
Exploring the science and magic of Identity and Access Management
Thursday, February 5, 2026

Identity Map – Characteristics

Identity
Author: Mark Dixon
Tuesday, November 15, 2005
4:49 pm

Characteristic:
"a distinguishing trait, quality, or property"

When a new baby is born, what are the characteristics everyone wants to know?
Gender, length, weight and hair color. At least these stats are what my wife
always asks, even if I didn’t bother to ask.

It is apparent that each person is born with or develops a wide range of characteristics.
It is interesting to note that:

  • Some characteristics never change (e.g. DNA, fingerprints)
  • Some characteristics change naturally (e.g. height, weight)
  • Some characteristics may be modified often (e.g. hair color)
  • Some characteristics are voluntarily added (e.g. tattoos)
  • Some characteristics are easily measured (e.g. weight) while others are difficult
    to measure (e.g. spiritual health)

I’m sure that many methods to categorize human characteristics have been developed
over the years. Here is my somewhat uneducated set of categories with examples
of attributes in each category:

Inherent characteristics (we’re born this way)

  • Gender
  • DNA
  • Fingerprint
  • Footprint
  • Age

Body features (my kids really kid me about my big nose)

  • Height
  • Weight
  • Hand geometry
  • Eye color
  • Hair pattern
  • Shape

Identifiable characteristics

  • Birthmarks
  • Scars
  • Wrinkles
  • Hair patterns

Transitory modifications (changes tend to return to a natural
state)

  • Hair color
  • Hair length
  • Fingernail/toe nail length

Persistent modifications (changes tend to remain in place)

  • Tattoos
  • Surgical changes
  • Piercings

Psychological characteristics

  • Personality
  • Temperament
  • Intelligence

Sensory characteristics

  • Sight
  • Smell
  • Touch
  • Taste
  • Hearing
  • Faith

Health characteristics

  • Physical
  • Mental
  • Emotional
  • Social
  • Spiritual

Auditory characteristics

  • Pitch
  • Power
  • Clarity

I’ve probably missed some important characteristics. A person is a complex
being. And I’m just an Identity guy.

[Back to the Identity Map]


Identity Map – Core Identity

Identity
Author: Mark Dixon
Friday, November 11, 2005
6:04 am


Core:
"The basic or most important part; the essence"

One of the biggest surprises to me in raising our six children is that each
child is unique. Kids just come that way. Each Dixon child entered this world
possessing a unique Core Identity – the essence of who he or she is.
Then, as each child grew, other differentiating attributes became apparent.

We have one daughter who plans meals for her family a month in advance, while
her brother is so disorganized that I’m sure he’d lose his head if it wasn’t
attached. We have social butterflies and mathematical wizards, athletes and
couch potatoes, all growing up under the same roof. (And they’re all great!)

The bedrock premise upon which the Identity Map rests is that each person in
this world is absolutely unique. Unique fingerprints and DNA signatures are
evidence of this fact. At birth, each child enters this world as a unique person,
having inherited a unique physical body with genetic characteristics inherited
from his or her parents. Even identical twins are unique. Their DNA is the same,
but each has different fingerprints.

Some unique characteristics (e.g. DNA signature, footprint) are immediately
measurable at birth. Other observable characteristics, including size and weight,
will quickly change. Names will be given. Locations will vary. Certain relationships
(e.g. mother-daughter) are in place at birth; others will develop as the child
grows. Attributes such as knowledge, experience, roles and reputation, emerge
and expand over time. Each attribute further clarifies the uniqueness of each
individual.

Attempts to mask uniqueness fail to undermine the fact that each person is
unique. George Foreman can name each of his five sons "George," but
each son is different from his siblings. Private schools can mandate a uniform
dress standard, but each student is still inherently unique. Even when one person
tries to assume another’s identity, the thief only steals attributes representing
the core identity, not the identity itself.

Physical Identities or Digital Identities are mere symbolic representations
of Core Identities. The challenge is to make sure a Physical Identity or Digital
Identity is linked to or represents the correct Core Identity.

[Back to the Identity Map]


Identity Map

Identity
Author: Mark Dixon
Thursday, November 10, 2005
5:35 am

Over the past few months, I have been pondering how to describe Identity
in a way that encompasses how we think about ourselves in the "natural
world" as well as how we represent ourselves in the "digital world."
I asked myself, "How would I describe my own Identity? How would I categorize
the many attributes that uniquely describe my own existence?" Out of those ponderings
has emerged the "Identity Map." I offer an introduction today and
will describe the various elements of the Identity Map more completely in days
to come.

I welcome any and all comments.



Core Identity

A fundamental premise undergirding the Identity Map is that each person is unique.
This unique "Core Identity" can be identified or described by attributes
categorized into Names, Characteristics, Relationships, Roles, Location, Experience,
Knowledge and Reputation. Each attribute adds to the fundamental uniqueness of
each individual. Brief descriptions and examples of each include:


  1. Names. I am known by many names. My given name is Mark.
     My surname is Dixon. My i-name is MarkDixon. My social security number is [wouldn’t
     you like to know?]. My kids call me Dad.

  2. Characteristics. I have some measurable characteristics
     that don’t change – my DNA signature, my fingerprints. Others change over
     time – height, weight, hair color. Does IQ change? I don’t know.


  3. Relationships. I have relationships with people, institutions
     and things. I am father to my children, brother to my siblings, husband to
     my wife. I am an employee of Sun Microsystems and an alumnus of Brigham Young
     University. I own a Nikon camera. I love Chinese food. I can’t stand professional
     wrestling.


  4. Roles. The functions I perform in life are roles: Father,
     husband, Sun Identity Practice Lead, Identity blogger, Church volunteer, registered
     voter.


  5. Location. When I used to travel every week, I’d tell people
     I claimed home addresses in Mesa, Arizona and United seat 2B. These are descriptors
     of physical locations, relative to different known reference points. However,
     my current location (latitude, longitude, elevation) will vary, depending
     on where I am physically located at any moment in time.
  6. Experience. I have experienced many things in the 52+ years
    of my earthly existence. I have been stabbed by a pitchfork, run for a touchdown,
    flown around the world and milked a cow (many times). Each experience adds
    uniqueness to my core identity.
  7. Knowledge. During my existence, I have amassed much knowledge,
    some of it shared by many, some of it unique. Both you and I probably know
    the Pythagorean Theorem. You probably don’t know the names of my kids. I hope
    you don’t know my blog password.

  8. Reputation. Other people and institutions say things about
     me, some of it good, some of it bad. The credit bureaus say I have a good
     credit rating. The DMV says I’m a so-so insurance risk because I’ve had a couple
     of tickets in the past three years – but they also say I hold a valid driver’s
     license. BYU says I hold a BSEE degree. My wife likes me (and that is what
     really counts).

Physical Identity refers to tangible items that represent
identity attributes. Common physical identity items include birth certificates,
driver’s licenses, graduation certificates, etc. Each of these symbolically
represents one or more attributes from the categories listed above. Creation
or destruction of a Physical Identity doesn’t alter the core identity attributes
it represents. If my driver’s license gets trashed, I still exist. For 4 bucks,
I can get a new one.

Digital Identity refers to symbolic digital representations
of identity attributes. These are normally very small subsets of the entire
Identity. Common digitally-represented items include user ID, password, name,
address, telephone number. Digital identities can be stored, transferred, used
for system access, or stolen (ouch!).

Blended Identity refers to physical items that contain
identity attributes. Smart cards or credit cards with magnetic stripes are examples
of physical identities that contain digital identities.

So, there it is – the Identity Map. I hope this framework proves to be valuable
for discussing the various facets of Identity. Stay tuned for more.


Sara Gates

Identity
Author: Mark Dixon
Wednesday, November 9, 2005
7:16 pm

Congratulations,
Sara Gates, on your
entry into the blogosphere! We look forward to your wit, wisdom and valuable
insight into the world of Identity Management.


Guitars and Identity Management

Identity
Author: Mark Dixon
Friday, September 30, 2005
5:09 pm

It has been said that a guitar is easy to play and hard to play well.

Implementing Identity Management systems is something like that. It is relatively
easy to give a great demonstration but much harder to configure and deploy a
production system. Why? Identity Management systems have many moving parts
that must work in harmony: many identities, many managed systems, many data
sources and repositories, and many applications that require both access and
protection.

Enterprises that implement such systems have many stakeholders, often with
conflicting interests and motivations. For example, the marketing department
is motivated to make it as easy as possible for millions of customers to do
business with the enterprise, while the security department wants to make sure
that no bad guys get in.

Just like coaxing beautiful and intricate melodies and harmonies out of a guitar
requires the expert touch of a master’s hand, getting all the moving parts of
an Identity Management system working in harmony with all the stakeholders in
an enterprise can require the skill and experience of a master implementor.
And what does that require? Much like the guitarist: knowledge, passion, skill,
practice, dedication and motivation.

It’s not easy, but the results can be extraordinary.


SAML + Martin Gee

Identity
Author: Mark Dixon
Friday, September 23, 2005
2:28 am

Some people talk. Others do. Martin Gee, founder and CTO of IC Synergy,
is a doer. He has led some of Sun Microsystems’ most successful Portal Server
and Access Manager projects and is in the midst of some highly significant
federation projects with well-known US Government customers.

Amidst all of this real-world activity, Martin has begun to teach an impressive
course about SAML to Sun customers. Again, many people talk about SAML. Martin
does something about it. He knows how to make this stuff jump up and dance, and
is willing to teach it to others.

Part 1 of the IC Synergy SAML course covers SAML concepts. It provides
a general understanding of the technology for attendees, and provides a foundation
for developers and other specialists who will go on to undertake a development
project in Part 2.

Part 2 provides hands-on practical training, leading to the development of
an actual SAML project chosen by each participant. Each participant will develop
a real SAML project, in an intensive, highly supportive, practical learning
environment, providing participants with a take-away of real practical value.

Interested in SAML? I highly recommend you get to know Martin Gee.


Identity Grid – Take 2

Identity
Author: Mark Dixon
Thursday, September 22, 2005
5:29 am

The first Sun white paper I read before I became a Sun employee in October
2004 was entitled "The Identity Grid: Powering the Real Time Enterprise."
It presented an articulate case for the importance of Identity Management in
the modern enterprise and gave a good overview of the critical components of
an Identity Management architecture.

Simply stated, "The Identity Grid is an organizing principle for integrating
and exchanging “people data,” or identity data, and making the data
broadly available across the enterprise. Because identity data is integral to
every relationship an enterprise is engaged in — be it with customers,
partners, or employees — identity data is in the critical path of successful
electronic business."

Produced by Waveset in 2003, prior to its acquisition by Sun, this whitepaper
presents a cohesive framework for discussing several aspects of Identity Management:

Interestingly enough, the Identity Grid Framework pictured above offers a convenient
grouping for the Sun Java System Identity Management Products:

Management Services

  • Identity Manager
  • Identity Manager Service Provider Edition
  • Identity Auditor

Transaction Services

  • Access Manager
  • Federation Manager

Data Stores

  • Directory Server Enterprise Edition

After my recent reading, I would like to suggest some updates that make this
Identity Grid concept even more relevant.

1. Add "Auditors" as a user type and "Auditing/Remediation"
as a Management Service type. Regulatory compliance is probably the number one
business driver for Identity Management implementations. Auditors must be able
to set audit policies and controls, audit compliance with those policies and
controls and remediate non-compliant conditions.

2. Change "Employee" to "Employee/Contractor." This may
be a nit, but modern enterprises all use many contractors. The distinction at
a high level might be subtle, but within the bowels of an Identity Management
system, contractors often are treated far differently than employees.

3. Add "Applications" as a user type and "Web Services"
as a user interface type. This recognizes that system users are often software
programs, not people. These applications must be identity enabled to operate
within Service Oriented Architectures.

4. Add "Federation Services" as a Transaction Services type. Federation
Services are increasingly essential for enabling interaction among trading partners.

5. Change "Data Stores" to "Data Services." In harmony
with the Management Services and Transaction Services titles, this recognizes that
Identity Management functionality is progressively delivered as sets of services,
not just independent applications.

6. Add "Virtual Directory Services" as a Data Services type. It is
increasingly evident that data access should be virtualized, wherein a data
services layer separates applications from the physical data storage constructs.

So there you have it … my suggestions for a second version of the Identity
Grid. I’d welcome your input and critique.


Identity Management Benefits

Identity
Author: Mark Dixon
Monday, September 19, 2005
4:25 am

Today, we have a list of the benefits our customers expect from their Identity
Management Systems, based on the same set of RFPs used for the previous two
days’ posts:

  • Improved quality of service to our clients.
  • New users gain faster access to the resources needed to perform their jobs,
    meet their changing needs and keep them satisfied and productive.
  • All users gain better service by the reduction or elimination of errors
  • Faster processing of requests
  • Automation speeds the processing of requests, freeing security administrators
    to spend time on other important activities.
  • Provisioning of client accounts takes minutes rather than days to build.
  • Streamlined operations.
  • Flexible, rule-driven provisioning approach allows routine, yet complex,
    provisioning processes to be automated, improving efficiency and reducing
    the possibility of errors.
  • Information Security support and operating costs are greatly reduced with
    automation, delegation, and self-service features.
  • Implementation of the common processes across multiple accounts will standardize
    and simplify procedures, reducing mistakes and cost.
  • Enable growth with reduced need to increase the size and expertise of the
    account administrative staff.
  • Improved enterprise security with complete visibility into user access
    privileges.
  • Improved ability to automatically detect and react to potential risks.
  • Consistent application and enforcement of security rules.
  • Reduced security costs through task automation.
  • Audit and reporting capabilities.
  • Tighter security controls.
  • Eliminated or reduced duplicate user IDs.
  • Account clean-up or deletion validation across all platforms & applications
    based on single action.

In a nutshell: Improved service, increased productivity, reduced errors, increased
efficiency, improved security, reduced risk, regulatory compliance and growth
enablement.


Identity Management Objectives

Identity
Author: Mark Dixon
Saturday, September 17, 2005
8:02 am

Yesterday, I listed several problems stated by customers in recent RFPs. Here
is a list of objectives the same customers hoped to achieve by implementing an
Identity Management System:

Improve Administration

  • Improve administrative overhead – Centralized account creation, suspension,
    and deletion across systems and applications
  • Create a centralized view to use as a window into the digital identities
    that exist on the targeted systems.
  • The proposed solution should allow out-of-the-box user administration capabilities
    on a number of common platforms and applications.
  • Central, multi-system administration.
  • Self managed password administration.
  • Provide self service capabilities, e.g., resetting passwords

Improve Security

  • Create a centralized store for provisioning processes and policies that
    govern how to conduct business securely
  • Provide application developers with a seamless security infrastructure
    where security no longer needs to be coded per application
  • Minimize risk
  • Privacy and security compliance via role-based security for users access
    to electronic information.
  • Support role-based security for our clients’ access to electronic
    information.

Reduce Complexity

  • Improve information quality – Synchronization of identity information in
    various repositories/ directories
  • Reduce the number of log-on credentials
  • Synchronization of IDs and passwords across platforms and applications
  • Simplify the ‘user provisioning’ and setup for user ids for
    various internal applications.
  • Provide simple and non-technical means for managing user request options
  • Provides unified login for customers and employees

Increase efficiency

  • Improve Access
  • Improve Service
  • Reduce Cost
  • Provide the ability to be self-sufficient in administering and extending
    the system.
  • Correlate and clean the identity information of the targeted systems.
  • Report on variances between the correlated and cleaned identities and new
    identities that are added to the system.
  • Reduction of internal user account provisioning from forty-eight hours to
    minutes after approvals.
  • Reduction of external client account provisioning from forty-eight hours
    to minutes after approvals.
  • Rapid, reliable account termination.
  • Streamlined approvals for systems access.
  • Automatic provisioning for approved requests.

Improve Compliance

  • Improve regulatory access/audit – Comprehensive logging and auditing of
    users’ access rights and approvers
  • Provide compliance with government regulations through automation of provisioning,
    de-provisioning and reporting on current state of authorized user credentials.
  • Provide audit trails for user requests

Leverage Standards

  • Provide the foundation for developing a shared permission/identity infrastructure
    service – Standards-based scalability
  • The architecture of the provisioning solution should be robust, secure and
    based on best industry standards.

Position for the Future

  • Provide a foundation for extending Identity Management functionality
  • Scalability for future growth

Enable Integration

  • It should be customizable to support products from other vendors and applications
    that have been developed specifically for the current environment.
  • Integrate with outside systems for event triggering, auditing and reporting.
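The "Correlate and clean the identity information of the targeted systems," "Report on variances," and "Rapid, reliable account termination" objectives above describe one reconciliation pass over an authoritative source and the accounts on each managed system. The script below is an added example, not code from the original post or from any Sun product. It correlates accounts to people, produces a variance report (orphan accounts, accounts of terminated people, duplicate IDs for one person, rights beyond policy) of the kind these RFPs ask for, and computes a single-action deprovisioning list. The HR feed, the three target systems, the correlation rules, and the entitlement policy are all constructed and hypothetical.

```python
"""Identity reconciliation across target systems (added example).

All data below is constructed for illustration: an HR feed treated as the
authoritative source, three target systems with their own account formats,
and a per-department entitlement policy.
"""
from collections import defaultdict

# Authoritative source: the HR feed, keyed by employee ID (constructed).
HR = {
    "E1001": {"name": "Alice Adams", "email": "alice.adams@example.com",
              "dept": "finance", "status": "active"},
    "E1002": {"name": "Bob Brown", "email": "bob.brown@example.com",
              "dept": "engineering", "status": "active"},
    "E1003": {"name": "Carol Chen", "email": "carol.chen@example.com",
              "dept": "finance", "status": "terminated"},
}

# Target systems (constructed). Each account carries whatever identifying
# attributes that system happens to store; not all of them know the HR ID.
TARGETS = {
    "ldap": [
        {"id": "aadams", "employee_id": "E1001", "groups": {"staff"}},
        {"id": "bbrown", "employee_id": "E1002", "groups": {"staff", "dev"}},
        {"id": "cchen", "employee_id": "E1003", "groups": {"staff"}},
    ],
    "unix": [
        {"id": "alice", "email": "Alice.Adams@example.com", "groups": {"users"}},
        {"id": "aadams2", "email": "alice.adams@example.com", "groups": {"users", "wheel"}},
        {"id": "bob", "email": "bob.brown@example.com", "groups": {"users", "wheel"}},
        {"id": "svc_backup", "groups": {"users"}},
    ],
    "finance_app": [
        {"id": "alice.adams", "email": "alice.adams@example.com", "groups": {"ap_clerk"}},
        {"id": "carol.chen", "email": "carol.chen@example.com",
         "groups": {"ap_clerk", "ap_approver"}},
    ],
}

# Entitlement policy (hypothetical): groups a department may hold per system.
POLICY = {
    "finance": {"ldap": {"staff"}, "unix": {"users"},
                "finance_app": {"ap_clerk", "ap_approver"}},
    "engineering": {"ldap": {"staff", "dev"}, "unix": {"users", "wheel"},
                    "finance_app": set()},
}


def correlate(account):
    """Map a target account to an HR employee ID, or None if no rule matches.
    Rule order: exact employee_id attribute, then case-insensitive e-mail."""
    if account.get("employee_id") in HR:
        return account["employee_id"]
    email = account.get("email", "").lower()
    for emp_id, rec in HR.items():
        if email and rec["email"].lower() == email:
            return emp_id
    return None


def reconcile():
    """Compare every target account against HR and the policy.
    Returns a variance report keyed by finding type; entries are tuples of
    (system, account_id) plus a detail field where one applies."""
    report = {"orphan": [], "terminated": [], "duplicate": [], "excess": []}
    seen = defaultdict(list)  # (system, emp_id) -> account ids on that system
    for system, accounts in TARGETS.items():
        for acct in accounts:
            emp_id = correlate(acct)
            if emp_id is None:
                # Nobody in HR owns this account: a candidate for clean-up.
                report["orphan"].append((system, acct["id"]))
                continue
            seen[(system, emp_id)].append(acct["id"])
            person = HR[emp_id]
            if person["status"] == "terminated":
                # A termination that was never propagated to this system.
                report["terminated"].append((system, acct["id"]))
            allowed = POLICY[person["dept"]].get(system, set())
            extra = acct.get("groups", set()) - allowed
            if extra:
                report["excess"].append((system, acct["id"], tuple(sorted(extra))))
    # Different administrators assigned different IDs to the same person.
    for (system, emp_id), ids in seen.items():
        if len(ids) > 1:
            report["duplicate"].append((system, emp_id, tuple(ids)))
    return report


def deprovision(emp_id):
    """One action, every platform: the (system, account_id) pairs to disable
    for this person. Re-run reconcile() afterwards to validate the result."""
    return [(system, acct["id"])
            for system, accounts in TARGETS.items()
            for acct in accounts
            if correlate(acct) == emp_id]


if __name__ == "__main__":
    for kind, items in reconcile().items():
        print(f"{kind:10s} {items}")
    print("deprovision E1003 ->", deprovision("E1003"))
```

The correlation rule order matters: an attribute the target system received from the provisioning system (the employee ID) is trusted before a human-entered one (e-mail), and an account matching no rule is reported rather than guessed at, since a wrong correlation would silently hand one person another person's entitlements. In the sample data this surfaces the service account nobody owns, Carol's two accounts that outlived her termination, Alice's second Unix login with an unexpected `wheel` membership, and the fact that Alice has two Unix IDs at all.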

Monday I’ll list the expected benefits. Stay tuned.


Help! Identity Management Problems

Identity
Author: Mark Dixon
Friday, September 16, 2005
5:25 am

I randomly selected a few recent RFPs that have come across my desk and compiled
the following list of problems stated by our customers:

Administration

  • No centralized user administration process.
  • Multiple teams are involved in the user administration activities.
  • Increasing overhead in administration of identities
  • Administrators spend a lot of time performing routine admin tasks that can
    be automated
  • Different administrators often assign different IDs to the same person.
    This makes it difficult to track activity back to a single source and confuses
    the customer.

Security

  • Potential security risks
  • Accounts are created with unauthorized system access rights.
  • Security risks occur when frustrated or overburdened admin staffs may take
    shortcuts, terminations may not be done as soon as required or permissions
    granted may be in excess of what is really needed.

Complexity

  • The users of the system are located worldwide and can be customers, employees,
    temporary workers, contractors and external suppliers.
  • Multiple authentication requirements for applications
  • Account creation/deletion in repositories is performed by multiple groups
  • Many systems and applications have different business owners, platforms,
    administrative tools, and system administrators, leading to slow performance,
    delayed or unreliable terminations and higher administration costs.
  • Account creation process requires great coordination, involves many steps,
    and involves multiple clients which must remain segregated from each other
  • Support staff requires advanced training to administer accounts on so many
    varying systems.
  • Employees and customers require timely access to applications and systems
    to perform their jobs.

Inefficiency

  • A high number of calls are made to the support center for user provisioning
    activities including password resets.
  • Terminating employee accounts is a manual process
  • The process for business unit managers and application owners to sign off
    on the privileges of the users is cumbersome and time consuming.
  • Proliferation of directories and identities: diverse infrastructure has
    evolved over time
  • Redundant identity information
  • Information inaccuracies
  • Users wait longer than necessary to obtain IDs
  • Managers spend time chasing a sequence of events to ensure proper approvals.
  • Authorizations needed to process a request often slow the process of account
    creation or update and leads to errors and mistakes.

Compliance

  • Untimely response to regulations

Strategy

  • Managing for the moment, but not positioned for the future

This was not a scientific sample, but I find it interesting that in the half-dozen
RFPs I read, compliance was not nearly so important an issue as operational
efficiency and reduction in complexity.

Stay tuned for more.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.
Powered by WordPress.