An IMA probably sounds like a lot of work. In fact, the very idea of policies and rules may be somewhat distasteful to you. First, recognize that an IMA isn't something that you build in one fell swoop, but is really a name for an ongoing process that helps system designers, programmers, and others in your organization build and use the digital identity infrastructure.
As you contemplate the effort involved in creating an IMA for your organization, you may have some concern about whether it can really work. If so, you may still believe some of the myths about digital identity and enterprise planning.
The first myth goes something like, "This is great for a smaller organization, but we're too complex for this level of planning." The truth is, the more complex you are, the more you have to rely on interoperability to get strategic value out of identity. Without interoperable systems, you'll find that even the smallest of tasks become huge projects, since they have to be fitted into the ad hoc infrastructure that has grown up over time. Fight this myth by creating a vision and piloting the IMA in a self-contained business unit.
The second myth is just the opposite: "This is great for a larger organization, but we don't have the staff or time to manage this effort." The IMA process can be adapted to even the smallest of organizations. The process can be scaled to fit most situations. In small organizations, the IMA effort is made easy by the fact that there are usually a few recognized decision makers and the group arrives at consensus fairly easily because of shared goals. You may already have a good handle on process and identity data, so start with an interoperability framework and some baseline policies. Build a reference architecture and follow it. This will provide a good foundation as your business grows.
The third myth is a variation on the second: "An IMA is great for an organization that has a tradition of planning, but we've always prided ourselves on being nimble." In fact, most organizations that can say this with a straight face do plan; they just don't recognize it as such. The prescription is largely the same as for the last myth. Don't build a straitjacket. Make the governance process fit your traditions, but set standards and policies to guide system development.
The fourth myth says, "We'll spend all our time planning and none of it executing." This myth misses the point that the IMA should be built to fit the organization and its needs. Pick the places in your organization where having good identity infrastructure would make the most difference. Engage in an IMA process for that piece and then repeat on the next priority. Whatever you do, do something.
The last myth is common in many IT shops: "Interoperability is about buying (or building) the right technology." Many technologists wish this were true, and act as if it were. The result is a litany of failed projects that never meet their goals because they missed the important governance and modeling steps necessary for success. Smart CIOs and IT managers know that good IT is much more than buying the right product.
Using Digital Identity
How your organization manages digital identities will have a great impact on whether you are constantly fighting problems brought on by a lack of attention to identity management or whether you are exploiting opportunities enabled by a flexible and rational digital identity infrastructure. Building that infrastructure depends on having the right strategy. I'm confident that identity management architecture can help you develop your strategy and the right infrastructure.
Phil Windley is an Associate Professor of Computer Science at Brigham Young University.