Business Driven Identity Management

This article appeared as my column for Connect Magazine in November 2003.

I recently had the opportunity to sit with a group of CIOs and others involved in managing information technology and discuss digital identity. What struck me was how much of the conversation was about security and liability rather than identity and opportunity.

In his book, "The Age of Access," Jeremy Rifkin argues that economic shifts over the last several decades have given rise to a regime where anonymous transactions are nearly impossible. In a service-based economy, digital identity matters; I have to know who you are in order to sell you access to my service. Since these services are increasingly delivered over digital networks, businesses need reliable, secure, and private means for creating, storing, transferring, and using digital identities. Understanding how your organization will manage and use digital identity is a crucial part of your business strategy.

In addition to identifying customers so that you can sell them services, businesses have an increasing need to identify employees, systems, resources, and services in a systematic way to create business agility and ensure the security of business assets.

In the past people have thought of security as an edge game. Given a firewall and access control to the network, we can do a reasonable job securing a business. However, the economic shifts spoken of above have driven the need to integrate systems, not only internally, but with trading partners and customers as well. This has been fueled by XML and the creation of standards for exchanging data and the increasing trend to decentralized computing embodied in Web services. This trend has a huge ramification for business security: we can no longer treat the edges of the network as a secure perimeter.

When integration is driven by business, rather than IT needs, security policies need to talk about documents, data, actions, people, and corporations instead of machines and networks. This security model is infinitely more complex than the old "secure perimeter" model. But even if you define your policy, how do you ensure that it is properly implemented across dozens or even hundreds of systems and at the same time control access to fields of a database or paragraphs of a document?

Digital identity can be discussed in the context of a set of concepts that provide a framework for addressing these issues:

  • Integrity and non-repudiation
  • Confidentiality
  • Authentication and authorization
  • Identity provisioning
  • Authorization policy representation and management

The most significant challenge in each of these areas is interoperability. The goal is to build an enterprise-wide identity system, even one that federates outside the enterprise.

To that end, there are a number of standards bodies working to build a common foundation in these areas. Standards allow vendors to build products that will work in a wide variety of circumstances and free IT shops from building custom solutions for each integration project. Here are a few standards that address the concepts from the last paragraph and will help make business-driven identity management possible:

  • XML Signature defines how organizations can sign XML documents in a standardized way.
  • XML Encryption defines how XML documents can be encrypted to maintain confidentiality. This is especially important when we can't rely on a secure perimeter.
  • SAML (Security Assertion Mark-up Language) is a standard for exchanging authentication and authorization information. When the enterprise is federating identity internally and externally, this is a key technology.
  • SPML (Security Provisioning Mark-up Language) is a language for managing identity provisioning. Automating the addition of users and authorizations to individual systems is critical to the success of a business-driven identity management strategy.
  • XACML (eXtensible Access Control Mark-up Language) creates a standard way for access control policies to be expressed and exchanged. An organization can use XACML to describe its authentication and authorization policies in business terms, and XACML-aware applications would automatically apply that policy to their transactions.

These standards are in various stages of use or development. My weblog contains more information about each of them.

Creating a Digital Identity Strategy

None of these protocols will do you any good without a good digital identity strategy. A digital identity strategy is a long-term plan that models how identity information will be used by your business, taking into account the key stakeholders in identity: your partners, customers, and employees. There are several important steps:

1. Creating an enterprise information architecture (EIA) to determine the business context for your strategy,
2. Determining which standards your organization will need to support,
3. Developing an authentication and authorization policy consistent with the EIA,
4. Planning and implementing enterprise directory services and other infrastructure necessary to support your policies, and
5. Publishing a privacy policy based on the authentication and authorization policy along with relevant laws and stakeholder expectations.

Enterprises that implement an identity management strategy stand to reap significant benefits. Among these are a consistent and systematic approach to customers, improved security for corporate applications and information, lower user administration costs, and better compliance with internal and external policies.

Digital identity has the potential to be an asset to your business and one of your most crucial pieces of infrastructure. Having good identity systems enables other strategic relationships with stakeholders. Building a workable digital identity strategy is considerable work, but if you neglect it, rather than being an asset, issues of identity will be a constant source of worry and a roadblock to your strategic initiatives.

Phillip J. Windley, the former CIO of Utah, is an information technology writer, speaker, and consultant. Windley is writing a book on digital identity and writes a weblog on enterprise computing at Contact him at

Last Modified: Friday, 31-Dec-2004 21:31:10 UTC