Chris said:
> Oh great, another "_____ management" buzzword.
It has too much traction and too much staying power to be called a
buzzword. Federated Identity Management is something of a buzzword, but
even that has been around since approx. 2002. (I don't happen to care
much about FIM because I'm not in the B2B sector.) You likely haven't
heard of it because IM is largely an administrative/management issue and
is particular to large organizations.
> What, exactly, do you want to make a case for? I've spent a few minutes
> now looking around the Internet, and as far as I can see "identity
> management" is just a fad-ish term meaning authentication.
Certainly authentication services are a central piece, but there is
more. One needn't look any further than user provisioning to see some
value. In my case I'm looking at creating some 30K users across about 10
applications (not everyone will have access to everything, but there
will be a significant number of combinations). The second phase will
involve about another 60K, but these will be limited to 2-3
applications. Given that some of the legacy apps utilize proprietary
storage and cannot be scripted, one is forced to hire a bunch of
typists, then waste additional money having users vet the data and
submit help desk requests to fix all of the errors. That's a lot of
money wasted when a scriptable, centralized approach would be much
faster, much more accurate and cheaper to maintain. Add to that number
the existing 5K users and you are into a realm where a cogent strategy
for IM is the only reasonable approach. How else does one manage the
consistency and accuracy of all the duplicated data sitting in some half
million user records stored in a dozen different formats on who knows
how many servers? Perhaps that is one of the things I'm after, though:
where is the threshold beyond which centralized IM makes sense?
> Literally millions of software applications do authentication
Lack of standardization is indeed part of the problem...
> , and when it's a
> requirement, I seriously doubt you'll have a hard time making the case
> for it.
That is a truism; if it's a requirement the case has already been made.
> If there's something besides authentication that you want... something
> specific, perhaps, like single sign-on between systems or
> challenge/response authentication schemes (both of which I found
> described as "identity management", for example), then it might help to
> be more specific about that.
I'm not at all interested in the mechanics of authentication; that is
encapsulated in the IM software, and the risk analysis utilized to pick
the desired protocols is a business decision. From a programmer's
perspective, my intent is merely to write a new JAAS LoginModule once
the customer picks an IM solution. I'm bringing the issue forward since
my gut tells me that this volume of data, the disparate data formats and
the amount of duplication in a decentralized model sounds like trouble.
I'm also pitching it because as an ISV it limits my liability. Why would
I want to shoulder the cost of notifying people in the event of a
privacy breach? I'd prefer to leave the mechanics and risks of
authentication to someone else, because the cost of 100K stamps alone is
more than I want to eat.
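The provisioning and consistency argument in Chris's post (one canonical record pushed out to many app-specific stores, and the drift that accumulates when each app is maintained by hand) can be made concrete with a small script. The following is an added example, not code from the thread or from any IM product: the three application schemas, the adapter functions and the sample identities are all constructed and hypothetical. It shows the two things a centralized approach buys: scripted fan-out into each application's own format, and a reconciliation pass that reports records that are missing, stale, or orphaned (access that persists for someone no longer entitled to the app, which is the finding a security reviewer cares most about).

```python
"""Centralized provisioning and drift detection across app-specific user stores.

Added illustration; the stores, schemas, names and addresses are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Identity:
    """Canonical record, held once in the central directory."""
    uid: str
    given: str
    surname: str
    email: str
    entitlements: frozenset  # names of applications this person may use


# Each (hypothetical) application keeps its own schema and key. An adapter
# projects the canonical record into that schema, so a script, not a typist,
# creates the same person in every application.
def to_hr(i: Identity) -> Tuple[str, dict]:
    return i.uid, {"first": i.given, "last": i.surname, "mail": i.email}


def to_crm(i: Identity) -> Tuple[str, dict]:
    return i.email.lower(), {"name": f"{i.given} {i.surname}", "login": i.uid}


def to_billing(i: Identity) -> Tuple[str, dict]:
    return i.uid, {"account": i.uid, "display": f"{i.surname}, {i.given}"}


ADAPTERS: Dict[str, Callable[[Identity], Tuple[str, dict]]] = {
    "hr": to_hr, "crm": to_crm, "billing": to_billing,
}


def provision(identities: List[Identity], stores: Dict[str, dict]) -> Dict[str, int]:
    """Write each identity into the stores it is entitled to; return rows written per app."""
    written = {app: 0 for app in ADAPTERS}
    for ident in identities:
        for app in ident.entitlements:
            key, row = ADAPTERS[app](ident)
            stores.setdefault(app, {})[key] = row
            written[app] += 1
    return written


def reconcile(identities: List[Identity], stores: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Compare every app store against the canonical directory.

    Returns sorted (app, key, finding) triples:
      missing - an entitled person has no row in the app
      stale   - the row exists but differs from the canonical projection
      orphan  - a row exists for nobody entitled to the app (leftover access)
    """
    expected: Dict[str, Dict[str, dict]] = {app: {} for app in ADAPTERS}
    for ident in identities:
        for app in ident.entitlements:
            key, row = ADAPTERS[app](ident)
            expected[app][key] = row
    findings = []
    for app, want in expected.items():
        have = stores.get(app, {})
        for key, row in want.items():
            if key not in have:
                findings.append((app, key, "missing"))
            elif have[key] != row:
                findings.append((app, key, "stale"))
        for key in have:
            if key not in want:
                findings.append((app, key, "orphan"))
    return sorted(findings)


# Constructed sample data; every name and address is made up.
SAMPLE = [
    Identity("u1001", "Ada", "Lovelace", "ada@example.test", frozenset({"hr", "crm", "billing"})),
    Identity("u1002", "Alan", "Turing", "alan@example.test", frozenset({"hr", "crm"})),
    Identity("u1003", "Grace", "Hopper", "grace@example.test", frozenset({"hr"})),
]


def demo() -> List[Tuple[str, str, str]]:
    """Provision cleanly, then introduce the three kinds of drift and report them."""
    stores: Dict[str, dict] = {}
    provision(SAMPLE, stores)
    stores["hr"]["u1002"]["mail"] = "alan@oldhost.test"                      # stale: edited locally
    del stores["billing"]["u1001"]                                           # missing: never created
    stores["crm"]["former@example.test"] = {"name": "X", "login": "u0999"}   # orphan: nobody entitled
    return reconcile(SAMPLE, stores)


if __name__ == "__main__":
    for app, key, what in demo():
        print(f"{app:8} {key:22} {what}")
```

Running the module prints one line per finding. In practice the adapters would call each application's real provisioning interface (LDAP, a vendor API, or a generated import file for the legacy apps Chris mentions), but the shape is the same: one source of truth, deterministic projection into each store, and a scheduled reconciliation so that duplicated data cannot silently diverge.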