Monday, February 22, 2010

Identity NXT...

I am always confused by the term identity as a service. So I thought I would open up a discussion on what it could mean, or what change it could bring to the current identity ecosystems. Well, look at the current ecosystems...
They are either

Closed - corporate users, partners or customers
Or Open - web 2.0 based weak credential sharing for the collaboration/blogging community
Or Federal - government related (mostly non-web still...)

So can identity be shared across these ecosystems if we have identity as a service???

But when I search the internet for identity as a service, people talk about it with respect to the applications that consume these identities... so all it might need is a way to interact with the systems in these different types of ecosystems. That is nothing new... it's just about interoperability and a common framework. This will eventually lead to more and more specifications. Why are all the leaders in provisioning and web access management using these words then??? Because they address the larger portion of the closed ecosystem... they are happy doing identity services for corporates... extending at most to partners... or to some vendor...

Now what I expected when I began my search for identity as a service was that identity would be a service for organizations, communities like blogs and federal bodies to share identity for the benefit and ease of use of the end user. Like Kim Cameron's famous laws of identity.
It should be acquired through proper validation... so that the issuer knows that the person applying for it actually exists... (unlike with the popular mail providers like Google and Yahoo, where the person at the other end is not even a person, but a machine :) )

Hmm... I am thinking along the lines of digital identities again, which will lead to another username and password in some directory or database... let me stop here...

We can look at actual identities... People acquire them once and use them till expiry. Passports... ration cards... PAN cards... The beauty of real-world identity is that you choose which identity to use... You may want your passport to be your age proof, but would want to show address proof only from your driver's license...

How do we mimic this in the e-world? Where do we start identity creation? If you look, of late people are resorting to things like the National Skills Registry for validation of your work experience... (strictly India)... I think registries like that are where the core is when it comes to practicality....

Or let us look at one more aspect... this is very much in line with Mr. Nilekani's UID thoughts. Look at the subscriber base for mobile phones... can't they be tapped as a user base, as mobile is becoming the essence of your existence in the world these days... What do we need in this case? There are PINs available for mobile SIM cards... is there a way to tap into this as a credential? A framework through which you can ask a user to use his mobile number and PIN to authenticate.

Of course, this will be simple authentication, a first factor maybe...

Club it with your banking credentials as a second factor. Internet banking gateways may expose some methods in future to just do authentication using web services??? You are covering a good number of the worldwide netizens in this case too... and since a bank will always try to have the safest way of transacting, it is surely a very strong second-level authentication...

Now for the usage of the acquired identity...

The user should be able to use the identity according to his own choices... like not showing a passport to get a satellite TV connection... you flash your driver's license then... so maybe a user should be given a choice of which credential he would need to use...

Same factors that I discussed above... telecom PINs for weak authentication... banking for a stronger credential... it could be your Verified by Visa... hmm... too much pondering...
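The credential-choice idea above, as an added illustration that is not part of the original post: a wallet holds credentials of different assurance (telecom PIN weak, bank strong), the user decides which credential may be shown for which purpose, and the relying party receives only the claims it asked for. Credential names, purposes, assurance levels and wallet contents are all constructed for the example.

```python
from dataclasses import dataclass, field

# Assurance levels, following the post's ranking: a telecom PIN is a weak
# first factor, a bank credential is strong. Names and values are constructed.
LOW, MEDIUM, HIGH = 1, 2, 3

@dataclass
class Credential:
    name: str
    assurance: int
    claims: dict                                   # claim name -> value
    allowed_for: set = field(default_factory=set)  # purposes the user permits

@dataclass
class ClaimRequest:
    purpose: str        # why the relying party is asking, e.g. "satellite_tv"
    claims: set         # the claim names it actually needs
    min_assurance: int  # weakest credential it will accept

def select_credential(wallet, request):
    """Among credentials the user has allowed for this purpose, pick one that
    carries every requested claim at sufficient assurance. Prefer the weakest
    acceptable one, so a passport is not flashed where a license will do."""
    candidates = [c for c in wallet
                  if request.purpose in c.allowed_for
                  and request.claims <= set(c.claims)
                  and c.assurance >= request.min_assurance]
    return min(candidates, key=lambda c: c.assurance, default=None)

def disclose(wallet, request):
    """Minimal disclosure: hand over only the requested claims, or None."""
    cred = select_credential(wallet, request)
    if cred is None:
        return None
    return {"credential": cred.name,
            "claims": {k: cred.claims[k] for k in request.claims}}

def sample_wallet():
    """A constructed wallet mirroring the post's real-world credentials."""
    return [
        Credential("telecom_pin", LOW, {"phone": "9000000001"}, {"forum_login"}),
        Credential("drivers_license", MEDIUM,
                   {"address": "12 Sample Lane, Pune", "age_over_18": True},
                   {"satellite_tv", "age_check"}),
        Credential("passport", HIGH,
                   {"address": "12 Sample Lane, Pune", "age_over_18": True,
                    "nationality": "IN"}, {"age_check", "visa"}),
        Credential("bank_login", HIGH, {"account_holder": True}, {"payment"}),
    ]
```

Note that a request the user never permitted for that purpose, or one that asks for more assurance than the allowed credential carries, gets nothing back rather than a fallback to a stronger identity.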

Tuesday, January 19, 2010

How IDAM can help group companies

Group companies environment
These are organizations which work in a structure where there is a central corporate parent company and a lot of subsidiaries running as individual companies. While a lot of infrastructure is shared between these entities, a lot of people- and regulation-related disconnects can be observed in such places. I have been involved with a lot of infrastructure companies of late. Some of my thoughts around it are as follows:

Typical challenges in a group-of-companies environment
Organizations which work as group companies face the following typical identity-related challenges. I am trying to list some of the challenges I have seen at different customers which follow a similar governance model.
Lack of centralized risk framework: The risk framework evolves as per the individual needs of the companies contributing to the group.
Disparate technology environment: The technology and products chosen by different groups are controlled by the businesses rather than by the corporate structure. This is more of a requirement than a challenge, as the companies need independence in software and infrastructure selection due to the technology dependence of the businesses they carry out.
Different regulatory adherences for different groups due to the law of the land: When ISO 20007 is a requirement for some of the operations, some may mandate SOX compliance, and some other business may need to adhere to other regional regulatory or compliance norms depending on the region of operation or line of business, like JSOX for Japan or HIPAA for the medical business.
Need to quickly respond to identity-related needs: The identity needs may vary from new organization creation and designation of a new company to bulk transfer of employees from one unit to another due to reorganizations.

An Identity Services Approach
Based on the above-mentioned challenges and the trends in identity management products, let us try to look at an approach in which the IDAM solution can be showcased as a service for all group companies. I am trying to explain the approach from 3 different angles, which are:
Governance approach
Operational approach
Technology approach

IDAM Governance Approach - A framework structure to follow
The IDAM Governance approach calls for mandatory participation from business-level auditors/owners, the centralized IT security / risk management team and corporate applications like HRMS applications. This aids the risk and governance structure by providing the right controls to the overall governance structure. It helps business owners and auditors get better visibility into their environment by providing reports and attestation/certification of access levels on a scheduled basis. The IDAM system also provides corporate applications like HRMS with a single point of integration for access. The following governance structure relates to the above-mentioned points.


IDAM Operational approach - A plan to capture your CAPEX and OPEX flow on IDAM
The IDAM Operational approach defines the different operational priorities that should be followed during implementation. The implementation should be service-centric, and IDAM should first be implemented for corporate and one business unit, after which the base framework will be ready for showcasing the benefits of IDAM processes and policies. It also gives new businesses the comfort to embark on integration with the corporate IDAM model. The centralized infrastructure can be reused for all the businesses or group companies, with integration spanning from physical security to application privileges. Additionally, IDAM aids in rolling out new and centralized initiatives like DRM, DLP and privileged user management, or data centre security aspects like server access control and database security.

IDAM Technology approach – Basic Identity Framework
Ideally, from a technology perspective, IDAM as a deployment should have the following:
• Self-service for users, like password resets, access requests, etc.
• Management capabilities for administrators
• Approval- and workflow-based user access provisioning for better ownership
• Reports and audit procedures for better visibility and control
• Access management controls for web and non-web applications
The diagram below explains the different interfacing capabilities that should be present in a typical IDAM technology stack.

A basic IDAM system should have authentication for all applications, for control. It should have self-service interfaces and SSO for user experience. It should have delegated administration for manageability and audit/attestation facilities for gaining visibility. The IDAM system should support workflows and identity synchronization extensively. It should interface with different applications and should have a secure identity store and an accessible audit store.
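As an added illustration (not from the post or any product) of the HRMS integration and scheduled attestation the post calls for: a reconciliation that treats the HRMS feed as the authoritative record of who belongs to which group company, routes each live account to its owner's manager in that company for review, and separates out the two exceptions a central IDAM team must chase. All records, field names and company names are constructed.

```python
from collections import defaultdict

# Constructed sample data. The HRMS feed is treated as the authoritative
# record of who works for which group company; APP_ACCOUNTS is what the
# applications actually hold. Field names are assumptions, not any product's.
HRMS = [
    {"emp_id": "E100", "company": "ParentCo", "manager": "E001", "status": "active"},
    {"emp_id": "E200", "company": "SubsidiaryA", "manager": "E002", "status": "active"},
    {"emp_id": "E201", "company": "SubsidiaryA", "manager": "E002", "status": "terminated"},
    {"emp_id": "E300", "company": "SubsidiaryB", "manager": "E003", "status": "active"},
]
APP_ACCOUNTS = [
    {"app": "erp", "user": "E100", "role": "finance_admin"},
    {"app": "erp", "user": "E201", "role": "finance_user"},    # leaver still provisioned
    {"app": "crm", "user": "E300", "role": "sales"},
    {"app": "crm", "user": "E999", "role": "sales_admin"},     # no HRMS record at all
    {"app": "hr_portal", "user": "E200", "role": "employee"},
]

def reconcile(hrms, accounts):
    """Compare application accounts with the HRMS feed. Live accounts are
    routed to the owner's manager in their own group company for attestation;
    the two kinds of exception go to the central IDAM team."""
    people = {p["emp_id"]: p for p in hrms}
    report = {"attest": defaultdict(list), "orphans": [], "leavers": []}
    for acct in accounts:
        item = dict(acct, privileged=acct["role"].endswith("_admin"))
        person = people.get(acct["user"])
        if person is None:
            report["orphans"].append(item)      # nobody owns it: revoke or justify
        elif person["status"] != "active":
            report["leavers"].append(item)      # de-provisioning was missed
        else:
            item["reviewer"] = person["manager"]
            report["attest"][person["company"]].append(item)
    return report

def attestation_pack(report):
    """Render one review list per group company, privileged roles first."""
    lines = []
    for company in sorted(report["attest"]):
        lines.append(f"== {company} ==")
        items = sorted(report["attest"][company],
                       key=lambda i: (not i["privileged"], i["app"], i["user"]))
        for i in items:
            flag = "PRIV " if i["privileged"] else "     "
            lines.append(f"{flag}{i['app']:<10}{i['user']:<6}{i['role']:<16}-> {i['reviewer']}")
    return lines
```

Run on a schedule, the orphan and leaver lists are the items that should not wait for the next certification cycle, while the per-company packs are what each business owner attests.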