http://blogs.sun.com/whoami/date/20090708 Wednesday July 08, 2009

Does identity matter, or role and attribute management?

Humans have struggled with knowing the identity of others ever since we started communicating with people outside our own small tribe or family.  We have used documents, passwords or passphrases, a known person vouching for an unknown person, shared knowledge of some fact or event, or biometrics to verify that someone is who they claim to be.  In some cases we simply trust the identity they give us.  It is the intentions of an individual, not their identity, that may affect our safety or security in personal or business life; we use an identity to make a judgement, based on past knowledge of that identity, about the likelihood that it will do us harm.  We may need to know who we are really dealing with in order to know whom to take to court if a contract is broken, whom to arrest if someone does something bad, or who is passing us critical information (battle plans or key business information), to name a few cases.  We may also want to know someone's identity when receiving critical instructions, like the formula for a nuclear bomb, or simply to know whom to credit for something said or accomplished.  In many cases, though, we do not care about identity at all; we care about capability.  I may not care who the guy is that helps fix my car by the side of the road.  I just want to know that he has the skills to fix it and not make matters worse.  When I sell my stuff on eBay I do not really care who the buyer is; all I care about is whether they can pay for it and how I deliver it to them.  One can easily see that we often care about capability, not truly about identity.  If I ask many of my personal friends for an identity they might say: which identity?  Do you want my Internet identity, my work identity, or the one I use on those .... sites?  The reality is that we each have only one identity, and many personas or aliases that we may project in the digital or physical world.
We may not want one group of contacts that knows one persona or alias to learn about another persona or alias we have.  A good example is a CIA, FBI, or police officer who is under cover.  Their true identity has never changed and will not change; only the persona they present changes.  For their job they portray themselves as someone else (they create a persona or alias) to blend in with a group of people who must not learn that they are a government agent.  Being a government agent is not their identity; it is a role tied to their identity that they want to hide, and to do so they create a new "identity" and a new role with characteristics that let them blend in with the person or group they want to get close to.  When we talk about identity in the digital world we are really tying attributes to an identity in order to gain access to some system or information.  These attributes might be CEO of the company, lead developer on a critical project, or payroll clerk, to name a few.  We then tie that function to an identity, a person, who then has access to a given set of resources to do their job.  So I see a few critical pieces here that I have talked about before:

1. Identity vetting.  This is the first point at which an individual creates a relationship that ties some identity to the person.  It can be as casual as them telling you their identity and you trusting it, or as thorough as full document gathering, a background investigation, and a lie detector test.
2. Tying that identity to some usable identification.  This could be as simple as a user name, a digital certificate, a biometric signature, or some unique identifier for the system.
3. Tying that identity to one or more attributes that map out which resources the identity should have access to.
4. Once these steps are taken, provisioning this information to grant access to systems or physical locations based on the attributes the identity has.

The big question is how you manage those identities and their roles across dispersed logical networks and physical access control systems (PACS).  This gets more complex as you add in the many changing roles an identity might have and the many changes in personnel or identities within a company.  A company will often have multiple systems storing employee information: an HR system for payroll, a PACS for physical access to buildings or rooms, email accounts, and the many IT systems an individual needs for their job functions.  Most companies are in no hurry to replace all of these with one big system that does it all, perhaps because there is no system that does it all, yet!  This requires some glue to bring them together and manage an identity from cradle to grave across all these systems.  Should that glue be the HR system, some IT system, or the PACS?  The identity problem can be solved in a few ways depending on the procedures and policies of a given company.  Part of the key is to have one identity but allow as many roles as that identity might have or need, granting access only to the systems, information, and physical spaces each role requires.  In the past it was often assumed that an individual would have access to all physical space and complete authority to do whatever they wanted or needed within the IT space on any system they were given access to.
Between downloaded applications without proper licensing and viruses and worms brought into the company, which have cost companies real money through lost productivity and fines, the practice of granting unrestricted access to systems has proven a bad security and business practice, and separation of duties has been preached by many for quite some time now.  This restriction of access to systems in many cases bleeds into the physical space as well.  An example where limited access to an IT system is critical is the HR system, which is usually limited to a few key people.  Roles within the system are limited as well, so an employee cannot give themselves a promotion and/or a pay raise.  So the question in our fast-paced environments is: how do we keep up with all of these systems and make sure that as people get promoted, change jobs, or move within a company, old access is closed and new access is opened based on their new role or function, keeping employees productive without jeopardizing corporate assets?  This is accomplished by standard interfaces between systems that let one application coordinate all of them and keep a master list of all identities.  Sun has been in the identity space for many years and has been a thought leader in identity management.  Sun's Java Enterprise Systems Identity Manager (http://www.sun.com/software/identity/) is that glue: the central workflow and a limited central store of identity attributes that can bring these systems, identities, and roles together.  Because identity is really all about access control and audit, the product not only manages the provisioning and de-provisioning of identities based on roles, it also audits access and checks it against policy to be sure that access privileges fit within corporate policy.  Think how this would help if you are asked to produce a list of who had access to what, and why.
The ability to audit access and corporate policy in one place is critical when going through an audit of who had access to what information and why.  As the number of systems grows, the cost of managing user accounts and the associated passwords across multiple systems increases, and automating their administration becomes more critical.  Sun has seen great cost savings from tying HR records on employees and their current roles, in an application like PeopleSoft, to IT provisioning and de-provisioning across all systems in a company's IT infrastructure.  The ability for a CEO to sign off, with an audit trail of who had access to critical systems, to meet the Sarbanes-Oxley Act of 2002 can by itself be reason enough to automate user access provisioning and de-provisioning.  In the end, automating the approval process for access to systems can lead to a more efficient workflow for granting users access to resources.  Defining roles and the proper access for those roles then helps a company shorten the time it takes a new user to become productive, and helps security by defining a well-thought-out set of resources a given role needs, so that extra access that does not support a person's role can be removed or denied.
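As an added example (not code from the original post, and not Sun Identity Manager's own code or API), the following Python sketch models the pieces discussed above: one identity carrying several roles, a role-to-entitlement catalogue spanning an HR system, a PACS, email and developer tooling, a joiner/mover/leaver change that computes which entitlements to grant and which to revoke, a separation-of-duties rule that refuses to let a payroll clerk also be the payroll approver, a reconciliation step that compares what a target system actually reports against what the roles justify, and an audit report that records which role justifies each entitlement.  Every system name, role, entitlement and person in it is an assumption made up for the example.

```python
"""Role-based provisioning, separation of duties and audit across several
systems.  Added example; not code from the original post or from Sun Identity
Manager.  Every system, role, entitlement and person below is constructed."""
from dataclasses import dataclass, field

# Role -> set of (system, entitlement) pairs the role justifies.  Constructed.
ROLE_ENTITLEMENTS = {
    "employee":         {("email", "mailbox"), ("pacs", "lobby"), ("intranet", "read")},
    "payroll-clerk":    {("hr", "payroll-edit"), ("pacs", "finance-floor")},
    "payroll-approver": {("hr", "payroll-approve"), ("pacs", "finance-floor")},
    "developer":        {("scm", "commit"), ("build", "run"), ("pacs", "lab")},
    "hr-admin":         {("hr", "records-edit")},
}

# Separation-of-duty rules: role pairs one identity may never hold at once.
SOD_CONFLICTS = [
    ("payroll-clerk", "payroll-approver"),  # enter a pay change and approve it
]


@dataclass
class Identity:
    uid: str                       # the one identity; system accounts hang off it
    roles: set = field(default_factory=set)


def entitlements_for(roles):
    """Map a role set to {(system, entitlement): {granting roles}} so an
    audit can answer not just 'who has what' but 'why'."""
    out = {}
    for role in roles:
        for ent in ROLE_ENTITLEMENTS.get(role, ()):
            out.setdefault(ent, set()).add(role)
    return out


def sod_violations(roles):
    """Return every SoD pair that is fully present in the role set."""
    return [pair for pair in SOD_CONFLICTS if pair[0] in roles and pair[1] in roles]


def plan_change(current_roles, new_roles):
    """Provisioning diff for a joiner/mover/leaver event: (grants, revokes)."""
    before = set(entitlements_for(current_roles))
    after = set(entitlements_for(new_roles))
    return after - before, before - after


def apply_change(identity, new_roles):
    """Refuse role sets that violate SoD; otherwise record the new roles and
    return the actions a connector layer would push to each target system."""
    conflicts = sod_violations(new_roles)
    if conflicts:
        raise ValueError(f"SoD violation for {identity.uid}: {conflicts}")
    grants, revokes = plan_change(identity.roles, new_roles)
    identity.roles = set(new_roles)
    return grants, revokes


def reconcile(identity, system, observed):
    """Compare the entitlements one target system reports for this uid with
    what the roles justify there.  Returns (orphaned, missing): orphaned
    access should be revoked, missing access means provisioning failed."""
    justified = {ent for (sys_, ent) in entitlements_for(identity.roles) if sys_ == system}
    return observed - justified, justified - observed


def audit_report(identities):
    """Rows of (uid, system, entitlement, justifying roles), sorted per uid."""
    rows = []
    for ident in identities:
        for (system, ent), roles in sorted(entitlements_for(ident.roles).items()):
            rows.append((ident.uid, system, ent, ",".join(sorted(roles))))
    return rows


if __name__ == "__main__":
    alice = Identity("alice")
    print("join:", apply_change(alice, {"employee", "payroll-clerk"}))
    print("move:", apply_change(alice, {"employee", "developer"}))
    try:
        apply_change(alice, {"employee", "payroll-clerk", "payroll-approver"})
    except ValueError as e:
        print("refused:", e)
    # What the SCM system says it holds for alice (constructed data).
    print("reconcile scm:", reconcile(alice, "scm", {"commit", "admin"}))
    for row in audit_report([alice]):
        print(*row)
    print("leave:", apply_change(alice, set()))
```

The move from payroll clerk to developer revokes the HR payroll entitlement and the finance-floor door, because no remaining role justifies them, while the lobby door and mailbox survive since the employee role still grants them; reconciliation then surfaces an SCM admin right nobody's role justifies, which is exactly the orphaned access a "who has what and why" audit is meant to catch.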
