In today’s interconnected world, we’re being forced to re-think what identity means and to adopt entirely new models for managing it. One thing’s for sure: it’s no longer confined to inside the walls of the enterprise. The lines between internal and external data ownership are blurring. In this, our third post in the series, we’ll delve a bit deeper into what these external identities look like to help us understand the implications for IT.
Let’s start by reviewing the old model. Traditionally, all identity data was internal – each application or service stored and managed all the user information it needed – completely self-contained.
But “self-contained” is really just a nice way of saying “silo.” We encounter these identity silos all the time. A large corporation may have dozens, the result of mergers and acquisitions or through the independent initiatives of multiple lines of business. We see it among business partners in value chains – retail partners, ISVs, distributors, etc. We see it in government where various departments – DMV, tax collector, police department, social services, etc. – all separately collect and manage overlapping data on the same set of users.
For companies, these identity silos are costly to build and maintain – the duplication of capabilities and data is highly inefficient, and synchronizing changes across silos is difficult or impossible. They limit visibility and insight. It’s difficult to recognize an individual customer across services, for example – what looks like 10 different users is often the same person.
New cloud-based identity and access management (IAM) models have emerged to address these issues, powered in large part by two key technologies: virtual directories and identity hubs.
Virtual directories, such as Oracle Virtual Directory (OVD), are designed to provide a single, centralized authentication point for multiple services. They unify multiple directories, providing a real-time consolidated view of a person’s identity record regardless of where it’s stored. Because they typically come with adapters for most major directories and databases, including those from Oracle, Sun, IBM, Microsoft and Novell, they can be remarkably easy to deploy.
The actual user accounts are still decentralized – created and maintained in the original authentication sources, not in the virtual directory. But to an application or service that’s part of the network, it appears that there’s one centralized source for authentication, removing a ton of complexity from the application, breaking down silos, and allowing you to recognize an individual across all your services.
The identity hub completes the picture. It serves as a broker between the application and the various authoritative sources of identity attributes in both enterprise and federated scenarios. It provides a single authoritative view of user data in what is generally a decentralized environment where user data is scattered among multiple repositories.
More importantly, that view changes depending on who is accessing it. Each application (or business unit, department, division, or customer) has a view that’s limited to only the information that’s deemed appropriate. That’s determined by the owner of the information, which can be another division within the same company, an external partner, or even an individual customer.
By combining the identity hub with a governance framework for identity federation via the cloud, you can easily share these views with partners who provide services, while ensuring the appropriate (and only the appropriate) information is securely delivered to each service provider by you, the identity provider. Simeio’s Cloud Services, for example, uses Oracle Access Manager 11g R2 to gather the requested attributes within the identity hub and build an encrypted claim in a form tailored for the consuming service.
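The two mechanisms described above, the consolidated view a virtual directory presents and the per-consumer scoping an identity hub applies before a claim is issued, can be sketched in a few dozen lines. The following is an added example written for this post; it is not Simeio's or Oracle's code, and all source names, attribute names, the sample records and the release policy are constructed. Where the post mentions an encrypted claim built by Oracle Access Manager, this example stands in a compact HMAC-signed token so the consuming side can verify audience and integrity offline; a production hub would use the product's own claim format and keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample records from three identity silos (hypothetical sources),
# all keyed by the same join attribute (the user's e-mail address).
SOURCES = {
    "hr_ldap": {
        "alice@example.com": {"given_name": "Alice", "surname": "Nguyen",
                              "employee_id": "E1001", "department": "Finance"},
    },
    "crm_db": {
        "alice@example.com": {"given_name": "Alice", "loyalty_tier": "gold",
                              "phone": "+1-555-0100"},
    },
    "helpdesk_ad": {
        "alice@example.com": {"given_name": "A. Nguyen", "password_hash": "<constructed>",
                              "last_ticket": "T-778"},
    },
}

# Which source is authoritative when two sources disagree on an attribute (highest first).
PRECEDENCE = ["hr_ldap", "crm_db", "helpdesk_ad"]

# Attribute release policy: each consuming service sees only what the data owner approved.
# "audit_tool" is deliberately misconfigured to show that the hard deny-list still applies.
RELEASE_POLICY = {
    "payroll_app": {"employee_id", "given_name", "surname", "department"},
    "rewards_partner": {"given_name", "loyalty_tier"},
    "audit_tool": {"given_name", "password_hash"},
}

# Attributes that are never released to any consumer, whatever the policy says.
NEVER_RELEASE = {"password_hash"}


def consolidated_view(email):
    """Virtual-directory style merge: one record assembled from every source that knows
    the user, with higher-precedence sources overwriting lower ones."""
    merged = {}
    for source in reversed(PRECEDENCE):  # lowest precedence first, so higher ones win
        record = SOURCES.get(source, {}).get(email)
        if record:
            merged.update(record)
    return merged


def scoped_view(email, consumer):
    """Identity-hub style view: the consolidated record reduced to the attributes this
    consumer is allowed to see. Unknown consumers get nothing, not everything."""
    allowed = RELEASE_POLICY.get(consumer)
    if allowed is None:
        raise PermissionError(f"no release policy for consumer {consumer!r}")
    return {k: v for k, v in consolidated_view(email).items()
            if k in allowed and k not in NEVER_RELEASE}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_claim(email, consumer, key: bytes) -> str:
    """Build a compact HMAC-SHA256 signed claim (JWS-like, constructed format) carrying
    only the scoped attributes, bound to the intended audience."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": email, "aud": consumer, "attrs": scoped_view(email, consumer)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_claim(token: str, consumer: str, key: bytes):
    """Consumer-side check: constant-time signature comparison, then audience match.
    Returns the payload on success, None on any failure."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        return None
    payload = json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
    if payload.get("aud") != consumer:
        return None
    return payload


if __name__ == "__main__":
    shared_key = b"constructed-demo-key"  # constructed; a real deployment would use managed keys
    token = build_claim("alice@example.com", "rewards_partner", shared_key)
    print(verify_claim(token, "rewards_partner", shared_key))
```

The deny-list in `scoped_view` is the point the post makes about passwords: a hub that can answer attribute queries on demand has no reason to ever hand a credential to a consumer, and that rule should not depend on every per-consumer policy being written correctly. Binding the claim to an `aud` value also means a token minted for one partner is rejected if replayed at another.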
Once you or your partners can access this information on demand, it may no longer be necessary to own or even store any portion of a user’s identity – certainly not their password, which would instantly get you out of the business of password management, including support desks and reset mechanisms.
In this new model, identity is no longer something isolated in individual applications and maintained in a single organization. Information becomes fluid, on-demand, real-time, relevant to business units, and – most importantly – transportable to other businesses or clients, which reduces complexity and time to market, and opens the door to entirely new business models and revenue streams. We’ll have more on this in our fourth and final chapter.