Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Friday, August 3, 2007

Next-Generation Identity Services: “Enterprise Identity Registry” and “IdM Risk Management” Services

Medium-large enterprises face the problem of how to track their “digital identity assets”. It is easy to lose track of this data: identity information (about employees, customers, business partners, contacts, etc.) is often collected by different groups and organisations within an enterprise to satisfy business objectives. Copies of (part of) this personal data can be made by employees, salesmen, etc. on their personal systems to simplify their work and avoid connectivity issues whilst travelling. Quite often, these teams and people operate in isolation. There is usually “local knowledge” of what happens but little awareness and coordination at a centralised enterprise level. This can create inconsistencies, data redundancies and uncontrolled data proliferation – without meeting security and privacy policy requirements: this has serious implications in terms of lack of data control and governance, identity theft, etc.

I see the opportunity for researching and developing new Enterprise Identity Services that could help address some of these issues. In particular:

1) Enterprise Identity Registry Service: this service, available within the enterprise (and, to some degree, to business partners and customers), provides a centralised, enterprise-based “registry” keeping track of:

  • Where identity information is stored (i.e. data repository locations, their properties, etc.);
  • Which type of information is stored (*not* the actual information, just the kind of data);
  • Purposes and reasons for storing data, along with related policies;
  • Type of security and privacy capabilities of the data repository;
  • Who is responsible and accountable; etc.

It is important to notice that this service *does not* store any personal data or information, just knowledge about its existence across the enterprise. Advanced versions of this service would have “event monitoring” functionalities on registered data repositories (to identify potential anomalies or suspicious activities) and “alerting” capabilities;

2) IdM Risk Management Service: this service, to be used by CIOs, privacy/security officers, business people and employees involved in the management/access/usage of personal data, leverages “decision support” capabilities to assess the risks of dealing with identity information (for example when creating new identity repositories, copying information, developing applications/services accessing data, etc.) and suggests “risk mitigation” steps. This service would be based (among others) on metrics and information gathered from the “Enterprise Identity Registry”, a model of the data and related policies, and a knowledge-base of risks and suggested mitigation steps.
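To make the two services concrete, here is a small added illustration (my own sketch for this post, not an HP product or code): a registry that holds only metadata about where identity data lives, and a risk check that scores a proposed new repository or copy against the registry and a tiny rule base. The repository names, data categories, rule weights and thresholds are all hypothetical and constructed for the example.

```python
"""Added illustration: a minimal Enterprise Identity Registry plus an IdM risk
check.  The registry never stores personal data, only knowledge about it.
All names, rules and weights are hypothetical, constructed for this example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Data categories the hypothetical policy treats as sensitive (constructed).
SENSITIVE_KINDS = frozenset({"salary", "health", "national_id", "payment_card"})


@dataclass(frozen=True)
class RepositoryRecord:
    """One registry entry: knowledge *about* a data store, not its contents."""
    name: str
    location: str                  # system or device holding the data
    data_kinds: FrozenSet[str]     # categories only, e.g. "email", "salary"
    purpose: str                   # business reason for holding the data
    owner: str                     # accountable person/role; "" means nobody
    encrypted_at_rest: bool
    access_controlled: bool
    personal_device: bool = False  # copy kept on an employee's own machine


class IdentityRegistry:
    """Central index of repositories; lookups feed the risk service."""

    def __init__(self) -> None:
        self._records: Dict[str, RepositoryRecord] = {}

    def register(self, rec: RepositoryRecord) -> None:
        if rec.name in self._records:
            raise ValueError(f"repository {rec.name!r} already registered")
        self._records[rec.name] = rec

    def records(self) -> List[RepositoryRecord]:
        return list(self._records.values())

    def holding(self, kind: str) -> List[str]:
        """Names of every registered store that holds a given data category."""
        return [r.name for r in self._records.values() if kind in r.data_kinds]


def assess_risk(registry: IdentityRegistry,
                proposal: RepositoryRecord) -> Tuple[int, str, List[str]]:
    """Score a proposed repository/copy. Returns (score, level, mitigations)."""
    sensitive = proposal.data_kinds & SENSITIVE_KINDS
    # Hypothetical rule base: (condition, weight, suggested mitigation step).
    rules = [
        (bool(sensitive) and not proposal.encrypted_at_rest, 5,
         f"encrypt at rest: holds sensitive kinds {sorted(sensitive)}"),
        (not proposal.owner, 3,
         "assign an accountable owner before the store goes live"),
        (proposal.personal_device and bool(sensitive), 4,
         "do not copy sensitive data to personal devices; use remote access"),
        (not proposal.access_controlled, 2,
         "put the store behind access control and audit logging"),
    ]
    # Redundancy check against the registry: same purpose, same data already held.
    duplicates = [r.name for r in registry.records()
                  if r.purpose == proposal.purpose
                  and r.data_kinds >= proposal.data_kinds]
    rules.append((bool(duplicates), 2,
                  f"data already held for this purpose in {duplicates}; "
                  "reuse it instead of creating a copy"))

    score = sum(w for hit, w, _ in rules if hit)
    mitigations = [m for hit, _, m in rules if hit]
    level = "high" if score >= 8 else "medium" if score >= 3 else "low"
    return score, level, mitigations


def build_sample_registry() -> IdentityRegistry:
    """Constructed sample: one well-governed HR master store."""
    reg = IdentityRegistry()
    reg.register(RepositoryRecord(
        name="hr-master", location="hr-db.corp.example",
        data_kinds=frozenset({"name", "email", "salary", "national_id"}),
        purpose="payroll", owner="HR Director",
        encrypted_at_rest=True, access_controlled=True))
    return reg


# Constructed proposals: an uncontrolled laptop copy vs. a governed mailing list.
LAPTOP_COPY = RepositoryRecord(
    name="payroll-laptop-copy", location="laptop-0042",
    data_kinds=frozenset({"name", "email", "salary"}), purpose="payroll",
    owner="", encrypted_at_rest=False, access_controlled=False,
    personal_device=True)
NEWSLETTER = RepositoryRecord(
    name="newsletter-list", location="crm.corp.example",
    data_kinds=frozenset({"email"}), purpose="marketing",
    owner="Marketing Lead", encrypted_at_rest=True, access_controlled=True)

if __name__ == "__main__":
    registry = build_sample_registry()
    for proposal in (LAPTOP_COPY, NEWSLETTER):
        score, level, steps = assess_risk(registry, proposal)
        print(f"{proposal.name}: score={score} level={level}")
        for step in steps:
            print("  -", step)
```

The point of the split is that the registry answers “where is salary data held?” without ever seeing a salary figure, while the risk service combines that index with policy rules: the laptop copy is flagged high because it duplicates data the HR store already holds for the same purpose, sits on a personal device, has no owner and no protection, whereas the governed mailing list scores zero.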

To become a valuable service for the enterprise, the “Enterprise Identity Registry” has to be populated, kept up-to-date and properly secured (otherwise, it could itself become a target of attacks …). Part of this can be achieved by educating employees (and enforcing responsibilities and accountability); part of it could potentially be automated. Similarly, the “IdM Risk Management Service” needs its knowledge-base, metrics and policies kept up-to-date to remain useful and valuable.

Some of the emerging enterprise ITIL initiatives and the Web 2.0, social networking and collective knowledge trends can be used to achieve some of these goals and develop related solutions. I will expand on these concepts and my thoughts in future posts – as I keep researching and exploring this space, collecting requirements and assessing the actual business value and related interest.

What do you think about these types of Identity Services? Would they be of real value to your organisations and work environments? Any comments?
