Two populations, two approaches

Andre over at Ping Identity has clearly been doing some heavy thinking. First, he connects internet-scale security and the continuing death of the firewall. Then, he raises the point that there are more identities outside the enterprise than within. The implication is that those external (Internet-based) identities are of real value to the enterprise; they are partners and customers. These external identities need to be “secured and tracked.”

Two questions come to mind. First, do both populations require the same kind of identity management and services? At issue here is context. The context of a customer or partner is different from that of an employee. Yes, they may need similar identity services, but the manner in which they consume those services is context-driven. This may lead to different sets of identity services, which must be centrally orchestrated and audited.

Second, is the application tier really the best place to tackle these problems? I think the two different populations require different approaches. Companies need to tackle inside identities from the network layer up. Why? Because people on the inside have greater access to the soft fleshy underbelly of the business. Even the most well-intentioned employee can inadvertently cause damage once he’s on the enterprise network. Meanwhile, outside identities should be dealt with at the application tier, as that is their access path to corporate systems.
