Customer Reviews


13 Reviews
5 star: (8)
4 star: (2)
3 star: (1)
2 star: (2)
1 star: (0)

The most helpful favorable review
The most helpful critical review


10 of 10 people found the following review helpful:
5.0 out of 5 stars Excellent architectural overview of identity management
If you are looking for an architectural level book on tracking and maintaining identity in distributed systems this book is for you. If you are looking for something about managing your personal digital identity, there is nothing here for you. In addition those looking for code samples beware. There are some XML code fragments but this is an architectural level book,...
Published on September 29, 2005 by Jack D. Herrington

versus
3 of 3 people found the following review helpful:
2.0 out of 5 stars Poorly written high-level content.
In my opinion, this book is really feeding the buzzwords frenzy of Identity management domain. It certainly "talks the talk", but can it "walk the talk"? - Full of google-able content and no meat. I can think of numerous glaring examples where the book falls short. To name a few: SAML (huh? where is SAML 2.0), XACML, Liberty, WS-Federation
I think the book does a...
Published on February 17, 2008 by Craig Anderson



10 of 10 people found the following review helpful:
5.0 out of 5 stars Excellent architectural overview of identity management, September 29, 2005
This review is from: Digital Identity (Paperback)
If you are looking for an architectural level book on tracking and maintaining identity in distributed systems this book is for you. If you are looking for something about managing your personal digital identity, there is nothing here for you. In addition those looking for code samples beware. There are some XML code fragments but this is an architectural level book, which means, no code.

The writing is great, and the illustrations are used well to cut through what are often some complex interactions between multiple digital authorities. Definitely worth the look if you know what you are getting.


14 of 16 people found the following review helpful:
4.0 out of 5 stars Very Good Discussion of IT Governance and Digital Identity, August 29, 2005
This review is from: Digital Identity (Paperback)
When I received Digital Identity (234 Pages, O'Reilly, 2005, ISBN 0596008783) for review, I was fully expecting I would be slogging through a deep technical dive into identity management architectures (IMA). Boy, was I wrong. What I got was an extremely thorough discussion of identity management architectures within the context of information systems (IS) governance processes. This is the first time I have read a book that so thoroughly weaves technical discussions (at an appropriate level for the intended audience) with a full discussion of the IS governance frameworks that are essential to success when implementing an IMA. There is only one place where Phillip Windley, former CIO of the State of Utah, falls short in this book.

Windley is up front in stating that management of digital identities is fundamental to success in information technology. He also makes it clear that the purpose of the book is not to show how to design and implement an IMA. It is about understanding IMAs in a business context. Windley also does an excellent job at showing why critics of digital rights management (DRM) (as enforced by the movie and record industries) are doing more of a disservice by framing the DRM dialog in the wrong context. As such, people are predisposed in their opinions whenever the discussion comes up in any context.

Stating this up front, the reader of the book will walk through an explanation of what digital identity is, the concept of trust, the lifecycle of digital identity, and the business reasons for it. After laying the groundwork, as well as covering interoperability and federation of identity, the author covers what really should be the best practices for any organization. By pulling from his own experiences he is able to substantiate that what he is saying is not just "theory". It is based on real experience.

This is, however, the point where I feel the author's lack of full disclosure keeps the book from being even stronger than it is. In his struggle to bring strong IS governance to the state of Utah. You see, the reality is that if you come into an organization like a bull in the china shop, you are going to make enemies. From what he has written in this book, this seems to be the style he employed when trying to unify the Utah information infrastructure. The result of this, that is not covered in the book, is that he was forced to resign as CIO under the cloud of an investigation of improper hiring practices. I believe that if he had included this information in the book, along with lessons learned, the book would have been truly outstanding. Because it wasn't, I have to knock it down to 4.5 stars out of 5.

Note: In an e-mail exchange with the author, he indicated that although he strongly disagreed with what was in that report, his office never published a response to that report either formally or informally.

