
Thursday, 20 August 2009

Obstacles to identity management

When I was at a security strategy meeting for a big bank last week, one of the big topics of discussion was identity management. It's probably fairly well known that almost no enterprise uses a single directory infrastructure. A typical enterprise actually has dozens of directories, most of which came packaged with various applications. Each of these applications has its own idea of what an identity is, which makes it very hard to create a single, unified directory that works for them all. It turns out that this is a fairly common obstacle to rolling out more advanced identity infrastructures, and there's no easy fix for the problem.

In addition to having its own idea of what an identity is, each application's directory also has its own set of errors that have been introduced over time. It's very expensive to correct all of these errors, but that's what you need to do to create a single, unified directory. And until every application's directory information is scrubbed, it doesn't make sense to move to a single, unified directory.

Scrubbing every application's directory is possible, but it's also very expensive, which means that nobody really wants to do it. The consensus at last week's meeting was, however, that until this is done, identity management technology really can't advance much. Getting funding for identity-scrubbing projects is apparently very hard, so we may not see this happen for a while.
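To make the obstacle concrete, here is an added illustration (not from the post) of what the first step of a scrubbing project looks like: three constructed per-application directories, each with its own identity schema, are mapped onto one common model and checked for the inconsistencies that block unification. The directory contents, field names and adapter functions are all assumptions for the example.

```python
"""Reconcile identity records from several per-application directories
into one common model and flag the records that need scrubbing first."""
from collections import defaultdict

# Constructed sample data: three application directories, each with its own
# notion of what identifies a person (employee id, AD account, CRM login).
HR_DIRECTORY = [
    {"emp_id": "10042", "name": "Ada Lovelace", "mail": "ada@example.com", "status": "active"},
    {"emp_id": "10077", "name": "Alan Turing", "mail": "alan@example.com", "status": "terminated"},
]
AD_DIRECTORY = [
    {"sAMAccountName": "alovelace", "employeeID": "10042", "mail": "Ada@Example.com", "enabled": True},
    {"sAMAccountName": "aturing", "employeeID": "10077", "mail": "alan@example.com", "enabled": True},
    {"sAMAccountName": "svc-backup", "employeeID": "", "mail": "", "enabled": True},
]
CRM_DIRECTORY = [
    {"login": "ada.lovelace", "email": "ada@example.com", "empno": "10042"},
    {"login": "a.turing", "email": "alan.turing@example.com", "empno": "10077"},
]

# One adapter per directory maps its native schema onto the common model.
def from_hr(r):  return {"emp_id": r["emp_id"], "mail": r["mail"].lower(), "active": r["status"] == "active"}
def from_ad(r):  return {"emp_id": r["employeeID"], "mail": r["mail"].lower(), "active": r["enabled"]}
def from_crm(r): return {"emp_id": r["empno"], "mail": r["email"].lower(), "active": None}

SOURCES = {"hr": (HR_DIRECTORY, from_hr), "ad": (AD_DIRECTORY, from_ad), "crm": (CRM_DIRECTORY, from_crm)}

def reconcile(sources=SOURCES):
    """Group normalised records by employee id and return (source, emp_id, issue) findings."""
    by_id = defaultdict(dict)
    findings = []
    for name, (records, adapt) in sources.items():
        for raw in records:
            rec = adapt(raw)
            if not rec["emp_id"]:  # no linking key: this record can never be joined
                findings.append((name, None, "no linking key; cannot be unified"))
                continue
            by_id[rec["emp_id"]][name] = rec
    for emp_id, per_source in by_id.items():
        mails = {r["mail"] for r in per_source.values() if r["mail"]}
        if len(mails) > 1:
            findings.append(("*", emp_id, f"conflicting mail values {sorted(mails)}"))
        states = {n: r["active"] for n, r in per_source.items() if r["active"] is not None}
        if len(set(states.values())) > 1:  # e.g. terminated in HR but still enabled in AD
            findings.append(("*", emp_id, f"status disagrees across {sorted(states)}"))
        missing = set(sources) - set(per_source)
        if missing:
            findings.append(("*", emp_id, f"absent from {sorted(missing)}"))
    return findings
```

On the sample data this reports the service account with no linking key, and employee 10077 both with a mail conflict and still enabled in AD after being terminated in HR; the second finding is the kind of error that makes a dirty directory a security problem, not just a data-quality one.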


Comments

Corbin Links

Hi Luther,

Great article! It encapsulates many of the issues and concerns related to directory consolidation and data scrubbing. Another issue I would add is the "political factor." Each organizational silo tends to see its own directory(ies) as the most important, or the "definitive book of record."

Having been through the "scrub and consolidate exercise" dozens of times, I often recommend that organizations not even *try* to scrub out all of their directories any more. As you say, the costs, staff, and political costs generally outweigh any tangible benefit. Likewise, the virtual directory, or meta directory approaches each have their weaknesses, cost, staff, political, and sponsorship requirements.

Instead, one suggestion is to go after the "field of green." Target the newer technology initiatives within the organization. The newer technology platforms, especially anything .NET, J2EE or web services based, support highly flexible identity models. In fact, chances are good that the newer the application, the more relevant it is to how the business relates with its customers, partners, vendors, and suppliers than the legacy directories of a few years ago. Build a brand new directory, one that has no political baggage and is preferably free (Sun OpenDS, OpenLDAP, existing clean instances of Active Directory, etc.). In the new directory, build identity models relevant to where the organization is today, and where it is going tomorrow. Then, make it consumable to the greenfield applications and, where necessary, pull attributes from other sources. But (and this is really important) don't base the new design on anything existing, just for the sake of reuse. This will only perpetuate the existing data quality challenges.

Thanks again for a great article!

Best regards,
-Corbin
