The concept of identity management in the physical world is strongly linked to context and relationships. When computers and the services they support seek to interoperate, the incorporation of identities becomes important. In the future, most applications will take advantage of identity information for security, billing, and recognition of friends, family, and consumers as well as for conducting activities in our daily lives that extend past commerce and touch political and social interactions. The architects of the world will struggle to unify and make consistent the accuracy of identity information. This is primarily a result of several opposing factors:
The pervasiveness of information systems that have stored their own identities in a proprietary manner.
The sheer sloppiness of data in an organization and the lack of anything that remotely resembles a data architecture. In many Fortune 500 companies, customer information can be found in at least 20 databases, none of which agree.
Individuals' desire to make any information about them private.
The ability of criminal-minded individuals to either misrepresent themselves and/or use identity information to gain advantage or escape accountability.
Part of the problem in creating a ubiquitous identity-management approach is tied to governmental regulations and friendly neighborhood ambulance chasers (i.e., lawyers). Today, no legal precedent states who is responsible for errors, omissions, quality control and assurance, redundancies, and dispute resolution.
Many systems have been created (and some are still being created this way) that introduced their own notions of a user, password, and authorization scheme. Other applications within an organization, such as a payroll system, maintained detailed, accurate information about users, but that information was just records. One of the evolutions in information technology encouraged architects to think about process rather than data. While this provided some benefit, today we are left with databases that applications simply manipulate.
Storing information in a database is simple. The industry understands the rules of normalization (not always practiced), but bridging authenticated identity in real time is not yet fully realized. The ideal situation would be, in real time, to authorize or deny access to a user, to treat a referred customer as a welcome guest instead of a stranger, or even to revoke all access globally and immediately for fired employees (Sun has mastered this). These are some of the potential issues an identity management architecture can solve.
Identity management permits creating flexible definitions for people and things, such as classes or groups, that permit attaching policies or drawing conclusions. Many of us have moved physically from one place to another and taken items with us. Likewise, in a digital sense, electronic users will want to take information with them.
The infrastructure components that constitute identity management include a data store (usually a directory or relational database) and processes that read and update the data, such as authentication and authorization, which provide access control to a resource. An LDAP directory is a significant component in identity management but is not the last stop. The directory can provide a central place to store credentials while still allowing authentication and authorization policies to be embedded in an application. The ideal scenario is to externalize these rules so that they can be executed anywhere, including in an application or by a centralized security service.
An identity management solution allows an architect to simply plug in a separate authentication layer without having to reinvent the wheel. This allows each application to have its own authentication rules without having to create its own authentication mechanisms. Identity management allows authentication systems to interact in a federated manner. This approach also becomes the first step in enabling single sign-on. The ability to be authenticated once and have a different authorization service for each resource ensures that personal information is not being passed. This process also allows the ability to specify explicitly what data can be passed from one resource to another, adding another level of security.
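To make the externalized rules described in the last two paragraphs concrete, here is an added Python example (not code from the book or from any product it mentions): policies attached to groups rather than to applications, a central authorization decision, an explicit list of the attributes each resource may receive, and the global revocation mentioned earlier. All user names, resource names and attribute values are constructed for illustration.

```python
# Added example, not from the book. Users, groups, resources and values
# below are hypothetical and constructed for illustration only.

# Constructed directory records: the central credential/attribute store
# (an LDAP directory in practice), keyed by user id.
DIRECTORY = {
    "alice": {"groups": {"engineering", "employees"}, "active": True,
              "email": "alice@example.test", "salary": 120000},
    "bob":   {"groups": {"employees"}, "active": True,
              "email": "bob@example.test", "salary": 90000},
}

# Policies are attached to groups (classes of people), not to individual
# applications, so any resource or a central service can consult them.
GROUP_POLICY = {
    "employees":   {"intranet": {"read"}},
    "engineering": {"intranet": {"read"}, "source-repo": {"read", "write"}},
}

# Each resource declares explicitly which attributes may be passed to it;
# everything not listed (e.g. salary) never leaves the directory.
RELEASE_POLICY = {
    "intranet":    {"email"},
    "source-repo": {"email", "groups"},
}

def authorize(user, resource, action):
    """Central access decision; unknown or inactive users are denied everywhere."""
    record = DIRECTORY.get(user)
    if record is None or not record["active"]:
        return False
    return any(action in GROUP_POLICY.get(g, {}).get(resource, set())
               for g in record["groups"])

def release_attributes(user, resource):
    """Return only the attributes the resource is explicitly allowed to receive."""
    record = DIRECTORY.get(user, {})
    allowed = RELEASE_POLICY.get(resource, set())
    return {k: v for k, v in record.items() if k in allowed}

def revoke(user):
    """Global revocation: one change in the store denies access to every resource."""
    if user in DIRECTORY:
        DIRECTORY[user]["active"] = False

if __name__ == "__main__":
    print(authorize("alice", "source-repo", "write"))   # True
    print(release_attributes("alice", "intranet"))       # {'email': 'alice@example.test'}
    revoke("alice")
    print(authorize("alice", "intranet", "read"))        # False
```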
Web services will enable many people and systems to be discoverable and knowable. These entities' visibility will increase; they will not simply disappear into cyberspace, as they do today. The actions and interactions of people and systems will persist, and architects will be called on to categorize, visualize, and filter knowledge, not simply store it. Individuals will control their identities in the same manner as they control their finances, most likely using third parties in the same manner a bank holds money. This relationship will extend to their software.