Who Should Read This Book

This is usually where I write a list of specific job types who should read this book, but this time I want to approach it from a different angle. This book should be read by any IT professional that wants to expand their knowledge and expertise beyond wires, pliers, and lines of code. It is this type of book that will allow them to do so without totally stepping outside of their comfort zone. At the same time, it should also be read by anyone involved in IT Audit and/or governance issues. Worried that there will not be enough technical content for you? Don't. Technical matter is covered at an appropriate level to get a broad understanding, but in a way not to lose a nontechnical reader.

The Scorecard

Birdie on a Long Par 5


6 of 7 people found the following review helpful:
4.0 out of 5 stars Good introduction to IMA, November 15, 2005
This review is from: Digital Identity (Paperback)
Many people who review their credit report for the first time are shocked to learn how many identities are linked to them. Even when there is no problem of identity theft, it is not uncommon for people to have 10 or more names linked to their credit reports due to various errors, including permutation of their name.

Just as it is difficult to maintain and manage identities in the real world, it is difficult to maintain and manage digital identities. As the digital economy is becoming more ubiquitous, the need for a single federated identity is becoming more critical. In Digital Identity, Phillip Windley details the steps needed to develop an identity management architecture (IMA).

Identity management has become a pressing need in the past few years. This has come about because networks and systems are no longer geared around a single infrastructure, and businesses have become increasingly virtual and decentralized. In previous years, there were simply internal users. Today, systems have internal users, along with external users such as consultants, contractors, third-parties, customers, collaborators, and many more. Such requirements necessitate a well-designed and planned IMA.

So what is this thing called IMA? Windley defines an IMA as the coherent, enterprise-wide set of standards, policies, certifications, and management activities that enable an organization to effectively manage digital identities.

IMA is also known as federated identity. The book notes that the real challenge in developing a federated identity infrastructure is dealing with the various different hardware and software platforms where user accounts reside, and working with different organizations and departments, including the ever-increasing amount of outsourcing. When all of that is put together, a single federated identity is not easy to come by if there is not an IMA in place.

The beauty of an IMA is that it allows an organization to securely link and exchange identity information across partner, supplier, and customer organizations, while having a single architecture. This makes identity management seamless.

The first 11 chapters of Digital Identity do a good job of introducing the underlying concepts of an IMA, including security, trust, authentication, access control, and names and directories. Without an effective security infrastructure in place, any IMA deployed will not be fully effective.

One oddity, though, is that in Chapter 6, the author defines cryptography as the science of making the cost of discovery of hidden information greater than the value of the information itself. This is the author's own characterization of cryptography and while interesting, is not how it is used in mainstream security.

Chapter 12 starts to get into the internals of federated identities. This and the rest of the chapters do not deal with the deep technical details of an IMA; rather, they show how to design and deploy the IMA in the context of a corporate environment under a single set of policies and procedures. Windley emphasizes that an IMA is not so much a technical issue, but rather a business issue that must be deployed in a business context.

This idea of a business context is manifest in Chapter 18, which deals with identity policies. The book creates what it calls an IMA policy stack, which is the interoperability framework for the IMA. The stack includes all of the elements necessary for the IMA, and comprises an identity management architecture, framework, and set of standards. The standards include all protocols and applications, from SSL, XML, LDAP, DNS, and much more. The framework includes policy issues such as naming, passwords, encryption, provisioning, and more. Finally, the architecture details the specific high-level controls (procurement, contracts, licensing, etc.) around the IMA.

The book itself is worth it solely for the information in this chapter. Anyone attempting to deploy an IMA without first getting a handle on the issues detailed in Chapter 18 will find that their IMA will likely be seriously deficient.

The only negatives to the book are a few too many editing mistakes that should have been caught during the editing process. Also, the author frequently discusses his own trials and tribulations of using an IMA during his short stint as CIO of the State of Utah and with previous employers. Depending on the readers' specific tastes, some may find the heavy use of the first-person anecdotes to be a negative.

Overall, Digital Identity provides the reader with a good introduction to the various areas necessary to develop a productive identity management infrastructure. Anyone planning to deploy an IMA or any sort of federated identity solution in a corporate environment will find Digital Identity a valuable reference.


