I'm delivering one of the morning presentations at the OCG IDA summit next week, entitled "Building a Strategic IDA Infrastructure". The session abstract reads "Dave Nesbitt (that's me, folks) explains, from the bottom-up, how current applications deal with identities, how we can deploy identity and access management infrastructure to ease the burden of managing these identities and how we can extend our infrastructure to manage external users and deal with the challenges presented by dissolving security perimeters, external users and cloud computing, all the time being aware of the emerging paradigm of claims-based access."
My basic thesis is that the vast majority of the problems we experience with the management of identities (which we are all familiar with, so I won't repeat them here) are caused by the fact that our applications are fundamentally flawed. They are flawed in that they have been written to consume identity data in a particular way. Sometimes (in the worst case) this is a completely arbitrary way, dreamt up by the application developer. Others, if we are lucky, can use standard protocols and languages such as LDAP and SQL, but still the application is likely to enforce or expect a certain schema or set of attributes. This is wrong.
To me, these applications are the equivalent of fussy children, demanding that they only eat their preferred type of food, presented to them on their favorite Thomas the Tank Engine plate and spoon fed to them with an accompanying "choo-choo, here comes the train!"
We, the identity experts, need to assume the role of parent in this relationship. We should dictate to our naughty applications the way that we will present the data that is good for them and make them eat it whether they like it or not! This nasty-tasting medicine is, of course, claims. Once application developers start to understand what claims are and why they are good for us, they can present us with mature claims-aware apps and we can begin to move towards this much preferred architecture.
This is a long way off yet, of course, so the majority of my presentation will talk about the infrastructure we need to deploy now to help manage our infantile apps. Maybe one day they will grow up, but it's not going to be for a good few years yet!
Comments
OCG IDA Summit Best Ever
Dave,
I had the chance to attend an excellent summit, and loved your presentation. The keynote speaker on day two was special also; he was talking around Rights Management Server.
Keep up the good work!
Robert
That RMS Speaker
Hi Rob,
Yes, I thought the chap who did RMS was awesome. Technically brilliant as well as handsome and debonair. Who was that man of mystery? Looking forward to learning more about RMS soon.
;)
Dave