Identity, Authentication, and Authorization


We're about to move to a single directory structure where I work.  By July we should have unique IDs for all 22,000 workers and be able to access them from a single directory tree.  No small accomplishment, but one that is too long coming.  (We're using Novell's NDS and DirXML, for the curious.) 

The real challenge will be to ensure that new applications are written to take advantage of this new structure and prioritizing which old applications need to be rewritten.  Oh, and did I mention educating the workers? 

I have a hard time believing that there are IT professionals out there who don't see the value in this, but they're there.  In this age of connectedness and data sharing, I take it as an article of faith that identity, authentication, and authorization should be managed once and the results useful across the enterprise.  The advantages are there to be sure, but it's the disadvantages that drive this issue. 

Chief among the disadvantages are security and privacy concerns.  When someone leaves a job, their access to sensitive data should terminate as well, and that doesn't happen reliably when identity and authorization are handled on an ad hoc basis.  Just as Y2K issues forced IT to clean up a variety of problems (and gave them the excuse they needed to convince the boss), HIPAA is driving this issue for government and the health care industry.
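The deprovisioning failure described above is easy to detect once a single directory exists: compare each application's local account list against the directory's active/terminated status and flag anything that should have been revoked. The following is an added example, not code from the original post or from Novell's NDS/DirXML; the directory entries, application names, and account IDs are all constructed for illustration.

```python
# Added example (not from the original post): reconcile per-application account
# lists against a central directory to find access that should have been revoked.
# All directory entries, application names and account IDs below are constructed.

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DirectoryEntry:
    """One person in the central directory (the 'single directory tree')."""
    user_id: str
    active: bool
    terminated_on: Optional[date] = None


# Constructed central directory: the one authoritative record of who still works here.
CENTRAL_DIRECTORY: Dict[str, DirectoryEntry] = {
    "u1001": DirectoryEntry("u1001", active=True),
    "u1002": DirectoryEntry("u1002", active=False, terminated_on=date(2003, 3, 14)),
    "u1003": DirectoryEntry("u1003", active=True),
}

# Constructed per-application account tables, each maintained ad hoc by its own admin.
# 'contractor42' was created directly in the benefits app and never linked to a directory ID.
APPLICATION_ACCOUNTS: Dict[str, Set[str]] = {
    "payroll": {"u1001", "u1002"},
    "benefits": {"u1002", "u1003", "contractor42"},
    "helpdesk": {"u1003"},
}


def find_orphaned_access(
    directory: Dict[str, DirectoryEntry],
    applications: Dict[str, Set[str]],
) -> Dict[str, List[Tuple[str, str]]]:
    """Return {app: [(account, reason), ...]} for accounts that should not grant access.

    Two failure modes are reported:
      - "terminated": the directory says the person left, but the app still has the account.
      - "unknown": the account has no directory identity, so no central process can ever revoke it.
    Applications with no findings are omitted from the result.
    """
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for app, accounts in applications.items():
        problems: List[Tuple[str, str]] = []
        for account in sorted(accounts):
            entry = directory.get(account)
            if entry is None:
                problems.append((account, "unknown"))
            elif not entry.active:
                problems.append((account, "terminated"))
        if problems:
            findings[app] = problems
    return findings


def revocation_lag_days(
    directory: Dict[str, DirectoryEntry], account: str, as_of: date
) -> Optional[int]:
    """Days between a person's termination and the audit date; None if not terminated."""
    entry = directory.get(account)
    if entry is None or entry.active or entry.terminated_on is None:
        return None
    return (as_of - entry.terminated_on).days


if __name__ == "__main__":
    audit_date = date(2003, 4, 1)  # constructed audit date
    for app, problems in find_orphaned_access(CENTRAL_DIRECTORY, APPLICATION_ACCOUNTS).items():
        for account, reason in problems:
            lag = revocation_lag_days(CENTRAL_DIRECTORY, account, audit_date)
            extra = f", {lag} days since termination" if lag is not None else ""
            print(f"{app}: {account} ({reason}{extra})")
```

Run on a schedule, the "terminated" findings measure how long each application lags behind the directory, and the "unknown" findings are the accounts that a rewrite of that application (or an import into the directory) has to deal with before centralized deprovisioning can be trusted.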