3 of 3 people found the following review helpful:
2.0 out of 5 stars Poorly written high-level content., February 17, 2008
This review is from: Digital Identity (Paperback)
In my opinion, this book is really feeding the buzzwords frenzy of Identity management domain. It certainly "talks the talk", but can it "walk the talk"? - Full of google-able content and no meat. I can think of numerous glaring examples where the book falls short. To name a few: SAML (huh? where is SAML 2.0), XACML, Liberty, WS-Federation
I think the book does a below average job of providing practical information. Even the content does not flow very smoothly and coherently.
I wasted my money, now this book is going to be on my shelf collecting dust.


1 of 1 people found the following review helpful:
5.0 out of 5 stars Excellent book on Identity Management, July 26, 2007
This review is from: Digital Identity (Paperback)
Identity Management is my day to day job as our company heavily focuses on various IAM initiatives. I was always looking for a book that can give enough material on how to go about designing and deploying IAM solutions. This book is the one for it. This book really deserves 5 stars.
Thanks,
Ramnath Krishnamurthi,
C.E.O
Like Minds Consulting Inc,
New York, U.S.A


1 of 1 people found the following review helpful:
5.0 out of 5 stars If you want to know IDM and do not know where to start!, May 3, 2006
Amazon Verified Purchase
This review is from: Digital Identity (Paperback)
One of the best coverings of the Identity Management space and I am sure that Phillip could have written several thousand more pages on the subject.

Excellent for any CXO that thinks there might be something to this Identity Management.

I wish all the CXOs I have worked with in this space had read this book, it would sure save them and me a lot of time and them a lot of money wasted on "stop-gaps" that are sure to be dead-on-delivery projects.


4 of 6 people found the following review helpful:
5.0 out of 5 stars Short but useful intro to identity management, January 4, 2007
This review is from: Digital Identity (Paperback)
This book is designed to familiarize CIOs, IT managers, and other IT professionals with the language, concepts, and technology of digital identity. Managing digital identity is one of the most fundamental activities in IT and a good identity management strategy is the key to not only protecting the enterprise from attack, but, more important, providing flexible access for partners, customers, and employees to needed information and systems.

This book is not a book with code examples and recipes for building digital identity management systems. Even so, it is a technical book that explains the technology of digital identity in some detail. More importantly, the book puts the technology in context and shows how it can all be put to the task of managing digital identities inside your organization.

The book is divided into three sections. The first section is about the core concepts in digital identity, including privacy and trust. The second section discusses the technology of digital identity. The third section portrays in some detail a process, called an identity management architecture (IMA), that you can use to build a digital identity infrastructure in your organization, regardless of its size or organization. The information in the last section is prescriptive in nature. Because of his experiences, the author has a clear philosophy on how to build an IMA. He therefore presents a rather detailed series of steps that show how to create an IMA and how to use it. I found the book quite accessible, and this isn't even an area of my expertise. I would recommend it for anyone trying to get started in the field, especially if you're a manager. The following is the table of contents:

Chapter 1. Introduction
Section 1.1. Business Opportunity
Section 1.2. Digital Identity Matters
Section 1.3. Using Digital Identity
Section 1.4. The Business Context of Identity
Section 1.5. Foundational Technologies for Digital Identity
Section 1.6. Identity Management Architectures

Chapter 2. Defining Digital Identity
Section 2.1. The Language of Digital Identity
Section 2.2. Identity Scenarios in the Physical World
Section 2.3. Identity, Security, and Privacy
Section 2.4. Digital Identity Perspectives
Section 2.5. Identity Powershifts
Section 2.6. Conclusion

Chapter 3. Trust
Section 3.1. What Is Trust?
Section 3.2. Trust and Evidence
Section 3.3. Trust and Risk
Section 3.4. Reputation and Trust Communities
Section 3.5. Conclusion

Chapter 4. Privacy and Identity
Section 4.1. Who's Afraid of RFID?
Section 4.2. Privacy Pragmatism
Section 4.3. Privacy Drivers
Section 4.4. Privacy Audits
Section 4.5. Privacy Policy Capitalism
Section 4.6. Anonymity and Pseudonymity
Section 4.7. Privacy Principles
Section 4.8. Prerequisites
Section 4.9. Conclusion

