Business Driven Identity Management


My November column for Connect is on Business Driven Identity Management. It's nothing I haven't said here many times.

I recently had the opportunity to sit with a group of CIOs and others involved in managing information technology and discuss digital identity. What struck me was how much of the conversation was about security and liability rather than identity and opportunity.
From Connect :: Resource/Article :: November Columnist - Phil Windley
Referenced Mon Nov 24 2003 10:25:59 GMT-0700

I'm surprised how little information CIOs and IT managers get on how identity can help their business. Go to the bookstore and look for a book on identity management. Pretty slim pickins. There are plenty of books on security with their traditional "keep the bad guys out" mentality. This is important, but any CIO knows that if they listened to their security guys all the time, they'd just as well shut down the business.

When integration is driven by business, rather than IT needs, security policies need to talk about documents, data, actions, people and corporations instead of machines and networks. This security model is infinitely more complex than the old "secure perimeter" model. But even if you define your policy, how do you ensure that it is properly implemented across dozens or even hundreds of systems and at the same time control access to fields of a database or paragraphs of a document?
From Connect :: Resource/Article :: November Columnist - Phil Windley
Referenced Mon Nov 24 2003 10:22:09 GMT-0700

We need to start looking at corporate identity infrastructures as an asset that plays an important role in securing the business, but the main function of which is to enable flexible interoperability with partners and suppliers. Digital identity is not something you buy from a vendor. Digital identity requires an enterprise architecture and a well-developed IT governance procedure that's sensitive to business drivers.