Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Monday, December 24, 2007

Identity Management 2007: A Year in Review

2007 is drawing to a close. This has been an interesting but also frustrating year for Identity Management. Here are some thoughts and highlights of what happened:
  • Consolidation of Identity Management in Enterprises: Identity Management has gone through further consolidation in enterprises. In my view, there has been no major news and there have been no major proposals in this space, apart from the maturation of IdM offerings in the space of “Auditing and Compliance Management”. In this context we also witnessed a growing interest in solutions in the space of Role Discovery/Mining and Role Management;
  • Federated Identity Management: solutions in the space of Federated Identity Management have further matured, with various proposals and options in both “client-driven” and “service-driven” scenarios. This includes Liberty Alliance and Web 2.0/Identity 2.0 solutions, such as Microsoft CardSpace, OpenID, Higgins, etc. Despite this, there is still confusion in the market about how to move forward, due to (partially) competing proposals, lack of critical mass (in terms of adoption) and weak business opportunities for Identity Providers;
  • Privacy Management: this has been another interesting year for privacy and privacy management. There is no doubt that privacy and privacy management are recognised as important aspects of identity management (and have strong backing from the legislative side). However, despite the increased number (and gravity) of identity thefts and “identity accidents”, still very few Identity Management suites provide integrated privacy management/enforcement solutions/capabilities. The current focus is still on auditing and compliance checking approaches (for the law compliance reasons mentioned above) that, in my view, only partially address the privacy problem. There has been a first step towards a more systemic Identity Governance Framework, with the IGF proposal (in the context of Liberty Alliance and Openliberty) putting privacy enforcement at the center of processes involving access to and manipulation of personal data;
  • Identity Management beyond Management of People’s Profiles: during 2007 we witnessed the first steps/attempts to extend “identity management” from the traditional, centralised management of people’s identity attributes (and their rights/permissions) to include the management of device/system identities, and to explore distributed/delegated approaches to the management of identities. This includes work done in the context of Liberty Alliance, with the Identity Capable Platform initiative, R&D done on device-based identity management, various initiatives involving Network-based Access Control (NAC) and attempts to integrate this with identity management solutions at higher levels of abstraction;
  • Business-driven Identity Management: I believe that 2007 has been the turning point in realising that Identity Management is not only about self-standing technological solutions but must also be considered in an overall business context and, as such, is a concern for strategic business decisions. Apart from the existing influence of legislation and laws, we also witnessed a growing interest in revisiting Identity Management in the context of ITIL (from a service management perspective) and Risk Management (from a security management perspective). Despite being at the beginning of a long evolution process, ITIL and Risk Management will impact and reshape Identity Management, at least in an enterprise context;
  • Identity as a Service: during 2007 we also witnessed the first steps towards “Identity as a Service”, driven by a growing interest, within enterprises, in SOA and Web 2.0. This area is just at the beginning: it is going to be interesting to explore and contribute to its development in the coming years.