Identity and Access Management (IAM)

It’s a little hackneyed to talk about how the Internet is expanding and how the potential to live, work and play on the Internet grows proportionately to this expansion, but it’s still true.  We are almost daily exposed to new, “up-and-coming” services and ways to interact with one another, the most recent of which is the loose grouping of “Web 2.0” connections.  This includes not only the burgeoning of Wikis and blogging, but also social-networking structures like MySpace, Friendster, Facebook and Second Life. The online world is coming to resemble, more-and-more, the offline world with new ways of forming associations and new opportunities for self-expression; and it seems that, positive-or-negative, there is an analog online for everything offline. And so we come to the notion of who we are as a digital persona in this brave new Web.

The evolution of the Internet has led to an impasse around the management of our identities. As services have rolled out, the hosts for these services have created many disparate user stores.In effect, we have multiple identities among domains on the Web, from eBay or Amazon accounts to IM identities, from corporate identities within our company’s’ infrastructures to identities with your bank, all the way up to and including our MySpace account and second lives. The most egregious examples exist even within a particular “trust domain” when you have multiple identities within a unique infrastructure, as is often the case when you can’t remember your username and password at a site and have to go through the process of re-registering. The end result of this is that as you move around on the Web, you are forced to authenticate multiple times in multiple ways and errors and redundancies and lapses where we can’t remember our identities creep in. Worse, we potentially can suffer identity abuse, if not outright identity theft, since keeping track of and maintaining information associated with you in each of these Identity Islands is time consuming and can introduce inconsistencies.

Along comes Identity 2.0: the promise of user-centric and user-managed digital identities and identity verification. The case has been made in a few places for an evolution from the identity island “model” above to a model that is more reflective of human real world societies. The challenge before everyone is to unify and simplify the way in which identities are governed world-wide.  No more the authoritarian, centralized domains with their independent identity stores. Instead,we users of the Internet will carry our credentials with us and will present them at our discretion when we interact with sites and services. The benefits to end users are numerable: a single identity, seamless single sign-on, and a common identity for moving among sites and domains and still being “you” in the eyes of all whom you deal with. Imagine if, as we move through the Internet, our behavior could be used to establish each of us and our “reputation” and trustworthy-ness could come with us. If you are a frequent shopper at Acme.com, wouldn’t it be nice to go to Widgets.com and be able to carry the reputation you’ve built with Acme with you?

Companies that interact with user-centric identities will initially face architectural challenges in separating the notion of identities within their domains from the entitlements that users should have. They will also face challenges in implementing authentication correctly, especially when their user populations will gradually adopt (and need to be educated on) the process of getting their unique “Internet Driver’s License.” Embracing Identity 2.0 will, however, have substantial long term benefits in terms of reduced cost of management, increased scalability, improvements in speed, better user satisfaction and richer services and affiliations via partnerships in the “entitlements management” rather than “identity management” game. Imagine if anyone who “walks” through the Web portal can be uniquely and rapidly identified and referred to when dealing with other companies—benefit programs, frequent flyer programs, “premium shopper” clubs will become the focus of Federation rather than the relatively simpler notions of single sign-on.

There are, however, substantial obstacles to implementation of a ubiquitous, reliable Identity 2.0-enabled infrastructure. First and foremost, the “architecture” of the Internet isn’t sufficiently sophisticated in a centralized, managed form for a user-centric infrastructure to emerge overnight or even in the space of the next year or so. It will have to be a gradual evolution that will have most of us getting our “internet driver’s licenses” while still having to prove to banks, companies, shopping sites and so on independently, which is why I prefer the term “evolution” to the more radical “revolution” frequently associated with Identity 2.0.  Further, the requirement in some instances for varying levels of strength of authentication mean that either the bar for Identity 2.0 will be set too low for all to adopt immediately or that there will have to be progressive levels of digital identity as we move forward.

Last but not least, there are issues around what a user-centric model means for security and privacy of the individual.  First and foremost among these are issues around identity theft and “phishing.” If you lose your identity once, it now would potentially affect you on a much wider scale.  In effect, centralization of any form can create a single-point-of-failure. Also, the ability to control privacy and to know how your reputation works among sites is critical—although this last control issue will likely evolve to mirror (if not merge with) more traditional forms of reputation and “offline” identity management such as credit ratings. In the end, we have to make this about the individual Internet user and about empowering people to manage their own identities (I’ve advocated a basic Internet Bill of Rights and an Internet Declaration of Independence, perhaps there should be an Internet Congress^* at some point – maybe in Second Life!).

The expansion of the Web that I started this post with continues; and I’ve no doubt that by the time I finish this post, I’ll find there’s a new Web 2.0 advance happening. But as we move ahead with our Brave New Worldwide Web (2.0), Identity 2.0 will happen.  I firmly believe that it’s not a question of “if” but is rather one of “when.” Put another way, it’s a question of “how long will it take to get this right and for companies and users to learn about and embrace the technologies?” It’s compelling, but there’s still a long way to go.

Notes:

1. Burton Group’s Mike Neuenschwander recently reviewed a book by John Clippinger (June 14) that’s made my “must read” list, and he discusses how the book relates “social theory to digital identity”:  I’ll post more hear once I’ve had a solid few evenings to read and digest it.
2. OpenID is a user-centric digital identity initiative that uses unique, personalized URLs instead of username/password combinations for authentication. Jeff Broberg has a great post on OID2.0.
3. Microsoft’s CardSpace is at the heart of their “Identity Metasysten,” and there is good information available on wikipedia.