Identity leprosy or identity zombies?

Jackson, in discussing the demise or retrenchment of HP’s identity business, had this little gem:

We talk about Identity 2.0 in the context of Web services and the evolution of digital identity but our infrastructure, enterprise identity “stuff” is decrepit and falling apart. I have visions of identity leprosy with this bit and that bit simply falling off because it was never built with Web services in mind.

Bits falling off, eh? I’ve never heard of someone losing their core directory services because someone forgot to add XACML support. I’ve also never heard of someone losing an ear because their provisioning system didn’t support SPML v2. Enterprise identity “stuff” is more like a zombie. It lurks in the dark corners of your enterprise. It staggers out at you at inopportune moments. Two other aspects of this ridiculous image are valid:

  1. The identity zombie is incredibly hard to kill.
  2. The identity zombie needs BRAINS!

“They stab with their steely knives…” Once deployed, even in rudimentary forms, enterprise identity systems are amazingly difficult to uproot, to kill. Homegrown systems are notoriously tough to maintain as well as to replace. Even worse were those early attempts at vendor-provided solutions. Before IBM/Tivoli bought Access360, it had Tivoli User Administrator. TUA… one of the banes of my existence. The thing wouldn’t die. The customers who got it running were actually in love with the rotting, smelly thing. They kept it on a steady diet of scripts (BRAINS!) that served as connector definitions and entitlements all rolled into one. It just ran and ran and ran. From what I heard, early BMC Control/SA customers are much the same.

Think this problem is limited to the “old timers” in the identity market? Nope. Good luck replacing that SiteMinder deployment. Enjoy uprooting your original iPlanet directory implementation.

We all know zombies feed on brains. Common knowledge. Let’s consider for a sec that the enterprise identity “stuff” that Jackson refers to is a friendly, but slightly misguided, zombie. The rising aspects of the identity market are the brains that it so badly craves: enterprise role management, entitlement management, fine-grained access control, etc. Feed our enterprise identity zombie with a healthy dose of policy that has business-readable language as to the role of the person and their subsequent entitlements, and you’ll have an enterprise-class, unkillable (in the good way) identity infrastructure.

Further, you do not have to venture into the newer territories of identity land to feed your identity zombie. Enterprise identity implementations have sufficiently progressed to the point that your more mature services providers can feed your zombie all the brains it needs based on their own experience, methodologies, and techniques: no emerging technologies needed.

Do enterprise identity technologies need a bit of a refresh? Sure. But that doesn’t mean they need a complete rip and replace with user-centric or other newer identity “stuff.” Absolutely not. What it does mean is that we are seeing a rise in the value of identity brains, entitlement and access management in business and organizational terms.

Attack of the YAMS: Thoughts on the Role Management Panel at Digital ID World

I was thinking about the role management panel at Digital ID World in New York this weekend. My first reaction to the panel discussion, which consisted of BearingPoint, Prodigen, Bridgestream, and Thor, was that roles are finally growing up. The idea that roles require lifecycle management just as identities do is, at first, a little shocking but then makes a great deal of sense. Working in the enterprise provisioning market for years, I got used to hearing how hard it was to complete a role deployment. At the same time you had Burton Group and others professing the value of roles. Customers were fighting both the difficulties in deploying identity management solutions and the difficulties in understanding and leveraging roles. As the industry provided better automation for the provisioning problem, we saw deployment times go down. But roles were still tough to deal with. We are now seeing tools to help truly automate the role lifecycle management problem.

One of the points that was agreed upon by the panel members was that business roles are separate from IT roles. Who I am in a company is very different from my privilege sets in target systems. Some provisioning products attempt to make this distinction. By elevating roles to a discipline that truly needs its own tooling, we will be able to manage that distinction far better than we can today. I do wonder if potential customers will still look at roles as too difficult and not address them appropriately. “Roles are hard. See… they have to have tools to deal with them,” I can hear a potential buyer say. To this, I often respond with a wink, “IT would be simple if we didn’t have end-users.”

My concern with role lifecycle management is not with the concept itself. I think this is a space that was long in coming. My concern is that role lifecycle management is yet another “Management,” or YAM. Our industry is full of YAMs. We’ve got the access YAM, provisioning YAM, strong authentication YAM, network security YAM, federation YAM. As we look forward to 2006, I think we are going to see pushback against YAMs. Customers are growing weary of yet another policy tool, yet another reporting tool, and another YAM. I think that some of the false hope in the past market consolidation and the IdM suite vendors was that they would cut down on the YAMs. The dream of a single tool that translates business goals and regulations into their various IdM components (access, privacy, provisioning, etc.) has yet to be realized. I worry that the number of YAMs keeps increasing without unifying language and tooling. I worry that the industry is over-specializing without having generalist tools to link these specializations together.

It’s good to see these vendors working together to tackle the role lifecycle management problem from different sides. In their own way, they are fighting the YAMs. We need more impromptu collaborations between solution vendors, deployment specialists, and visionaries. We need fewer YAMs.

With Thanksgiving fast upon us, I leave you with a yam recipe that will leave your guests in a food coma. If we can’t help fight YAMs in our products, we can at least fight yams one fork at a time!
