Phil Becker has written an interesting series of articles about the top 5 fallacies which appear and reappear in identity discussions, technologies and deployments. It makes for pretty interesting reading, so check it out at the Digital ID World Blogs. I wanted to comment on fallacy #3: Centralized Management Means Centralized
In his article, Phil argues that current identity management projects preach centralization of identity data in an effort to gain centralized management and control. The fluid nature of identity, and the way in which its daily management is distributed (delegated) among different entities in an enterprise, means that centralization efforts will be doomed to suffer from ineffectiveness and failure since they are in essence at odds with the realities of the business.
I agree with Phil on this point when one considers centralization of identity data for operational purposes. However, I will draw a distinction between centralization and aggregation of identity data. Centralization tries to promote a reference model, fundamentally changing the operation of the distributed enterprise. Aggregation is not as invasive; it is more an ETL operation aimed at creating a centralized view of the enterprise, without taking over the day-to-day management of the data.
Aggregation of data is necessary for specific types of management applications that need centralized infrastructure. Two big use cases very popular right now are driven by compliance needs: attestation (aka recertification), which I have touched upon in previous posts, and enterprise-wide SoD (separation of duties) enforcement.
A complex application like attestation cannot succeed in a virtualized environment. There are technical reasons for this: pulling the distributed data together on demand, in the form the application needs, is not practical, no matter how advanced virtualization gets. There are also business reasons: attestation requires temporal integrity of the data (every reviewer must be signing off on the same point-in-time view), which cannot be guaranteed in a distributed environment. So data aggregation will occur. Enterprise-wide SoD, which crosses many of the boundaries that the distributed environment has, also requires some measure of aggregation in order to be practically achievable, since a conflict between an entitlement in one system and an entitlement in another is invisible to either system on its own.
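To make the aggregation argument concrete, here is an added example (my own illustration, not code from Phil's article or from any product) of the two compliance use cases above running over an aggregated view. It assumes hypothetical per-system extracts (an ERP and a banking application, plus an HR feed for the manager of record), a constructed SoD rule set, and a timestamped snapshot so that the attestation worklist and the SoD check both operate on one consistent point in time. The cross-system rule shows why a per-system check is not enough: restricting the check to a single system silently misses the conflict.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample extracts. Each list is what one separately managed
# system would report; the users, roles and systems are hypothetical.
ENTITLEMENT_EXTRACTS = {
    "erp": [
        {"user": "alice", "role": "AP_INVOICE_ENTRY"},
        {"user": "bob", "role": "AP_INVOICE_ENTRY"},
        {"user": "bob", "role": "VENDOR_MAINTAIN"},
        {"user": "carol", "role": "GL_VIEW"},
    ],
    "banking": [
        {"user": "alice", "role": "WIRE_APPROVER"},
        {"user": "carol", "role": "WIRE_VIEW"},
    ],
}
# HR feed: user -> manager of record (constructed).
HR_EXTRACT = {"alice": "dave", "bob": "dave", "carol": "erin"}

# Toxic combinations as sets of (system, role). The first rule spans two
# systems; the second lives entirely inside the ERP. Both are constructed.
SOD_RULES = [
    frozenset({("erp", "AP_INVOICE_ENTRY"), ("banking", "WIRE_APPROVER")}),
    frozenset({("erp", "AP_INVOICE_ENTRY"), ("erp", "VENDOR_MAINTAIN")}),
]


@dataclass(frozen=True)
class Snapshot:
    """Point-in-time aggregated view: the basis for temporal integrity."""
    taken_at: datetime
    entitlements: dict  # user -> frozenset of (system, role)


def aggregate(extracts, taken_at):
    """ETL step: merge per-system extracts into one view keyed by user.
    Source systems keep managing their own data; only the view is central."""
    merged = {}
    for system, rows in extracts.items():
        for row in rows:
            merged.setdefault(row["user"], set()).add((system, row["role"]))
    return Snapshot(taken_at, {u: frozenset(s) for u, s in merged.items()})


def find_sod_violations(snapshot, rules, systems=None):
    """Return (user, rule) pairs where every entitlement in a rule is held.
    If `systems` is given, only entitlements from those systems are visible,
    which simulates a check that never left a single system."""
    hits = []
    for user, ents in sorted(snapshot.entitlements.items()):
        visible = ents if systems is None else frozenset(
            e for e in ents if e[0] in systems)
        for rule in rules:
            if rule <= visible:
                hits.append((user, rule))
    return hits


def attestation_worklist(snapshot, hr):
    """Group each user's entitlements under their manager of record so every
    reviewer certifies the same snapshot (identified by snapshot.taken_at)."""
    per_manager = {}
    for user, ents in snapshot.entitlements.items():
        manager = hr.get(user, "<no manager on record>")
        per_manager.setdefault(manager, []).append((user, sorted(ents)))
    return {m: sorted(items) for m, items in per_manager.items()}


if __name__ == "__main__":
    snap = aggregate(ENTITLEMENT_EXTRACTS, datetime.now(timezone.utc))
    print("Snapshot taken at", snap.taken_at.isoformat())
    for user, rule in find_sod_violations(snap, SOD_RULES):
        print("SoD violation:", user, sorted(rule))
    print("Missed with ERP-only view:",
          len(find_sod_violations(snap, SOD_RULES))
          - len(find_sod_violations(snap, SOD_RULES, systems={"erp"})))
    for manager, items in attestation_worklist(snap, HR_EXTRACT).items():
        print(f"Attestation for {manager}:", items)
```

The `systems` parameter exists purely to demonstrate the gap: with the full aggregated view both violations surface, while an ERP-only view finds only the intra-ERP conflict and never sees that the same person can both enter invoices and approve wires.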
Phil says “The shift from a directory-centric view of identity management to a provisioning-centric view of identity management is the first step down this road”. Provisioning systems provide a single, standardized mechanism by which the flow of identity data into the enterprise starts.