Chapter 5. The Digital Identity Lifecycle
Section 5.1. Provisioning
Section 5.2. Propagating
Section 5.3. Using
Section 5.4. Maintaining
Section 5.5. Deprovisioning
Section 5.6. Conclusion

Chapter 6. Integrity, Non-Repudiation, and Confidentiality
Section 6.1. Integrity
Section 6.2. Non-Repudiation
Section 6.3. Confidentiality
Section 6.4. Conclusion

Chapter 7. Authentication
Section 7.1. Authentication and Trust
Section 7.2. Authentication Systems
Section 7.3. Authentication System Properties
Section 7.4. Conclusion

Chapter 8. Access Control
Section 8.1. Policy First
Section 8.2. Authorization Patterns
Section 8.3. Abstract Authorization Architectures
Section 8.4. Digital Certificates and Access Control
Section 8.5. Conclusion

Chapter 9. Names and Directories
Section 9.1. Utah.gov: Naming and Directories
Section 9.2. Naming
Section 9.3. Directories
Section 9.4. Aggregating Directory Information
Section 9.5. Conclusion

Chapter 10. Digital Rights Management
Section 10.1. Digital Leakage
Section 10.2. The DRM Battle
Section 10.3. Apple iTunes: A Case Study in DRM
Section 10.4. Features of DRM
Section 10.5. DRM Reference Architecture
Section 10.6. Trusted Computing Platforms
Section 10.7. Specifying Rights
Section 10.8. Conclusion

Chapter 11. Interoperability Standards
Section 11.1. Standards and the Digital Identity Lifecycle
Section 11.2. Integrity and Non-Repudiation: XML Signature
Section 11.3. Confidentiality: XML Encryption
Section 11.4. Authentication and Authorization Assertions
Section 11.5. Example SAML Use Cases
Section 11.6. Identity Provisioning
Section 11.7. Representing and Managing Authorization Policies
Section 11.8. Conclusion

Chapter 12. Federating Identity
Section 12.1. Centralized Versus Federated Identity
Section 12.2. The Mirage of Centralized Efficiency
Section 12.3. Network Effects and Digital Identity Management
Section 12.4. Federation in the Credit Card Industry
Section 12.5. Benefits of Federated Identity
Section 12.6. Digital Identity Standards
Section 12.7. Three Federation Patterns
Section 12.8. Conclusion

Chapter 13. An Architecture for Digital Identity
Section 13.1. Identity Management Architecture
Section 13.2. The Benefits of an Identity Management Architecture
Section 13.3. Success Factors
Section 13.4. Roadblocks
Section 13.5. Identity Management Architecture Components
Section 13.6. Conclusion

Chapter 14. Governance and Business Modeling
Section 14.1. IMA Lifecycle
Section 14.2. IMA Governance Model
Section 14.3. Initial Steps
Section 14.4. Creating a Vision
Section 14.5. IMA Governing Roles
Section 14.6. Resources
Section 14.7. What to Outsource
Section 14.8. Understanding the Business Context
Section 14.9. Business Function Matrix
Section 14.10. IMA Principles
Section 14.11. Conclusion

Chapter 15. Identity Maturity Models and Process Architectures
Section 15.1. Maturity Levels
Section 15.2. The Maturity Model
Section 15.3. The Rights Steps at the Right Time
Section 15.4. Finding Identity Processes
Section 15.5. Evaluating Processes
Section 15.6. A Practical Action Plan
Section 15.7. Filling the Gaps with Best Practices
Section 15.8. Conclusion

Chapter 16. Identity Data Architectures
Section 16.1. Build a Data Architecture
Section 16.2. Processes Link Identities
Section 16.3. Data Categorization
Section 16.4. Identity Data Structure and Metadata
Section 16.5. Exchanging Identity Data
Section 16.6. Principles for Identity Data
Section 16.7. Conclusion

Chapter 17. Interoperability Frameworks for Identity
Section 17.1. Principles of a Good IF
Section 17.2. Contents of an Identity IF
Section 17.3. Example Interoperability Framework
Section 17.4. A Word of Warning
Section 17.5. Conclusion

