Digital Identity [Paperback]

Phillip J. Windley (Author)

Book Description

Publication Date: August 8, 2005

The rise of network-based, automated services in the past decade has definitely changed the way businesses operate, but not always for the better. Offering services, conducting transactions and moving data on the Web opens new opportunities, but many CTOs and CIOs are more concerned with the risks. Like the rulers of medieval cities, they've adopted a siege mentality, building walls to keep the bad guys out. It makes for a secure perimeter, but hampers the flow of commerce.

Fortunately, some corporations are beginning to rethink how they provide security, so that interactions with customers, employees, partners, and suppliers will be richer and more flexible. Digital Identity explains how to go about it. This book details an important concept known as "identity management architecture" (IMA): a method to provide ample protection while giving good guys access to vital information and systems. In today's service-oriented economy, digital identity is everything. IMA is a coherent, enterprise-wide set of standards, policies, certifications and management activities that enable companies like yours to manage digital identity effectively--not just as a security check, but as a way to extend services and pinpoint the needs of customers.

Author Phil Windley likens IMA to good city planning. Cities define uses and design standards to ensure that buildings and city services are consistent and workable. Within that context, individual buildings--or system architectures--function as part of the overall plan. With Windley's experience as VP of product development for Excite@Home.com and CIO of Governor Michael Leavitt's administration in Utah, he provides a rich, real-world view of the concepts, issues, and technologies behind identity management architecture.

How does digital identity increase business opportunity? Windley's favorite example is the ATM machine. With ATMs, banks can now offer around-the-clock service, serve more customers simultaneously, and do it in a variety of new locations. This fascinating book shows CIOs, other IT professionals, product managers, and programmers how security planning can support business goals and opportunities, rather than holding them at bay.

Editorial Reviews

Review

"Highly recommended" - Greg Matthews, news@UK, March 2006

About the Author

Phillip J. Windley is an Associate Professor of Computer Science at Brigham Young University. Dr. Windley is a nationally recognized expert in using information technology (IT) to add value to the business. Windley received his PhD in Computer Science from the University of California, Davis in 1990. Prior to his graduate studies, Windley worked for 4 years as a nuclear metallurgist and a member of the technical staff at the Department of Energy's Division of Naval Reactors.

Product Details

• Paperback: 256 pages
• Publisher: O'Reilly Media; 1 edition (August 8, 2005)
• Language: English
• ISBN-10: 0596008783
• ISBN-13: 978-0596008789
• Product Dimensions: 9.3 x 7.1 x 0.6 inches
• Shipping Weight: 14.9 ounces (View shipping rates and policies)
• Average Customer Review: 4.2 out of 5 stars  See all reviews (13 customer reviews)
• Amazon Best Sellers Rank: #540,421 in Books (See Top 100 in Books)

More About the Author

Phil Windley is the Founder and Chief Technology Officer of Kynetx, an early stage company providing a platform for building browser apps. He is also an Adjunct Professor of Computer Science at Brigham Young University where he teaches courses on reputation, digital identity, large-scale system design, and programming languages. Phil writes the popular Technometria blog and is a frequent contributor to various technical publications. He is also the author of the book Digital Identity from O'Reilly Media.

Prior to joining BYU, Phil spent two years as the Chief Information Officer (CIO) for the State of Utah, serving on Governor Mike Leavitt's Cabinet and as a member of his Senior Staff. Before entering public service, Phil was Vice President for Product Development and Operations at Excite@Home and Chief Technology Officer (CTO) of iMALL, Inc. an early creator of electronic commerce tools. Phil serves on the Boards of Directors and Advisory Boards for several high-tech companies. Phil received his Ph.D. in Computer Science from Univ. of California, Davis in 1990.

Customer Reviews

Most Helpful Customer Reviews

10 of 10 people found the following review helpful:

5.0 out of 5 stars Excellent architectural overview of identity management, September 29, 2005

By 

Jack D. Herrington "engineer and author" (Silicon Valley, CA) - See all my reviews
(VINE VOICE)    (REAL NAME)   

This review is from: Digital Identity (Paperback)

If you are looking for an architectural level book on tracking and maintaining identity in distributed systems this book is for you. If you are looking for something about managing your personal digital identity, there is nothing here for you. In addition those looking for code samples beware. There are some XML code fragments but this is an architectural level book, which means, no code.

The writing is great, and the illustrations are used well to cut through what are often some complex interactions between multiple digital authorities. Definitely worth the look if you know what you are getting.

14 of 16 people found the following review helpful:

4.0 out of 5 stars Very Good Discussion of IT Governance and Digital Identity, August 29, 2005

By 

Christopher Byrne "The Business Controls Caddy" (Atlanta, GA USA) - See all my reviews
(REAL NAME)   

This review is from: Digital Identity (Paperback)

When I received Digital Identity (234 Pages, O'Reilly, 2005, ISBN 0596008783) for review, I was fully expecting I would be slogging through a deep technical dive into identity management architectures (IMA). Boy, was I wrong. What I got was a extremely thorough discussion of identity management architectures within the context of information systems (IS) governance processes. This is the first time I have read a book that so thoroughly weaves technical discussions (at an appropriate level for the intended audience) with a full discussion of the IS governance frameworks that are essential to success when implementing an IMA. There is only one place where Phillip Windley, former CIO of the State of Utah, falls short in this book.

Windley is up front in stating that management of digital identities is fundamental to success in information technology. He also makes it clear that the purpose of the book is not to show how to design and implement an IMA. It is about understanding IMAs in a business context. Windley also does an excellent job at showing why critics of digital rights management (DRM) (as enforced by the movie and record industries), are doing more of a disservice by framing the DRM dialog in the wrong context. A such, people are predisposed in their opinions whenever the discussion comes up in any context.

