Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Tuesday, August 7, 2007

More on the “Enterprise Identity Census” Service …

In a previous post I discussed why enterprises need to keep track of their “digital identity assets”, and some related issues. I shared some thoughts about two “next-generation identity services” that could help improve the current situation: the “Enterprise Identity Registry” Service and the “IdM Risk Management Service”.

Here are some additional thoughts about the “Enterprise Identity Registry” Service. Actually, a better name for this service could be “Enterprise Identity Census” Service or “Enterprise Identity Tracing” Service …

As anticipated, this service aims to be a secure, comprehensive “registry” of all the data repositories within an enterprise that contain digital identity information. The goal of this service is to improve “identity data governance” by ensuring that the enterprise knows, in a centralised way, where collected “identity data” is stored, and can reason on top of that knowledge in terms of risks and potential threats. Registered data repositories could be of any type, including RDBMS databases, LDAP directories, meta/virtual directories, files, etc.

Whilst this service does not aim to store any personal data, it nevertheless provides “meta-information” about the related data repositories and their content. For each “registered” data repository, the associated metadata includes the types of identity data stored, the reasons/purposes for collecting this data, the owner(s) of the data repository, the people who are accountable and responsible for it, and any related policy (e.g. deletion policies, privacy obligations, etc.).

How can this “Identity Service” be made relevant in an enterprise? How can we ensure that it is going to be populated and kept up-to-date? I envisage a hybrid approach involving:
  • Definition of enterprise policies and guidelines asking employees who manage/copy/deal with identity information to register information about the related “data repositories”, for example via a web portal. Doing this would be part of the “good ethical” behaviour each employee has to comply with, alongside the enterprise security and privacy guidelines;
  • Deployment of an automated discovery solution that searches the enterprise intranet for various types of “data repositories”, checks them against the (already) registered locations and potentially triggers alerts. This area is particularly interesting from an R&D perspective because of the hard problems to be solved, such as how to “characterise” potential “targets” during the search, and how to minimise both “false positives” and the set of missed targets.
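To make the two halves of this hybrid approach concrete, here is a small added example (my own illustration for this post, not an existing HP Labs component) of what the census could look like in code: a registry that stores only governance metadata per repository, rejects registrations with missing owner/purpose information, and a reconciliation step that compares locations found by an automated scan against the registered ones, raising alerts for unregistered finds and for registered repositories the scan no longer sees. Repository locations are normalised first, which removes one easy source of false positives (the same directory spelled with different letter case or a trailing slash). All class names, repository URIs and people names are constructed for the example.

```python
"""Toy model of an 'Enterprise Identity Census' registry (constructed example).

The registry holds metadata about repositories that contain identity data;
it never holds the identity data itself. A reconciliation step compares
repositories found by an automated scan with the registered ones.
"""
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit, urlunsplit


class RepoType(Enum):
    RDBMS = "rdbms"
    LDAP = "ldap"
    META_DIRECTORY = "meta-directory"
    FILE = "file"


@dataclass
class RegistryEntry:
    """Governance metadata for one registered repository (no personal data)."""
    location: str            # URI of the repository, e.g. ldap://host/ou=people
    repo_type: RepoType
    identity_data_types: set  # e.g. {"name", "email", "employee-id"}
    purposes: set             # why the data was collected
    owners: list              # owning team(s)
    accountable: list         # people accountable for the repository
    responsible: list         # people responsible for day-to-day handling
    policies: dict = field(default_factory=dict)  # e.g. {"retention": "..."}


def normalise_location(uri: str) -> str:
    """Canonical form of a repository URI so that trivially different spellings
    of the same location compare equal: scheme and host are lower-cased (they
    are case-insensitive), the path keeps its case, trailing slashes are dropped."""
    parts = urlsplit(uri.strip())
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path,
                       parts.query, ""))


class IdentityCensus:
    # Metadata that must be present before a repository can be registered.
    REQUIRED = ("owners", "accountable", "purposes", "identity_data_types")

    def __init__(self):
        self._entries = {}  # normalised location -> RegistryEntry

    def register(self, entry: RegistryEntry) -> None:
        """Store an entry, refusing it if governance metadata is missing."""
        missing = [f for f in self.REQUIRED if not getattr(entry, f)]
        if missing:
            raise ValueError(f"{entry.location}: missing {', '.join(missing)}")
        self._entries[normalise_location(entry.location)] = entry

    def reconcile(self, discovered) -> dict:
        """Compare scan results with the registry and return two alert lists:
        repositories found but never registered (need an owner and a purpose),
        and registered repositories the scan did not find (stale or moved)."""
        found = {normalise_location(u) for u in discovered}
        registered = set(self._entries)
        return {
            "unregistered": sorted(found - registered),
            "not_found": sorted(registered - found),
        }

    def without_policy(self, policy: str) -> list:
        """Registered repositories that lack a given policy, e.g. 'retention'."""
        return sorted(loc for loc, e in self._entries.items()
                      if policy not in e.policies)


def sample_census() -> IdentityCensus:
    """Build a census with three constructed registrations."""
    census = IdentityCensus()
    census.register(RegistryEntry(
        location="LDAP://Dir.Corp.Example/ou=People/", repo_type=RepoType.LDAP,
        identity_data_types={"name", "email", "employee-id"},
        purposes={"authentication"}, owners=["it-identity"],
        accountable=["alice"], responsible=["dir-admins"],
        policies={"retention": "delete 90 days after contract end"}))
    census.register(RegistryEntry(
        location="postgresql://hrdb.corp.example:5432/payroll",
        repo_type=RepoType.RDBMS, identity_data_types={"name", "bank-account"},
        purposes={"payroll"}, owners=["hr-systems"], accountable=["bob"],
        responsible=["dba-team"]))  # no retention policy registered yet
    census.register(RegistryEntry(
        location="file:///srv/hr/export.csv", repo_type=RepoType.FILE,
        identity_data_types={"name", "email"}, purposes={"reporting"},
        owners=["hr-analytics"], accountable=["carol"], responsible=["carol"],
        policies={"retention": "delete after quarterly report"}))
    return census


# Constructed output of an automated discovery run: two known repositories
# (one spelled differently), one unregistered share, and the CSV export absent.
SAMPLE_DISCOVERED = [
    "ldap://dir.corp.example/ou=People",
    "postgresql://hrdb.corp.example:5432/payroll",
    "smb://fileserver.corp.example/shares/hr-backup",
]

if __name__ == "__main__":
    census = sample_census()
    print(census.reconcile(SAMPLE_DISCOVERED))
    print("no retention policy:", census.without_policy("retention"))
```

The reconciliation output is where the two halves meet: an “unregistered” alert is a prompt for the portal-based registration the first bullet describes, while a “not_found” alert flags a registry entry that may be stale. The `without_policy` query shows the kind of reasoning the census enables once the metadata exists, here listing repositories that hold identity data but have no registered deletion policy.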

I am continuing to research this. Your comments and thoughts are welcome …
