Digital Identity: Unmasking Identity Management Architecture (IMA) (English) Paperback – 2005/8/11
The rise of network-based, automated services in the past decade has definitely changed the way businesses operate, but not always for the better. Offering services, conducting transactions and moving data on the Web opens new opportunities, but many CTOs and CIOs are more concerned with the risks. Like the rulers of medieval cities, they've adopted a siege mentality, building walls to keep the bad guys out. It makes for a secure perimeter, but hampers the flow of commerce.
Fortunately, some corporations are beginning to rethink how they provide security, so that interactions with customers, employees, partners, and suppliers will be richer and more flexible. Digital Identity explains how to go about it. This book details an important concept known as "identity management architecture" (IMA): a method to provide ample protection while giving good guys access to vital information and systems. In today's service-oriented economy, digital identity is everything. IMA is a coherent, enterprise-wide set of standards, policies, certifications and management activities that enable companies like yours to manage digital identity effectively--not just as a security check, but as a way to extend services and pinpoint the needs of customers.
Author Phil Windley likens IMA to good city planning. Cities define uses and design standards to ensure that buildings and city services are consistent and workable. Within that context, individual buildings--or system architectures--function as part of the overall plan. With Windley's experience as VP of product development for Excite@Home.com and CIO of Governor Michael Leavitt's administration in Utah, he provides a rich, real-world view of the concepts, issues, and technologies behind identity management architecture.
How does digital identity increase business opportunity? Windley's favorite example is the ATM. With ATMs, banks can offer around-the-clock service, serve more customers simultaneously, and do it in a variety of new locations. This fascinating book shows CIOs, other IT professionals, product managers, and programmers how security planning can support business goals and opportunities rather than holding them at bay.
"Highly recommended" - Greg Matthews, news@UK, March 2006
Excellent for any CXO who thinks there might be something to this Identity Management.
I wish all the CXOs I have worked with in this space had read this book; it would sure save them and me a lot of time, and them a lot of money wasted on "stop-gaps" that are sure to be dead-on-delivery projects.
I work on an IM project and this book made clear a lot of gaps I had in my knowledge. Also, it helped me to understand the real importance of a good identity management infrastructure for the organization as a whole, not only for IT.
But the book clearly lacks substance when it comes to the practical implementation. While it is of some help during the planning phase of IM projects, it essentially stops where one wants to start. Conceptual approach, theoretical design, and planning are one thing. Implementing is another, and it is totally absent here. The book will not help in areas like dimensioning, practical issues and pitfalls, product evaluation, actual design and architecture, ROI, cost vs. benefit and such. It is totally lacking any how-to.
The book starts the traditional way: explaining what digital identity is. This is followed by about 8 chapters about the constituents of identity management, including authentication, trust, integrity, non-repudiation, and even digital rights management. Except for a very brief refresher, I think these have no place here and they should have been summarized in one single chapter. Other books treat this much better, and many readers will find this part somewhat boring, given that it is background knowledge for any CISSP-level security person. The DRM chapter (Chapter 10), and some other parts in this area, are even irrelevant, in my view.
This first part is followed by two chapters on (11) Interoperability Standards and (12) Federating Identity. Here again, the Interoperability Standards chapter goes into unneeded technical details and misses the point. It does not give the reader an understanding of the real issues: interoperability for what purpose? What are the issues? How can we go about them?
On the other hand, the Federating Identity chapter should probably be substantially expanded, as it is the meat of what identity management is about today. Three or four chapters should probably be devoted to this, and they should include practical examples of scenarios and architectures. It should be shown why identity federation is key, but again, the chapter does not go beyond very high-level and theoretical principles.
Finally, the book concludes with about eight chapters on architecture, governance, policies and such. While these give an idea of what is required in a well governed enterprise with an advanced maturity model, once again, these chapters lack real practical usability. In addition, this part is really not specific to identity management, but is rather a short summary of what has to be done in terms of governance, enterprise and reference architectures, and policy management.
