Foreword
The migration of sociability, business, entertainment, and other activities from the physical world to the virtual world of the Internet has dramatic implications on many fronts. The societal mores, legal structures, and commonly accepted business practices that govern everyday life in the physical world have evolved over thousands of years, and that evolution continues every day. But now we're in the process of translating those structures to the Internet, creating a new place where people can interact. That "place" is radically different from the physical world, one where networked applications combine with ubiquitous connectivity to free transactions, communications, and other activities from physical constraints, thus, creating an entirely new set of requirements.
When it comes to enabling a truly virtual world that can accommodate the breadth and depth of human endeavor, nothing is more important than identity. On the Internet, movement is instantaneous. People, applications, transactions, and data can cross many types of borders via many different paths. At the same time, the security issues associated with a very public and virtual space have become painfully clear as spam, phishing attacks, fraud, and identity theft have become all too common.
Digital identity is the keystone that will ensure that the Internet infrastructure is strong enough to meet basic expectations for not just service and functionality, but security, privacy, and reliability. That fact is becoming more and more obvious to more and more people every day. But as the Zen master once said, knowing the path and walking the path are two very different things.
How we create, use, store, and verify identity in the Internet context is a complex question, one that transcends both the public and private sectors, and every conceivable business. It raises a large number of thorny issues for society and individuals (not the least of which is privacy), corporations (including the regulation of core operations), and governments (laws, regulations, international treaties). The manner in which these issues are resolved will have a long-term impact on all segments of society and will determine what forms of digital identity will first augment, and then (at least potentially) replace the "official" and "trusted" manifestations of identity on which the physical world relies today. That change will take years, extending past the end of the current decade, involving societal, cultural, business, and political efforts.
How much control individuals will be able to take, or will want to take, over their digital identity is the subject of intense debate, for example. Pessimists predict that the intersection of government and commerce will create a surveillance state, one that will make privacy an artifact of the past. Optimists predict the liberation of the individual from both corporate and government control through the use of identity technologies that will put the individual in charge, inverting the traditional relationship between "consumers" and "service providers." That debate will continue for the foreseeable future as unfolding events pull us in both directions.
Today, much of the activity around digital identity is business-focused. The pressure to compete in a networked world while simultaneously reducing costs is driving companies to integrate business processes and information technology on an increasing scale. Many enterprises are creating inward- and outward-facing systems that tie employees, customers, partners, suppliers, contractors, and other constituents into their business processes, for example. Instead of thinking about individual applications, enterprise IT architects must consider end-to-end business processes that span many boundaries, and how they can integrate the components of IT to support them. These trends are causing wholesale change in IT architectures, moving them to what we at Burton Group call "the virtual enterprise."
The move to the virtual enterprise brings with it new security risks. These risks, along with the rapidly increasing number of regulations, both in North America and the European Union, are driving the need for new security models. Simply put, the traditional exclusionary security model (perimeter-based systems focused on keeping bad people out of the network) is not sufficient to protect the virtual enterprise. Today, businesses must augment exclusionary security with an inclusionary security model, one capable of explicitly determining, through policy, who can access the applications and data that support core business processes.
Such inclusionary models are unattainable without identity management. Identity must become persistent through the continuum of any given business process, spanning not just multiple applications, but also multiple organizations. Only then can identity provide the predicates for corporate governance, security, regulatory compliance, risk and liability management, and other core business functions.
For most enterprises, identity management is not easy. In fact, most enterprises' identity management processes are poor, a fact that internal and external audits make painfully clear. Historically, enterprises have treated the symptoms of the identity management problem with point solutions. But Internet-scale identity management requires an integrated set of infrastructure services that enable a holistic approach to defining and managing identity. This sophisticated array of tools includes directory services, rules-based user provisioning, delegated administration, and self-service administration for passwords or other attributes. General-purpose, strong authentication systems, along with good credential management, are also core components of better identity management. Beyond authentication, enterprises must link applications to access management systems across a variety of operating systems, applications, and web-based single sign-on (SSO) products, making policy management yet another important part of the system.
Effective identity management also requires a new approach to systems integration and interoperability. Previous efforts to solve the identity problem (such as X.509-based, public-key infrastructure) attempted to achieve interoperability through symmetry and homogeneity. But federation has recently emerged as a new and more effective approach to enabling interoperability between security domains. Emerging federation standards rely heavily on the loosely coupled web services architecture, which in turn relies heavily on the eXtensible Markup Language (XML). Both the web services framework and interoperable identity are evolving along similar architectural lines for obvious reasons. While the web services framework enables the virtual enterprise, identity management secures it. So it's quite necessary for them to share architectural underpinnings.
The web services framework has, in essence, begun to create a standard software "communications bus" in support of service-oriented architecture. Applications and services can "plug in" to the bus and begin communicating using standard tools. The emergence of this "bus" has profound implications for identity exchange. Just as application and transactional data will flow across that bus, identity data will flow over that bus. And within service-oriented architectures, identity will become a core service.
The combination of web services and federated identity management has enormous potential; however, we have only just begun a long but inevitable transition to such a full-scale identity management infrastructure. And technology alone will not enable it. Regulations, laws, policies, and other mechanisms must evolve, both nationally and internationally, to create the context and boundaries for the acceptable use and management of identity. Likewise, business models for federating identity, including liability, risk management, and workable governance models, must evolve.