DIDW 2004: Phil Becker on Management by Identity


Phil Becker opens Digital ID World 2004
In keeping with tradition, Phil Becker opened the conference and did a great job. He's honed these ideas over the last few years. Every time I talk to him, I catch glimpses of new insights, and this talk is a culmination of that. What follows are my notes of his talk.

You don't have to manage things until they're spread out. You don't have to worry about security until things are connected. Traditionally, we've been defensive about security, but defense can't win. Only offense can win. Digital identity is the common organizing paradigm for integrating, managing, and securing IT.

Why is the loss or lack of identity so disruptive? Because without identity, we have no ability to organize or control activity. Rumpelstiltskin taught us that identity is power. Identity allows relatively autonomous agents to identify each other, organize interactions, apportion authority and responsibility, and be held accountable. Identity is the framework for organizing.

Before the net, location was a proxy for identity. Access control was physical. There are no longer any proxies for the identity of the user. In a network, bastion perimeters are an illusion. You can't have a perimeter and be on the net. The perimeter must dynamically expand and contract to include mobile users. The perimeter must be porous and be opened up for more and more activities. Eventually, there are so many holes in the wall that it's no longer a wall.

Digital identity is more than

  • Authentication
  • Provisioning
  • Access control
  • Rights management

Digital identity is an organizing paradigm for distributed service-oriented computing that allows it to dynamically adjust to the needs of each user. Identity management has been the first success story in digital identity. Identity management is about managing identity data and promulgating it properly. It's all about making sure identity data is reliable, current, properly synchronized, available, and easy to administer.

But identity management is just a step towards being able to manage by identity. This lets network computing become more dynamic while remaining accountable. Provisioning and web access control are early instances of management by identity.

The browser taught people the power of discovery and networking at the document level in real time. Web services and SOAs replicate this ability for applications and data. Grid computing, autonomous computing, and the like will have to be managed by identity.

Management by identity will allow computing to dynamically adjust to business and human processes, releasing new capabilities, productivity, and real-time application and data integration.

Identity management started out as a centralized identity store; then LDAP and X.500 moved identity management into a distributed architecture. This still wasn't good enough. We're moving to a decentralized architecture with delegated administration. That move is typified by the move to identity federation.

Identity federation is about loose coupling and scaled administration. Federation creates a framework for understanding the true nature of networked identity. It's not possible to pre-define all the ways users will want data and applications to be integrated. Business will require the ability to integrate on demand.

The portal is an early place where dynamic integration and management by identity are used. Portals perform virtual integration. The user's identity and needs, coupled with the policies of the application owners, are the only organizing factors. Management by identity is the only mechanism that honors the incentives of all the parties involved.

Regulatory compliance is a forcing function that drives the need to manage by identity. The regulations all ask "who did what with which data when?" or "prove that someone did or did not do something." Doing this manually is nearly impossible. Identity-centric techniques are the only ones that can keep up with the increased demand for auditability.