Having read the book, I'm kind of disappointed. Facing a real project on identity management, the reader will surely think: "Good, and now, what do we do?" Possibly, it may satisfy the high-level manager only seeking to understand what identity management is about, with no intention to get involved in the project.
This other reader, Prasad Reddy, summarizes it very well: "The book absolutely fails and falls short on explaining the identity management standards and technologies related to single sign-on, federation, provisioning and assurance. From a real-world IDMS deployment perspective the book is truly misleading!" Why so many gave it 4 or 5 stars is unclear. I'd hesitate between 2 and 3.
Useless, no, but I will still have to look out for something more useable in real life.
Just as it is difficult to maintain and manage identities in the real world, it is difficult to maintain and manage digital identities. As the digital economy is becoming more ubiquitous, the need for a single federated identity is becoming more critical. In Digital Identity, Phillip Windley details the steps needed to develop an identity management architecture (IMA).
Identity management has become a pressing need in the past few years. This has come about because networks and systems are no longer geared around a single infrastructure, and businesses have become increasingly virtual and decentralized. In previous years, there were simply internal users. Today, systems have internal users, along with external users such as consultants, contractors, third-parties, customers, collaborators, and many more. Such requirements necessitate a well-designed and planned IMA.
So what is this thing called IMA? Windley defines an IMA as the coherent, enterprise-wide set of standards, policies, certifications, and management activities that enable an organization to effectively manage digital identities.
IMA is also known as federated identity. The book notes that the real challenge in developing a federated identity infrastructure is dealing with the various different hardware and software platforms where user accounts reside, and working with different organizations and departments, including the ever-increasing amount of outsourcing. When all of that is put together, a single federated identity is not easy to come by if there is not an IMA in place.
The beauty of an IMA is that it allows an organization to securely link and exchange identity information across partner, supplier, and customer organizations, while having a single architecture. This makes identity management seamless.
The first 11 chapters of Digital Identity do a good job of introducing the underlying concepts of an IMA, including security, trust, authentication, access control, and names and directories. Without an effective security infrastructure in place, any IMA deployed will not be fully effective.
One oddity, though, is that in Chapter 6, the author defines cryptography as the science of making the cost of discovery of hidden information greater than the value of the information itself. This is the author's own characterization of cryptography and while interesting, is not how it is used in mainstream security.
Chapter 12 starts to get into the internals of federated identities. This and the rest of the chapters do not deal with the deep technical details of an IMA; rather, they show how to design and deploy the IMA in the context of a corporate environment under a single set of policies and procedures. Windley emphasizes that an IMA is not so much a technical issue as a business issue that must be deployed in a business context.
This idea of a business context is manifest in Chapter 18, which deals with identity policies. The book creates what it calls an IMA policy stack, which is the interoperability framework for the IMA. The stack includes all of the elements necessary for the IMA, and comprises an identity management architecture, framework, and set of standards. The standards include all protocols and applications, from SSL, XML, LDAP, DNS, and much more. The framework includes policy issues such as naming, passwords, encryption, provisioning, and more. Finally, the architecture details the specific high-level controls (procurement, contracts, licensing, etc.) around the IMA.
The book itself is worth it solely for the information in this chapter. Anyone attempting to deploy an IMA without first getting a handle on the issues detailed in Chapter 18 will find that their IMA will likely be seriously deficient.
The only negatives to the book are a few too many editing mistakes that should have been caught during the editing process. Also, the author frequently discusses his own trials and tribulations of using an IMA during his short stint as CIO of the State of Utah and with previous employers. Depending on the reader's specific tastes, some may find the heavy use of first-person anecdotes to be a negative.
Overall, Digital Identity provides the reader with a good introduction to the various areas necessary to develop a productive identity management infrastructure. Anyone planning to deploy an IMA or any sort of federated identity solution in a corporate environment will find Digital Identity a valuable reference.