Commentary by Mark Wahl, CISA
Organizing principles for identity systems:
Future Directions in Identity Lifecycle Management: Introduction (20070710)
Late last month I presented at the Burton Group Catalyst conference in the "future of identity" segment on the topic "Your Identity Session: Future Directions in Identity Lifecycle Management". The slides of the talk can be found on the Informed Control resources page in PDF.
Traditionally, the process of managing digital identity lifecycles for individuals within enterprise identity management deployments has had the following assumptions:
- The operations performed on an identity start with the creation of the identity (Provisioning) when an individual joins an organization, continue with one or more Updates, and end with the disabling or removal of the identity (Deprovisioning) when that individual leaves the organization.

In practice, the amount of control the organization has over the data typically decreases over time, and the quality of the data declines with it: the provisioning system's "view" of the individual as a user identity diverges from the individual's own view, e.g., as job functions or group memberships change.
- Each identity is managed independently of the others: activities targeting one user have no effect on other users.

While collections of users might be classified into 'groups' or other categories for access control management, these operations typically do not affect the representation of an individual user.
- The protocol connections over which lifecycle operations are carried are within the enterprise firewall, and ideally, the organization has surrounded the repositories and access control decision points with layers of increased protection.
(Figure: Idealized state)

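As an added illustration (not code from the talk or from this post), the following toy Python model captures the three traditional assumptions above: a per-identity lifecycle that goes Provision, Update*, Deprovision; operations that are scoped to one identity and cannot touch another; and a reconciliation check showing how the provisioning system's view drifts away from the authoritative (HR) record when updates only partially flow through. The class and function names (ProvisioningSystem, divergence, run_demo) and the HR records are assumptions constructed for the example.

```python
"""Toy model of the traditional enterprise identity lifecycle (added example)."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    PROVISIONED = "provisioned"
    DEPROVISIONED = "deprovisioned"


@dataclass
class Identity:
    user_id: str
    attributes: dict
    state: State = State.PROVISIONED
    history: list = field(default_factory=list)  # audit trail of operations


class LifecycleError(Exception):
    """Raised when an operation is not valid in the identity's current state."""


class ProvisioningSystem:
    """Hypothetical provisioning system: each identity is handled on its own."""

    def __init__(self):
        self._identities = {}

    def provision(self, user_id, attributes):
        # Provisioning is the first operation; a user may only be created once.
        if user_id in self._identities:
            raise LifecycleError(f"{user_id} already provisioned")
        ident = Identity(user_id, dict(attributes))
        ident.history.append(("provision", dict(attributes)))
        self._identities[user_id] = ident
        return ident

    def update(self, user_id, changes):
        # Updates apply only to the named identity and only while it is active.
        ident = self._require_active(user_id)
        ident.attributes.update(changes)
        ident.history.append(("update", dict(changes)))
        return ident

    def deprovision(self, user_id):
        # Deprovisioning disables the identity and strips its entitlements.
        ident = self._require_active(user_id)
        ident.state = State.DEPROVISIONED
        ident.attributes["groups"] = []
        ident.history.append(("deprovision", {}))
        return ident

    def get(self, user_id):
        return self._identities[user_id]

    def _require_active(self, user_id):
        ident = self._identities.get(user_id)
        if ident is None:
            raise LifecycleError(f"{user_id} is unknown")
        if ident.state is not State.PROVISIONED:
            raise LifecycleError(f"{user_id} is already deprovisioned")
        return ident


def divergence(system_view, authoritative):
    """Return the attributes on which the provisioning view and the
    authoritative record disagree, as {name: (system_value, authoritative_value)}."""
    keys = set(system_view) | set(authoritative)
    return {k: (system_view.get(k), authoritative.get(k))
            for k in sorted(keys) if system_view.get(k) != authoritative.get(k)}


def run_demo():
    """Provision two users, let one drift from HR, deprovision the other."""
    ps = ProvisioningSystem()
    # Constructed sample HR records (not from the post).
    ps.provision("alice", {"department": "engineering", "manager": "m.jones",
                           "groups": ["eng-all", "build-servers"]})
    ps.provision("bob", {"department": "sales", "manager": "k.lee",
                         "groups": ["sales-all"]})
    # HR later records alice's transfer, but only the department change is
    # pushed to the provisioning system; manager and groups are never revisited.
    hr_alice_now = {"department": "finance", "manager": "r.patel",
                    "groups": ["fin-all"]}
    ps.update("alice", {"department": "finance"})
    drift = divergence(ps.get("alice").attributes, hr_alice_now)
    # Deprovisioning bob has no effect on alice (identities are independent).
    ps.deprovision("bob")
    return {"drift": drift,
            "alice_state": ps.get("alice").state,
            "bob_state": ps.get("bob").state,
            "bob_groups": ps.get("bob").attributes["groups"]}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

The `drift` result is the point of the example: after a partial update the provisioning system still believes alice reports to her old manager and holds her old group memberships, which is exactly the divergence between the system's view and the individual's actual situation that the post describes.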
In the talk I identified three trends that could influence how identity management software for the enterprise manages identity lifecycles:
- Increasing number of points where identity information crosses the firewall
- Identity decisions move closer to the user
- Identity management data incorporates interpersonal identity