Oracle’s Nishant Kaushik writes:
So does user-centricity have a place in the enterprise? I’m not sure. Opening up the enterprise to external identity providers may force the adoption of user-centric technologies, but it won’t mean that once I am "in" the enterprise and have given them access to some data, I can still control how that data is used (or would even want to). Modern enterprises are too complex for me to be involved. I’d settle for some involvement when my employer federates with someone. For everything else, just make it work.
To discuss where in an enterprise context user-centric identity applies, let’s use my new concentric circles diagram and look at it from outside in:
- In Tier 4, with potential customers, an enterprise most certainly has to apply user-centric identity management. If it does not, it is sure to be branded as a privacy violator and tracker of honest people sooner or later. (Remember the Doubleclick fiasco some years ago?) That’s just like in the real world: companies cannot demand that prospects entering the store first show their birth certificate.
- In Tier 3, actual customers actively practice user-centric identity management whether or not the enterprise likes that: how many web forms have you filled out with e-mail addresses such as foo@bar.com and residence in Afghanistan? (Because it was the first country in the drop-down list?) The enterprise might not give me the option of saying "answer refused", as technology-enabled user-centric identity management would, but customers sure have the option of providing wrong information; anecdotal sources says there’s lots of it.
- In Tier 2, affiliates are likely all over the map. But notice that few companies that are affiliates of another make extensive identity information available to their business partner. For example, why would a car parts dealer tell the birth date of their employee to Toyota? This might not be the exact use case (the employee refusing to hand out information, rather than his employer instead of the employee), but the result is the same.
- Tier 1 is difficult to characterize because the company and its close business partners may have a variety of different data sharing needs and policies; so I’m going to skip discussing this. But:
- There is definitely a need for user-centricity in Tier 0, the enterprise’s own internal systems. (Perhaps that’s the main Tier that Nishant had in mind in his post; I’m guessing. He does say that he cares a lot about his identity information with the enterprise’s preferred 401k providers and travel agents and other parties "federated in" which might mean Tier 1 and 2)
Within the walls of the enterprise, isn’t the assumption correct, as he writes, that:
Most employees hand over a bunch of their personal identity information to HR on the day they are hired, at which point it becomes enterprise data. The employee no longer knows what is happening with that data and how it is being used. Sure, the use of self-service tools gives these employees the ability to manage that information and keep it up to date, but that is simply a maintenance feature that eliminates unnecessary administrative overhead. It does not give the user any control over how that data is used.
Spot the problem? It’s about where he draws the line what is and isn’t identity data. If all we are considering to be identity data is the "bunch of their personal identity information [that is] … hand[ed] over … to HR" then that might indeed be correct. But what about the following types:
- My cell phone number. I don’t tend to hand that to HR, but perhaps to a few coworkers and my boss for emergencies. By selecting to whom I give it, I clearly am in control over this piece of identity information. (Side note: sadly, in most enterprises, no technology is availabe to support this process. Which means that my coworker is going to call the wrong cell phone number with an emergency at 2am because I recently changed providers and forgot to tell him.)
- My genetic markup. Sure, in an enterprise identity context, we usually don’t consider it because it is virtually never handed over to the employer, but if genetic code isn’t identity data, I don’t know what is. I don’t know much about bio technology companies, but I won’t be surprised if some genetic data is relevant from an employee safety perspective to the employer in some circumstances.
- My AOL Instant Messenger address. Corporate directories (such as those populated with data from HR) often contain the IM handles for the official corporate instant messaging system. However, more often than not, employees use a tool to communicate with each other that they are also using to communicate with their husband from work. Some promiscous people might find a way of putting their AIM handle into the corporate directory, but most will really not want to do that (even as many of their co-workers know what it is). Clearly user choice and control is at work here.
- What about presence? Presence information, mostly from instant messaging applications, has become critical for many organizations and/or departments. Is it identity information? I sure think so. "He is currently at his desk" seems to express a similar kind of thing as "after 5pm, he resides at 123 Cherry Lane". In a way, presence is probably the most frequently changed — by the user himself — piece of identity information readily available in many enterprises. The fact that many IM clients allow you to define who may or may not see your presence status very much confirms that. The fact that it does not fit into an enterprise directory certainly does not.
- Address of mom’s house. That’s pretty obvious.
- What about the location data in my company-provided, GPS-enabeled cell phone? On my day off?
So, the essence of what I’m saying here is this: if you simply define the identity information that you can’t or don’t want to handle as out of scope (or define that only what HR captures is identity information), then of course, you can define away the issue of user-centric identity in the enterprise and happy live thereafter. Except that your users won’t and even the business people won’t because somebody might have to get a hold of me at 2am who I did not share my cell phone number with because he’s the replacement for Charlie who is sick. See the problem?
There is this quote that 80% of mission-critical information in the enterprise exists in people’s heads and on paper and in unofficial data stores, as opposed to the data that’s in the official enterprise systems. Might there be a possibility that something similar is true for identity information? And that the boundary is pretty much exactly where company-centric and user-centric identity data meets?