Stating this up front, the reader of the book will walk through an explanation of what digital identity is, the concept of trust, the lifecycle of digital identity, and the business reasons for it. After laying the groundwork, as well as covering interoperability and federation of identity, the authors covers what really should be the best practices for any organization. By pulling from his own experiences he is able to substantiate that what he is saying is not just "theory". It is based on real experience.

This is, however, the point where I feel the author's lack of full disclosure keeps the book from being even stronger than it is. In his struggle to bring strong IS governance to the state of Utah. You see the reality is that if you come into an organization like a bull in the china shop, you are going to make enemies. From what he is written in this book, this seems to be the style he employed when trying to unify the Utah information infrastructure. The result of this, that is not covered in the book, is that he was forced to resign as CIO under the cloud of an investigation of improper hiring practices. I believe that if he had included this information in the book, along with lessons learned, the book would have been truly outstanding. Because it wasn't, I have to knock it down to 4.5 stars out of 5.

Note: In an e-mail exchange with the author, he indicated that although he strongly disagreed with what was in that report, his office never published a response to that report either formally or informally.

Who Should Read This Book

This is usually where I write a list of specific job types who should read this book, but this time I want to approach it from a different angle. This book should be read by any IT professional that wants to expand their knowledge and expertise beyond wires, pliers, and lines of code. It is this type book that will allow them to do so without totally stepping outside of their comfort zone. At the same time, it should also be read by anyone involved in IT Audit and/or governance issues. Worried that there will not be enough technical content for you? Don't. Technical matter is covered at an appropriate level to get a broad understanding, but in a way not to loose a nontechnical reader.

The Scorecard

Birdie on a Long Par 5

6 of 7 people found the following review helpful:

4.0 out of 5 stars Good introduction to IMA, November 15, 2005

By 

Ben Rothke "Author of 'Computer Security: 20 ... (USA) - See all my reviews
(REAL NAME)   

This review is from: Digital Identity (Paperback)

Many people who review their credit report for the first time are shocked to learn how many identities are linked to them. Even when there is no problem of identity theft, it is not uncommon for people to have 10 or more names linked to their credit reports due to various errors, including permutation of their name.

Just as it is difficult to maintain and manage identities in the real world, it is difficult to maintain and manage digital identities. As the digital economy is becoming more ubiquitous, the need for a single federated identity is becoming more critical. In Digital Identity, Phillip Windley details the steps needed to develop an identity management architecture (IMA).

Identity management has become a pressing need in the past few years. This has come about because networks and systems are no longer geared around a single infrastructure, and businesses have become increasingly virtual and decentralized. In previous years, there were simply internal users. Today, systems have internal users, along with external users such as consultants, contractors, third-parties, customers, collaborators, and many more. Such requirements necessitate a well-designed and planned IMA.

So what is this thing called IMA? Windley defines an IMA as the coherent, enterprise-wide set of standards, policies, certifications, and management activities that enable an organization to effectively manage digital identities.

IMA is also known as federated identity. The book notes that the real challenge in developing a federated identity infrastructure is dealing with the various different hardware and software platforms where user accounts reside, and working with different organizations and departments, including the ever-increasing amount of outsourcing. When all of that is put together, a single federated identity is not easy to come by if there is not an IMA in place.

The beauty of an IMA is that it allows an organization to securely link and exchange identity information across partner, supplier, and customer organizations, while having a single architecture. This makes identity management seamless.

The first 11 chapters of Digital Identity do a good job of introducing the underlying concepts of an IMA, including security, trust, authentication, access control, and names and directories. Without an effective security infrastructure in place, any IMA deployed will not be fully effective.

One oddity, though, is that in Chapter 6, the author defines cryptography as the science of making the cost of discovery of hidden information greater than the value of the information itself. This is the author's own characterization of cryptography and while interesting, is not how it is used in mainstream security.

Chapter 12 starts to get into the internals of federated identities. This and the rest of the chapters do not deal with the deep technical details of an IMA, rather it shows how to design and deploy the IMA in a context of a corporate environment under a single set of policies and procedures. Windley emphasizes that an IMA is not so much a technical issue, but rather a business issue that must be deployed in a business context.

This idea of a business context is manifest in Chapter 18, which deals with identity policies. The book creates what it calls an IMA policy stack, which is the interoperability framework for the IMA. The stack includes all of the elements necessary for the IMA, and comprises an identity management architecture, framework, and set of standards. The standards include all protocols and applications, from SSL, XML, LDAP, DNS, and much more. The framework includes policy issues such as naming, passwords, encryption, provisioning, and more. Finally, the architecture details the specific high-level controls (procurement, contracts, licensing, etc.) around the IMA.

The book itself is worth it solely for the information in this chapter. Anyone attempting to deploy an IMA without first getting a handle on the issues details in Chapter 18 will find that their IMA will likely be seriously deficient.

The only negatives to the book are a few too many editing mistakes that should have been caught during the editing process. Also, the author frequently discusses his own trials and tribulations of using an IMA during his short stint as CIO of the State of Utah and with previous employers. Depending on the readers' specific tastes, some my find the heavy use of the first-person anecdotes to be a negative.

Overall, Digital Identity provides the reader with a good introduction to the various areas necessary to develop a productive identity management infrastructure. Anyone planning to deploy an IMA or any sort of federated identity solution in a corporate environment will find Digital Identity a valuable reference.