Wednesday, January 04, 2006

Enterprise Identity - Discussion

After James kicked off the discussion on Enterprise Identity, there has been a lot of input (from Pat Patterson, Johannes Ernst and Radovan, among others) on the various subjects of Enterprise Identity.
I thought I should also chime in, since some of the thoughts James has expressed are similar to ones I expressed earlier on provisioning and repository consolidation, and I wanted to respond to some of the points raised.
So, let's take the points one at a time:
  • Workflow and MOM/ESB - The basic idea is that most enterprises already have a workflow system, and what they need is a set of connectors to a few identity repositories. I know of a similar implementation that I was part of: we wanted to go all the way, with a bunch of workflow engines and connectors in each geographical area, each connected to the others over MOM (the existing ESB was built on MOM). The project failed due to a lot of project management issues (I know how that sounds), and the vendor was brought in to review the design. They told us that we were not using their product the way they intended it to be used, and we took a big rap for that. It was at that point that I realized the existing provisioning products are like the ERP suites that tried to do everything themselves, and we will have to wait a few versions for these vendors to realize that they need to do what they are good at, i.e. creating connectors, and allow an external workflow engine to integrate with their products. Another big issue I have with the vendors' product design is that it has no concept of connectors for groupware, ESB or email systems, which are not exactly resources in the provisioning sense.
    Going back to Radovan's question of where the workflow engine lives: I agree that most of the existing Identity Management systems were built on Lotus Notes-like, document-based groupware, which cannot be called a great workflow engine. BUT the rise of Business Process Management (and existing ticketing systems, to some extent) offers a good choice for most request-based Identity Management workflows and provides a good architecture for integration with third-party systems, including identity management systems.
  • Repository Consolidation - I may be preaching to the choir here, but just to reiterate: whenever a new application comes on board the centralized identity and access management infrastructure, it has a few options, depending on what the team managing that infrastructure is ready to provide:
    • Use the consolidated Repository - This typically means the enterprise LDAP, which applications can leverage for authentication and authorization. An important aspect is how easy it is for an application to come on board, i.e. whether the repository management team provides adequate interfaces for applications to leverage the consolidated repository to the maximum (easy user, group and user-to-group mapping management, with both web-based and web-service-based interfaces).
    • Use a consolidated Authentication point - Most of the time architects are not willing to give applications direct access to the repository stores, or consolidation of repositories is not possible; authentication can then be made available in the form of Web SSO, a Security Token Service (SAML), etc., which applications can leverage to get the work done. Again, unless appropriate and easy application on-boarding, off-boarding and BAU management processes are in place, applications will not want to integrate with such systems. Or, as one application architect told me, "it should be as easy as dropping in a jar file and changing a few configuration settings" (which I guess is the utopia that all cross-cutting concern services want to reach).
    • Use a consolidated Administration point - This should be the last option, reserved for applications that meet specific criteria, such as third-party, legacy or high-volume/high-performance applications (as pointed out by Radovan).
  • Microsoft - After looking at Windows Workflow Foundation, the first thing in my head was: a web interface to Windows Workflow design + MIIS = Provisioning Product. I am sure a lot of Windows shops would look forward to such a product instead of going out and purchasing one from other vendors.
  • Policy Directory (assuming that is what James meant) vs Policy Service - I am a bit confused here, and I think we may have to go back to the same discussion we had about authentication: maybe, at the moment, an Authorization Service makes sense, and later on people can start thinking about a Policy Directory. I think this makes more sense because of the basic fact that authentication (even though it was theoretically the easier task) has taken us so long; I am not sure when we will really understand most of the issues around authorization, which I think is a much larger nut to crack given its sheer size and reach into the application (who wants to decide whether something is business logic or an authorization decision?).
  • Enterprise DRM/Data Privacy - This is an important one that I want to throw back at James, since he raised DRM, and I would like to know everybody's thoughts on the subject. So far enterprises have solved the problem of data access using a wide variety of integration systems (ESB, simple ftp, etc.), and a whole set of laws now require you to make sure you know who is accessing the data and what they are doing with it. Now, how do you build a system that allows you to create a rights management system which can ensure and track this requirement? How are enterprises solving this issue?
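As an added illustration of the first on-boarding option above (an application consuming the consolidated repository directly for authentication and authorization), here is a small example that is not code from the original post. It stands in for an LDAP bind plus group lookup using a constructed in-memory directory; the base DN, user names, group names and the fixed salt are all made up for the example, and a real application would issue bind and search operations against the enterprise directory instead. It also covers the two things an on-boarding team is usually asked about: off-boarded (disabled) accounts must fail to authenticate, and authorization must resolve nested group membership rather than only direct membership.

```python
import hashlib
import hmac

# Fixed salt so the constructed sample is reproducible; a real directory
# stores a random per-entry salt alongside the hash.
_SALT = b"constructed-salt"


def _hash_password(password: str) -> bytes:
    """Salted PBKDF2-SHA256, standing in for the server-side password scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


BASE = "dc=example,dc=com"  # assumed base DN

# Constructed in-memory stand-in for the enterprise LDAP.
DIRECTORY = {
    f"uid=alice,ou=people,{BASE}": {
        "userPassword": _hash_password("correct horse"),
        "accountStatus": "active",
    },
    f"uid=bob,ou=people,{BASE}": {
        "userPassword": _hash_password("battery staple"),
        "accountStatus": "disabled",  # off-boarded user: still present, must not log in
    },
    f"cn=payroll-admins,ou=groups,{BASE}": {
        "member": [f"uid=alice,ou=people,{BASE}"],
    },
    f"cn=finance,ou=groups,{BASE}": {
        # nested group: every payroll admin is also in finance
        "member": [f"cn=payroll-admins,ou=groups,{BASE}"],
    },
    f"cn=all-staff,ou=groups,{BASE}": {
        "member": [f"cn=finance,ou=groups,{BASE}", f"uid=bob,ou=people,{BASE}"],
    },
}

# Characters that would need escaping in an LDAP search filter (RFC 4515).
# The application never interpolates a raw login name into a filter; here it
# simply rejects such values, the safest policy for a login name.
_FILTER_SPECIALS = set("*()\\\0")


def user_dn(uid: str):
    """Resolve a login name to its DN, or None if unknown or malformed."""
    if not uid or any(c in _FILTER_SPECIALS for c in uid):
        return None
    dn = f"uid={uid},ou=people,{BASE}"
    return dn if dn in DIRECTORY else None


def authenticate(uid: str, password: str) -> bool:
    """Equivalent of an LDAP simple bind plus an account-status check."""
    dn = user_dn(uid)
    if dn is None:
        return False
    entry = DIRECTORY[dn]
    if entry.get("accountStatus") != "active":
        return False  # disabled or otherwise non-active entries never bind
    # Constant-time comparison of the stored hash with the hash of the input.
    return hmac.compare_digest(entry["userPassword"], _hash_password(password))


def effective_groups(dn: str) -> set:
    """Transitive closure of group membership (groups that contain groups).
    The seen set guards against membership cycles in the directory data."""
    groups, frontier, seen = set(), [dn], set()
    while frontier:
        current = frontier.pop()
        if current in seen:
            continue
        seen.add(current)
        for gdn, entry in DIRECTORY.items():
            if current in entry.get("member", []):
                groups.add(gdn.split(",")[0][3:])  # "cn=<name>,..." -> "<name>"
                frontier.append(gdn)
    return groups


def authorize(uid: str, required_group: str) -> bool:
    """Group-based authorization; call only after authenticate() succeeded."""
    dn = user_dn(uid)
    return dn is not None and required_group in effective_groups(dn)


if __name__ == "__main__":
    print("alice login:", authenticate("alice", "correct horse"))
    print("alice groups:", sorted(effective_groups(user_dn("alice"))))
    print("alice in finance:", authorize("alice", "finance"))
    print("bob login (disabled):", authenticate("bob", "battery staple"))
```

Note that alice is never listed directly under `cn=finance`; she gets it only through `cn=payroll-admins`, which is exactly the kind of membership an application that checks only the `member` attribute of the target group would miss. Whether nested groups resolve server-side (many directories offer a flag or virtual attribute for it) or client-side as here is one of the interface questions an on-boarding team should answer up front.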

1 comment:

James McGovern said...

Figured I would take the opportunity to answer the last question: "how do you build a system that allows you to create a right management system which can ensure and track this requirement. How are enterprises solving this issue?"

The answer is that 99.9% of all enterprises really aren't solving this issue. The main thing really isn't about building the system but about tagging the data such that it is rights enabled. There are many emerging technologies that enterprises can consider. For example, Internet Explorer will in the future support Rights Managed HTML, where an enterprise could even control the ability of a user to print a screen (yes, they could still point a digital camera at the monitor). Likewise, this same rights management capability will be incorporated in MS Outlook clients so that two parties can securely communicate yet prevent the "forward" button that traditionally allows others to see it.

Two problems though emerge in the above story. First, even savage believers in open source such as myself cannot figure out how to be open and do DRM at the same time. The notion of complying with the various privacy laws and figuring out better ways is resonating more with me than being free (in terms of freedom). The second problem is that none of these technologies support federation.

To be more accurate, enterprises today do have the ability to DRM within a federation for certain things. They could, for example, protect all statements sent electronically to customers by creating them in Adobe PDF and applying DRM capability on top of it. This, though, results in a massive provisioning effort that isn't attractive in the large.

You really need to enable trackback so as to continue this discussion. Go to and enable it for your site...