In my last blog post, I complained that we’re a bit lost.   I would like to even be more specific.   In the world of Identity, there are theoretically two types of people — those whose job it is to pay attention, and those who rely on the first type of people.  I don’t mind if the second group are lost.  I worry when the first group are lost.

So, why is it that we actually deploy these systems in the first place?  And, if this world of Identity is a journey and not a destination, how do we know when we’ve seen and done enough?

Here is my definition of what a given Enterprise may wish to accomplish by spending money on Identity technology:

1. Simplification of Sign-on & Sign-on related procedures
2. Access to assets granted on basis of least privilege
3. Process-driven Account Automation
4. Delegation of Identity Data Maintenance & Workflow to the person/resource most able to enter correct, timely & knowledgeable data
5. Ability to interact with partners or outsourced services securely & efficiently
6. Accountability for all of the above through Approvals, Audit

Why do we wish to accomplish these things?

1. To make the Enterprise workforce as productive as possible.
2. To protect corporate assets against theft or abuse.

There.  That’s it, assuming I haven’t forgotten anything obvious.   The problem is, you can’t just tick off these items like some kind of grocery list.  All you can do is make a qualitative assessment of how close the processes & technologies your company has implemented from the first list bring you towards the end goals described in the second list. Every organization of every size should be making these evaluations – but the sweet spot between cost undertaken and value returned will be different. For smaller companies everything could be manual, and there is nothing wrong with that as long as the risk and overhead are tolerable.

Is this characterization just an invitation for vendors to get lazy?  It’s hard for me to imagine.  There is so much work to do in these areas, so many things that can improve, that I can’t imagine any of the vendors having time to slack off.  Besides, I think there are revolutions to come.

The really interesting question will be whether or not the big vendors will ever start enabling truly integrated provisioning and SSO support for the full range of their products.   Imagine if every web enabled product sold by Oracle had a configuration property called “trust OAM session cookie”, and if the configuration property was set, the application ceased to prompt users for credentials, and instead simply looked for a set of pre-agreed-upon header values to determine the identity of the user.   Imagine if your provisioning workflows for employee and manager self-service came built into your HR product, but only a configuration page later, you could hook the interface into your provisioning system.   Imagine if all of the application-specific roles in all of your stack applications were consistent and complimentary, both at the fine-grained application level and at the enterprise middleware level. That is the potential, if not the reality, of a stack offering.  Integral adherence to an identity vision, instead of bolted-on adherence.    Sigh, what a lovely thought.

I wouldn’t put money on it though.  Too bad.