The Identity Management Mess
You know whenever I think about Identity Management, I always think of a big political and technology mess. I'm sure many others do too. For if there wasn't an Identity Management mess, we wouldn't have products and technologies like Identity Integration Server (Microsoft), Java System Identity Manager (Sun), WS-Federation, SiteMinder (Netegrity), COREid (Oblix), and many more.
Why has it come to this? Well, I think it comes from the general chaos of software development. Every time we write a new piece of software, we always seem to introduce a new primary key (please excuse my SQL lingo) to identify a unique identity. From there, our ID management nightmare begins. The nightmare only gets more intense when we need to link/sync/etc. identities from one system with another. This is why the products and technologies listed above were created to help sort the whole thing out, but make no mistake that using an off-the-shelf product or technology is only part of the answer. This is because, by the time an organization decides it is important enough to invest in an identity management solution, the mess has already gotten out of control.
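To make the "new primary key per system" problem concrete, here is an added example (not code from the original post or from any product it names). It takes three constructed identity stores, an HR system keyed on employee_id, a directory keyed on sAMAccountName, and an outsourced payroll keyed on vendor_id, and tries to link them on the only attribute they share, the e-mail address. The point it shows is how quickly the link becomes ambiguous (one person, two directory accounts) or produces orphans (a paid identity HR has never heard of, a service account with no owner). The field names and the assumption that HR is authoritative are mine, not the post's.

```python
"""Added example: correlating identities across systems that each mint their own primary key.

All records below are constructed sample data, not real accounts.
"""
from collections import defaultdict

# HR is treated as the authoritative source (an assumption); its key is employee_id.
HR_RECORDS = [
    {"employee_id": "E1001", "name": "Ana Silva", "email": "Ana.Silva@Example.com"},
    {"employee_id": "E1002", "name": "Ben Okafor", "email": "ben.okafor@example.com"},
    {"employee_id": "E1003", "name": "Chen Wei", "email": "chen.wei@example.com"},
]
# The directory keys on sAMAccountName and stores e-mail in "mail".
AD_RECORDS = [
    {"sAMAccountName": "asilva", "mail": "ana.silva@example.com"},
    {"sAMAccountName": "bokafor", "mail": "ben.okafor@example.com"},
    {"sAMAccountName": "bokafor2", "mail": "ben.okafor@example.com"},  # second account, same person
    {"sAMAccountName": "svc_backup", "mail": None},  # service account, no human owner recorded
]
# An outsourced payroll system keys on its own vendor_id.
PAYROLL_RECORDS = [
    {"vendor_id": "P-77", "email": "ana.silva@example.com"},
    {"vendor_id": "P-78", "email": "chen.wei@example.com"},
    {"vendor_id": "P-79", "email": "dana.lee@example.com"},  # paid, but unknown to HR
]


def normalize_email(value):
    """E-mail is the only attribute all three systems share; compare it case-insensitively."""
    if not value:
        return None
    return value.strip().lower()


def index_by_email(records, email_field):
    """Group records by normalized e-mail. Keeping a list per key keeps duplicates visible."""
    index = defaultdict(list)
    for record in records:
        index[normalize_email(record.get(email_field))].append(record)
    return index


def correlate(hr, ad, payroll):
    """Link each HR identity to its directory and payroll records.

    Returns a report with three buckets:
      linked     - HR identities with at most one match per system
      ambiguous  - HR identities matching more than one record in some system
      orphans    - directory/payroll records with no HR identity behind them
    """
    hr_idx = index_by_email(hr, "email")
    ad_idx = index_by_email(ad, "mail")
    pay_idx = index_by_email(payroll, "email")
    report = {"linked": {}, "ambiguous": {}, "orphans": {"ad": [], "payroll": []}}

    for email, hr_recs in hr_idx.items():
        ad_matches = ad_idx.get(email, []) if email else []
        pay_matches = pay_idx.get(email, []) if email else []
        # More than one record anywhere means we cannot say which account is the person's.
        if email is None or len(hr_recs) > 1 or len(ad_matches) > 1 or len(pay_matches) > 1:
            report["ambiguous"][email] = {
                "hr": [r["employee_id"] for r in hr_recs],
                "ad": [r["sAMAccountName"] for r in ad_matches],
                "payroll": [r["vendor_id"] for r in pay_matches],
            }
            continue
        report["linked"][hr_recs[0]["employee_id"]] = {
            "ad": ad_matches[0]["sAMAccountName"] if ad_matches else None,
            "payroll": pay_matches[0]["vendor_id"] if pay_matches else None,
        }

    # Anything downstream whose e-mail HR does not know is an orphan:
    # a leaver, a contractor, or an account that never had an owner.
    known = {email for email in hr_idx if email is not None}
    for email, recs in ad_idx.items():
        if email not in known:
            report["orphans"]["ad"].extend(r["sAMAccountName"] for r in recs)
    for email, recs in pay_idx.items():
        if email not in known:
            report["orphans"]["payroll"].extend(r["vendor_id"] for r in recs)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(correlate(HR_RECORDS, AD_RECORDS, PAYROLL_RECORDS), indent=2))
```

Run as a script it prints the report; on the sample data two people link cleanly, Ben Okafor lands in the ambiguous bucket because two directory accounts carry his e-mail, and the backup service account plus payroll record P-79 come out as orphans. Every one of those cases is a decision for a data owner, not a developer, which is the political half of the mess described above.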
The mess that I refer to isn't just the numerous systems that contain identities (not all of them unique either) or even the various platforms, protocols, and APIs needed to access that information. I'm referring to the number of organizations and politics that "own" pieces of the data. Day-to-day business decisions, boundaries, and politics seem to be the biggest barrier to getting an identity management solution executed. And it's not just because some people can't let go of their control of the data (but it IS a big part of it); it's also because there isn't anyone (or any team) within the organization who knows where all the data is or who owns the data (and why they own it).
Now, even once you fight through all of the political and business issues, there is still the large task of choosing the right technology strategy to implement. Each technology has its pros and cons, but they have something in common: System Integrators. This is due to the fact that you can't just drop an Identity Management product in on day one and link all of your back-end systems, and perhaps external data (e.g. outsourced payroll systems), with little to no integration. Sure, an organization may have some talented developers and engineers, but do you really want to focus them on fixing your Identity Management problem when they could be developing new solutions to drive business? Yeah, I didn't think so. So this is where an SI with the expertise to connect your systems together comes in. But even this is just another small baby step.
In order to best leverage your investment, all new third-party products that are purchased should integrate into your environment by the time the service is put into production. This will remove, or at least greatly decrease, the integration/migration woes when connecting with your now existing Identity Management (IdM) solution. But this is not likely to happen. Why? By the time the IdM solution is in place, it has become an important part of the core back-end system processing, which also means that we have now centralized the IdM solution. To be as kind as possible, we've just made a new king or committee that "Safe-Guards" the system. Hence, we've just created a new bureaucracy.
So now, a local IT person deploys a new software package (off-the-shelf product, custom software, etc.), it becomes popular, and when it reaches the point where it now needs to integrate with the IdM solution, it's time to place another call to your System Integrator. Even when an organization has an IdM solution, there will always be applications that are created and deployed without the IdM in mind.
There are a few things that could have made this scenario a bit easier.
- What if the product shipped with a "plug-in" to a given IdM product? That sounds great if there were only one IdM product on the planet (I know my friends at Microsoft are hard at work on this one :) ). But with so many vendors, I think software product companies are staying away from investing in this right now.
- Perhaps another Industry Standard? Perhaps this could be a solution, but
- Keep your favorite Systems Integrator (eQuest) on speed dial. This is today's Status Quo, but without the above options really being implemented throughout the industry TODAY, this is really the only option available.
So, if you're starting to see that your organization might have an Identity Management issue, you probably already have one. (Another shameless plug coming.) When you call your System Integrator, like eQuest Technologies (there it was), you should keep in mind that you'll need to have many of your business issues worked out prior to picking the right technology. This can be done either before or together with your SI.
Conrad's stream of consciousness is now over (lucky you!). More later...
Conrad Agramont, Senior Architect, eQuest Technologies, conrada@eqinc.com