Identity management in a big organisation

[Dave Birch] Sounds like the identity management business is a good place to be. The market has lots of issues — privacy and compatibility issues, high initial investment, and troubles in management — that are holding it back, but even so the investments ought to generate a good return because of increased security, restricted unauthorized access to information and time saving. Thus a 7%+ CAGR is forecast 2007-2011. Within this, the hardware token authentication market will grow faster (11%) until 2009. All good news for us, but how will organisations make it pay?

Technorati Tags: business, identity, management

One suggestion to proritise amongst the four main benefits and deploy accordingly. In this example the four main benefits are given as:

• Cost Reduction.
• Improved Security.
• Achieving Compliance.
• Improving Efficiency through Automation.

This seems a reasonable list. But how does the real world work out? There was a quote about this in Government Executive from a guy who said

We’ve had the new cards for over a year, and not a single user ID or password has been eliminated. You now must have the card so you can unlock the computer so you can even GET to the programs that need user ID’s and passwords. And you must use another PIN with the card. In other words, it’s just another layer.

Who doesn’t recognise this syndrome? Instead of identity infrastructure shaping the business processes above and making like very fundamentally easier for everyone, it add complexity and inconvenience. This isn’t what we want.

When the big organisation is a government, it’s even more difficult get real change. And a government is a big ecology, with lots of stakeholders. It may be that identity isn’t unusual in that it doesn’t deliver maximum benefit until the ecology has evolved, which may take some time, but there are certainly plenty of identity-related examples to look at. In Mumbai, the state government introduced a smart driver’s licence but did not procure smart card readers for (eg) the police. So the cards are just another “layer” and there’s no cost reduction, better security, improved efficiency or anything else. The same, as an aside, is true in Malaysia where ID cards have no ecology. The police insist on drivers producing conventional driving licences because officers don’t have MyKad readers.

An identity infrastructure, I think, ought result in change throughout an organisation and enabled new ways of doing business, better processes, more efficient systems. I was reading about the idea of making a virtual data centre for banks. As James Gardner observes here

As we’re a bank, the payback for lending that money [to someone else to build the data centre[ has a much better return for us than buying servers and racks.

He goes on to note that the Internet can be as secure as a private network with encryption. This is true: I’d probably push a little further and say that a proper digital identity infrastructure would mean that the security or otherwise of the network would become irrelevant (since all of the security would be pushed off the edge of the network) so that the distinction between internet, extranet and intranet would simply become a matter of which virtual identity is communicating with which over virtual identity. Hiring someone will simply mean creating an employee virtual identity from an existing digital identity and, conversely, firing someone will mean not re-issuing their access credentials.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]