Bernhard Findeiss
Wednesday April 30th, 2008

What is “identity management”, and why should we care about it?

One topic that has gathered a lot of attention in the IT world is “identity management” (or “IdM”).
What is it, and why should everyone know about it (especially everyone who surfs the web)?

Firstly, I want to point out that identity management is not a single topic in itself, but consists of a number of sub-topics which at first sight don’t seem to have much to do with each other.

But I think it is quite important to consider all of the sub-topics in order to reach a common basis for conversation. Many people in this area concentrate on only one of them, yet all of them call it “identity management”.

A useful classification was introduced by the EU-sponsored FIDIS project (Future of Identity in the Information Society). It defined three classes of IdM system:

Type 1: Account Management

This kind of identity management is mostly done by companies. Account management covers all aspects of the employment lifecycle, from initialisation at recruitment, through changes in access rights when a person is promoted, demoted, or transferred to another department, to deletion on leaving the company.
The main objective is to provide all workers with the access rights they need to carry out their work (email, internet, file access etc.), but also to revoke those rights again as soon as they are no longer needed. The second half is the part most often neglected: a person who is transferred keeps the old department’s rights unless someone actively removes them, and over the years such accumulated rights are exactly what an attacker who compromises the account inherits.

This kind of administration is usually carried out centrally by specially commissioned persons (administrators); self-service by the users themselves is the exception. Account management focuses on reliably verifying who a person is (“authentication”) and on securely assigning access rights to that person (“authorization”), not on privacy.
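As an added illustration of the lifecycle described above (example code written for this page, not taken from the original post or from any IdM product), the following Python models a hypothetical role catalogue and translates each joiner, mover and leaver event into a set of rights to grant and a set of rights to revoke. A reconciliation pass then finds rights that no current role justifies, which is how the “transferred but never revoked” problem is caught in practice. The role names, rights and event shape are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

# Role catalogue: which access rights each business role entitles a person to.
# The roles and rights are constructed for this example, not taken from any real system.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "employee": {"email", "internet", "fileshare:public"},
    "sales": {"crm:read", "crm:write"},
    "finance": {"erp:ledger", "fileshare:finance"},
    "finance-manager": {"erp:ledger", "erp:approve", "fileshare:finance"},
}


@dataclass
class Account:
    user: str
    roles: Set[str]
    active: bool = True
    granted: Set[str] = field(default_factory=set)  # rights actually present on the target systems


def required_entitlements(roles: Iterable[str]) -> Set[str]:
    """Rights a person with exactly these roles should hold, and nothing more."""
    required: Set[str] = set()
    for role in roles:
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role: {role}")
        required |= ROLE_ENTITLEMENTS[role]
    return required


def _target(acct: Account) -> Set[str]:
    """What the account should hold right now: nothing at all once it is disabled."""
    return required_entitlements(acct.roles) if acct.active else set()


def apply_event(accounts: Dict[str, Account], kind: str, user: str,
                roles: Iterable[str] = ()) -> Tuple[Set[str], Set[str]]:
    """Process one lifecycle event and return (rights_to_grant, rights_to_revoke).

    "hire" creates the account, "move" (promotion, demotion, transfer) replaces the
    role set, "leave" disables the account. In every case the grant and revoke sets
    are the difference between what is held and what the new roles require, so a
    transfer never silently leaves the old department's rights behind.
    """
    if kind == "hire":
        if user in accounts:
            raise ValueError(f"account already exists: {user}")
        accounts[user] = Account(user=user, roles=set(roles))
    elif kind == "move":
        accounts[user].roles = set(roles)
    elif kind == "leave":
        accounts[user].roles = set()
        accounts[user].active = False
    else:
        raise ValueError(f"unknown event: {kind}")

    acct = accounts[user]
    target = _target(acct)
    to_grant = target - acct.granted
    to_revoke = acct.granted - target
    acct.granted = target
    return to_grant, to_revoke


def reconcile(accounts: Dict[str, Account]) -> Dict[str, Set[str]]:
    """Find accounts holding rights that their current roles do not justify.

    This catches rights handed out outside the lifecycle process (e.g. by an
    administrator on request) and disabled accounts that still hold access.
    """
    excess: Dict[str, Set[str]] = {}
    for acct in accounts.values():
        extra = acct.granted - _target(acct)
        if extra:
            excess[acct.user] = extra
    return excess


def demo() -> Dict[str, Set[str]]:
    """Hire, transfer and off-board one person; one out-of-band grant for another."""
    accounts: Dict[str, Account] = {}
    apply_event(accounts, "hire", "alice", {"employee", "sales"})
    apply_event(accounts, "move", "alice", {"employee", "finance"})
    apply_event(accounts, "hire", "bob", {"employee"})
    accounts["bob"].granted.add("erp:approve")  # granted directly, no role behind it
    apply_event(accounts, "leave", "alice")
    return reconcile(accounts)


if __name__ == "__main__":
    print(demo())
```

The point of computing both differences on every event is that the “move” case revokes the CRM rights the moment alice leaves sales, and the “leave” case reduces the target to the empty set, so nothing survives off-boarding. The reconciliation pass is what a real deployment would run periodically against the target systems, because rights granted by hand never pass through the event path.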

Type 2: Profiling of user data by an organization

Type 2 identity management is all about inferring a person’s behaviour, likes and dislikes from a potentially massive amount of data. As with type 1, this is carried out by an organisation, and here too the focus is on reliably attributing profile information to a person rather than on privacy.

Unlike type 1, however, profiling is not concerned with assigning access rights but with gathering knowledge about a person (or a group of persons) by analysing the available data.

Possible data sources for profiling include publicly available information on the internet (which people inevitably leave behind over time), but also systems built solely for the purpose of data collection.
Examples of such systems are the German “Payback” loyalty scheme (which traces people’s buying behaviour by awarding bonus points for each transaction) and the Amazon.com homepage, where you receive recommendations for new products based on your previous purchases. Credit card companies use profiling to detect card misuse, which shows up as a deviation from the cardholder’s usual usage profile.

Today there are a number of specialised search engines which compile a profile of a person from publicly available information on the internet. If you want to try it yourself, surf over to www.yasni.de (if you are looking for a German) or www.spock.com, which focuses more on US citizens.

Type 3: IMS for user-controlled context-dependent role and pseudonym management

This awkwardly named type of identity management (“IMS” simply stands for identity management system) is the kind all of us use when we want to control what kind of information, and how much of it, we leave behind when surfing the web. In this way, later profiling of your person can be prevented, hindered, or at least influenced by your wishes.

This type therefore focuses mainly on managing your own personal data, and your own privacy in general: which role you appear in, and under which pseudonym, in each separate context, so that what one site learns about you cannot simply be joined with what another site knows.
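As an added example of what “context-dependent role and pseudonym management” can look like on the user’s side (example code written for this page, not from the original post or from any FIDIS prototype), the following Python derives a separate, stable pseudonym for each context from one master secret using HMAC-SHA-256, and applies a per-context disclosure policy so that each site only ever sees the attributes the user has allowed for it. The design, the policy format, the attribute names and the demo secret are all assumptions made for the example; a real system would keep the master secret in protected storage.

```python
import base64
import hashlib
import hmac
from typing import Dict, Set

# Constructed demo secret so the example runs offline. Never use a fixed value like this in practice.
DEMO_SECRET = bytes(range(32))


class PseudonymManager:
    """User-side manager of context-dependent pseudonyms and partial identities.

    One master secret never leaves the user's machine. For each context (a web
    site, a forum, a shop) a separate pseudonym is derived with HMAC-SHA-256, so
    two sites that compare their user databases cannot link the two records, and
    a disclosure policy decides which attributes each context is allowed to see.
    """

    def __init__(self, master_secret: bytes, policy: Dict[str, Set[str]]):
        if len(master_secret) < 32:
            raise ValueError("master secret must be at least 256 bits")
        self._key = master_secret
        self._policy = policy  # context -> attributes the user agrees to disclose there

    def pseudonym(self, context: str) -> str:
        """Stable per-context name; unlinkable across contexts without the key."""
        tag = hmac.new(self._key, context.encode("utf-8"), hashlib.sha256).digest()
        # 15 bytes -> 24 base32 characters with no padding; plenty to avoid collisions.
        return "u-" + base64.b32encode(tag[:15]).decode("ascii").lower()

    def disclose(self, context: str, attributes: Dict[str, str]) -> Dict[str, str]:
        """The partial identity shown to this context: pseudonym plus allowed attributes only."""
        allowed = self._policy.get(context, set())  # unknown context: disclose nothing
        partial = {k: v for k, v in attributes.items() if k in allowed}
        partial["id"] = self.pseudonym(context)
        return partial


def linkable(a: Dict[str, str], b: Dict[str, str]) -> Set[str]:
    """Attribute values two contexts could join on if they pooled their records."""
    return {k for k in a if k in b and a[k] == b[k]}


def demo():
    """One full profile, two contexts with different policies; the two views share no value."""
    profile = {"name": "Alice Example", "email": "alice@example.org",
               "nickname": "al", "city": "Berlin"}  # constructed sample data
    pm = PseudonymManager(DEMO_SECRET, {
        "shop.example": {"name", "city"},   # the shop needs a delivery address
        "forum.example": {"nickname"},      # the forum only needs a display name
    })
    return pm.disclose("shop.example", profile), pm.disclose("forum.example", profile)


if __name__ == "__main__":
    shop_view, forum_view = demo()
    print(shop_view, forum_view, "linkable on:", linkable(shop_view, forum_view))
```

The unlinkability only holds for the attributes the policy withholds: if both sites were allowed to see the e-mail address, that single value would be enough to join the two profiles regardless of how the pseudonyms are derived, which is what the `linkable` check makes visible.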

This type of identity management will, in my opinion, draw much more attention in the future. People are starting to post even the most private matters on the web, so an IMS can pay off today, for example if you don’t want to be asked about an embarrassing YouTube video during your next job interview.

There are already a number of companies whose business is to help their customers (for a fee) by correcting such “errors”. If you consider how carelessly teenagers in particular treat their private data (on sites such as MySpace, YouTube, Twitter etc.), this business model seems to have some potential for the future.

So far, I have given a brief overview of the three types of identity management introduced by the FIDIS project.

Based on this classification, we plan to publish a number of articles, treating such exciting topics as identity federation, context-based authentication or identity management with service-oriented architectures.
