Shadows of Identity

I was trying to find a way to describe the greater discipline of identity management to a coworker. Because of all the terminology collisions out there, coming up with clear description wasn’t easy. The following is a riff on Plato’s Allegory of a Cave and Kim Cameron’s 4th Law of Identity – Directed Identity.

Consider that you are standing in a large room which represents the world in which your identity can be represented. In front of you are a series of three dimensional figures called targets. These targets come in a variety of shapes and sizes. Behind you are a series of lights. When a light is switched on, it projects your shadow onto one of the targets. These targets are coated with a special substance that locks your shadow onto the surface. Because of the shape and irregularities of the targets, your shadow does not look the same on every target. Furthermore, your shadow looks more like you on some targets than others. These targets are different systems that represent your identity in one way or another. Active Directory is a fairly regular shape, thus your shadow on this target looks a lot like you. I picture the Active Directory target as a convex lens. A biometric system is an irregular shape full of nooks and crannies, thus it’s extremely hard to tell that the shadow is yours. I picture a biometric system target as a spiky blob of some sort.

First Thought: The more your shadow looks like you the more target must be guarded.

High fidelity targets, those that keep a shadow that looks more like you, have to be protected differently than those that keep a shadow that looks nothing like you. It is easier to pull the “you-ness” out of Active Directory than it is from a biometric system. If an evil force wanted reconstructed a facsimile of you, it would try and steal the targets that have these high fidelity shadows. If the shadows are representative of you, then what are the lights? The lights are contexts in which you will interact with the target. The Everyday-Use Light projects your shadow on the Active Directory target. The Super-Secret-Job-Function Light projects your shadows onto the homegrown Oracle application target, and so on. Different lights can project onto the same target. This means that your shadow on a given target may actually be a composite of multiple lights shining on you. This leads to…

Second Thought: On an individual basis, you cannot determine which lights created your shadow on a given target.

If you examine your (composite) shadow on the SAP target (SAP being one of those fairly regular shapes), you cannot be sure which of the lights helped to create the shadow. To be completely sure of how your shadow was created, the target has to tell you. Yes, you can gather a large number of people and their targets (do some math) and come up with an approximation of which lights are needed and how they create which shadows. But, this is only an approximation. So where do all these Identity Management products fit in? Provisioning tools provide the lights. They project some aspect of your identity onto targets. They know how to map your shadow onto the three dimensional surface of the target. This is parallel to the idea of unidirectional identity beacons. Meta-directories can act in two ways. First, they can act as a pocket flashlight: they can help project a piece of your shadow. Meta-directories know how to map your shadow onto targets, but they are less frequently used to project all of your “you-ness” onto every target. Second, they can be used to create a doppelganger: they attempt to reconstruct you by gathering and examining all your shadows. Virtual Directories work in much the same way, but instead of creating your doppelganger, they attempt to create a high fidelity shadow from the collection of targets. This leads to…

Third Thought: Although Provisioning (and Meta-directory) tools can map your shadow onto a target, they have a harder time working in reverse.

Most Provisioning tools work by constructing and turning on the lights. Yes, Provisioning tools can correlate your shadow to you, but they have a hard time going further than that. They struggle with (given your shadow) determining which contexts of use, which lights created the shadow.

Before this post starts sounding like dialog from Ghost in the Shell, I’ll draw this to a close. I leave you with a question that has been rolling around in my head – From an enterprise perspective which is more important: the lights, you, or the targets?

One Reply to “Shadows of Identity”

  1. The lights are most important to the enterprise. The applications/repositories/targets can (and do) change. The “you” is simply a shell which any (qualified) person can fill. But the Context/role function of the light is what gives rights and responsibilities to the “you” and security and access to the targets.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.