It seems like a simple question with a simple answer: You are in charge of your identity. But in the context of a typical modern workplace in a large corporation with hundreds or thousands of employees, your identity is defined by your email password, login ID and registration keys. Identity is intimately tied to your ability to access the company's systems.
In this context, identity management requires professional expertise. You’re no longer in charge of your own identity. The people who give you access to the system create an identity for you.
The problem is that the people who are supposed to manage your access often don’t have identity management tools, like a system that could track all of your identities in one place. Sometimes, they just don’t have the incentive to keep up-to-date records. And sometimes, these people or processes just don’t exist.
By the day you start your job at your new desk, you hopefully have been given access so you can start using your computer. Who gave you that access? Your boss? The director of human resources? A nameless IT guy? As you log in to your computer for the first time, these sorts of questions may seem kind of meaningless to you, but they affect the organization’s security policy and procedure.
Access issues don't end with your access to your desktop. How about the key card you use to get into the building and use the elevator? Or the password you’re using to access your work email? Or the identity you use to make requests so you’ll have the tools you need to do your job? And if the identity you use for access needs to be changed for any reason, who will make the changes?
Very likely, there is not just one person in charge of managing your identities, but several, probably in different departments and geographical locations. Who is in charge of ensuring your access is being tracked with up-to-date tools? Do they even have a system to track you? And which one of them will have the responsibility to ensure your access to all the points of entry is revoked when you move on to greener pastures (or when you get canned and start planning your revenge from the moment you leave)?
There are organizations that have processes in place. Many don’t. So the question is not just who should manage your identity or how they should do it. For organizations, there is also the question of whether poorly managed identity will give you (or someone posing as you) access to supposedly secured systems long after you’re gone. For companies concerned about access and security, the road to real security starts with understanding identity.
Vaclav Vincalek June 5th, 2008 10:26:36 AM