over 5 years, and during that time was nominated as Manager of the Year! http://www.moneyweek.com/file/14565/bank-manager-jailed-for-10-years.html
We need to get the industries we deal with on a day-to-day basis to stop thinking about Identity Management purely in technical terms, as a way of decreasing the number of user repositories they have and the number of logons their users have, and to think about it more in real-world terms. The solutions for this exist; people just seem to be missing the point and dragging things back into the technological pit.
Having spent the last couple of weeks travelling around and speaking with a lot of customers, I find myself in a bit of a dilemma when it comes to Federation. To hark back to my initial entry on terminology: what is Federation? In very simple terms, Federation is a way of sharing identity information about a person between two or more organisations. Ultimately this is something which is beneficial to the person who owns the identity (through experience), and also beneficial to the organisations (financially, usually), in much the same way as BSM.
If we just think about it, in our normal day-to-day lives we would not be able to manage without some form of federation. By that I mean that there are trust relationships which we have with one organisation or body and which are trusted by another. I know I couldn’t manage without my passport, a standard document which is approved and given to us by an issuing body, and which other immigration services are able to understand and therefore allow us through.
The underlying principle being used here is trust: trust that I have come from the country I say I have come from, and trust between the two countries. The same principle is used in our technological world, which allows one organisation to tell a partner organisation who I am and that it’s OK to trust me.
All sounds good so far, so where’s the dilemma? The dilemma lies in that small little word “trust”. Easy to say, hard to both earn and define. Trust is something that often does not go hand in hand with financial gains and losses. The underlying backbone of Federation is the trust policies which are set between organisations. Yes, the technology exists, but if we remember back to the heady days of 1999/2000, PKI existed as a great technology which would solve all our security issues, yet the lack of trust between organisations slowed down its uptake by 5 or 6 years.
I would like to think that we have all learned a lot from this. Early adopters of any technology always exist and can benefit massively from the new business which comes from it, but it only takes one bad experience to leave the trust policies in tatters.
My overall feeling about Federation is that we have a technology in our hands that has been driven out of the ultimate necessity for companies to find new ways to drive more business, and that we from the technological world need to help those in the legal/business world to deploy it successfully. We all learned lessons 5 or 6 years ago; it would be foolish to forget them!
_____
Hi there. As the first entry in this Identity Management focused blog, I’d like to introduce myself and share a little on what content and thoughts you can expect me to be delivering over the coming months. Who am I, and what am I doing writing a blog?
My name is Phil Allen and I am a Senior Consultant with the EMEA Identity Management team at BMC Software. I started my work in IT in support, where I learned that customers are the most important people we deal with on a daily basis (a point which I feel is often overlooked), and I then moved into direct customer-facing roles, working with customers to identify their needs and help them meet their business requirements. Having worked for the last 8 years helping customers adopt what has more recently become known as Identity Management, I hope to share my experiences of the issues and the solutions in this ever-changing arena.
Why a blog? At first I thought this was an easy answer: express my views, share my thoughts, voice my concerns. But then I thought further and deeper. Being a person who has always expressed my views, I am a firm believer that if you think something should be said then say it. So the overall reason for starting this is to provide a forum through which open discussions and thoughts can start.
Terminology. As a starting point, in the Identity Management market one of the real bugbears customers have to deal with on a daily basis is terminology. As IdM has developed, so has conflicting, confusing terminology, which has served only to alienate providers of solutions from their customers and to frighten people into thinking that they need to be a nuclear physicist in order to secure / enable their business. Would an organisation like Single Sign On, Simplified Sign On, Reduced Sign On, Password Synchronisation, Automated Log On, etc.? We are all responsible for providing clarity over the solutions which are provided, and for using real-life terminology. Although this is a market which has been around for 10 years or so in one guise or another, it is still developing and changing on a regular basis with new acquisitions and restructures, all of which bring their own terminology. I feel we are at the stage in the market where we need some clarity around terminology, so that the consumers of the technology can understand which components they need to suit their business requirements. When does Access Control relate to the enforcement of access, and when does it relate to the correct role management of an identity, thus leading to the user’s account being created with the correct access rights?
I see a simplification of the vocabulary we use being forced upon solution providers, both by the customers we work with and also by our colleagues who are entering the market place. Identity Management can really be seen as: central management and enforcement of access control for business-critical applications, for both internal and external users; automation, to ensure these controls are in place at each separate application; and audit of the entire solution. This has the overall effect of reducing costs in the business, improving the experience of the IT infrastructure for both end users and administrators, and reducing risk in the business by preventing users gaining access to systems they either no longer need access to, or should never have had access to in the first place.
I trust this first entry provided some food for thought, and a little insight into future content. I am aware that this will be read by those who have been in the industry for a while as well as those new to Identity Management, and I will try to cover both of these poles. I look forward to receiving your comments/thoughts.