Thursday, September 11, 2008


Are vendors distorting the value of identity management?

A couple of days back, I asked the question of whether identity management is overhyped. Today, I will comment on the responsibilities of vendors in this space to make things better...

Identity management is here, but it doesn't solve most of our problems. It is expensive and forces processes on large enterprises that honestly don't belong there. Identity management and the processes around it shouldn't be the responsibility of enterprises but of vendors.

Imagine what would happen if Kim Cameron, Nishant Kaushik, Pat Patterson, Jackson Shaw and others started to outline and conclude that identity management is a process for identity providers and not enterprises. Why can't an enterprise outsource the identity problem to some specialized provider while focusing more on how it can be made reliable? Wouldn't it benefit enterprises more if there were not only standards but actual implementations within existing products that support notions of verification/vetting and indemnification?

What would happen if there were an industry-standard way of measuring the amount of customization required to make identity products work? What if Gartner didn't hype vendors but instead figured out how heavily customized, extensively configured and sometimes even hacked these products are in order to adapt them to most enterprises?

What is more amusing is that most identity management software is vulnerable to common attacks. It is very sad to see security folks actually purchase insecure software. Does anyone have any evidence as to whether the product managers of these firms are familiar with OWASP? What if OWASP were to make public the vulnerabilities of the respective products or at least enable others such as Gerry Gebel, Dan Blum and Bob Blakely to see basic vulnerabilities during the interoperability challenges at the next Catalyst conference?

Anyway, enterprises should solely focus on being really good relying parties while the industry at large figures out how to create reliable identity providers. Until this happens, enterprises are forced to manage identities and are participants in the hype cycle...