Chapter 18. Identity Policies
Section 18.1. The Policy Stack
Section 18.2. Attributes of a Good Identity Policy
Section 18.3. Determining Policy Needs
Section 18.4. Writing Identity Policies
Section 18.5. An Identity Policy Suite
Section 18.6. Assessing Identity Policies
Section 18.7. Enforcement
Section 18.8. Procedures
Section 18.9. Conclusion

Chapter 19. Identity Management Reference Architectures
Section 19.1. Reference Architectures
Section 19.2. Benefits and Pitfalls
Section 19.3. Reference Architecture Best Practices
Section 19.4. Using a Reference Architecture
Section 19.5. Components of a Reference Architecture
Section 19.6. Technical Position Statements
Section 19.7. Consolidated Infrastructure Blueprint
Section 19.8. System Reference Architectures
Section 19.9. Conclusion

Chapter 20. Building an Identity Management Architecture
Section 20.1. Scoping the Process
Section 20.2. Which Projects Are Enterprise Projects?
Section 20.3. Sequencing the IMA Effort
Section 20.4. A Piece at a Time
Section 20.5. Conclusion: Dispelling IMA Myths


2 of 3 people found the following review helpful:
3.0 out of 5 stars high-level concepts but no practical guidance, March 21, 2007
This review is from: Digital Identity (Paperback)
This book gives a hello world introduction about digital identity concepts and nothing beyond. The book absolutely fails and falls short on explaining the identity management standards and technologies related to single sign-on, federation, provisioning and assurance. From a real-world IDMS deployment perspective the book is truly misleading!


2.0 out of 5 stars Confusing technology with delivery management, January 6, 2010
By Seetharama Rao V. Durbha (Fremont, CA United States)
Amazon Verified Purchase
This review is from: Digital Identity (Paperback)
Though this book covers some basic issues surrounding identity management, the architecture part is very weak. What I felt is that the author is confusing delivery management with the technology itself. Major sections of the book (under the guise of governance) are devoted to people and expectation management and politics rather than technology. The majority of what is discussed is applicable universally to execution of any project in any decent sized organization. Not that this book has nothing to offer on IMA itself - but it is too generic and very little on actual technology.


5.0 out of 5 stars Clear and comprehensive, November 24, 2006
This review is from: Digital Identity (Paperback)
Ever noticed how many of the most useful books are really short? Kernighan and Ritchie on C Programming and Kent Beck on Extreme Programming come to mind. Well, now we have a short, to the point, and similarly useful book on identity: Phil Windley's book, "Digital Identity". Increased integration, security concerns, distributed computing, SOA and Web Services, privacy issues, crimeware/malware, and compliance all conspire to make identity a mission critical element in software architecture. Many of the key concerns get conflated and confused amidst the buzzwords and arcane terminology used by the identerati. What is needed is conceptual clarity about the key elements in identity management architecture, and how they relate to each other as well as the software platform and its users.

Phil Windley's book, "Digital Identity" delivers the needed clarity, breaking down identity management architecture into Process Architecture ("how your business accomplishes identity related tasks and how they should be accomplished in the future."), Data Architecture ("The data architecture is a model of the identity data in your organization"), and Technical Reference Architecture ("how the IMA communicates implementation guidance to system architects"). None of these architectural elements are a vendor-specific solution, so architecture is required to design the correct approach for your organization. Windley describes two important parts of an IMA - Policies ("crucial in creating identity infrastructures that work for the simple reason that it's impossible to create technical solutions to every problem.") and Interoperability Framework ("list of standards that your organization has chosen to support and use."). The supporting website contains useful policy templates for a wide variety of identity policy domains.

The early chapters deal with setting a consistent terminology for identity data and processes. Chapter 5 defines an identity lifecycle including two helpful in-the-trenches observations: 1) that identity maintenance is one of the most costly areas and 2) deprovisioning is just as important as the notion of provisioning. Chapter 6 talks about cryptosystems, message digests, hashing, and related infrastructure (such as PKI); the part I found most useful is that Windley shows what solutions deliver particular properties such as confidentiality, integrity, and non-repudiation.

Refreshing discussion in Chapter 8 on Access Control and Principle of least privilege in the real world. Many security policies blithely state (and restate) the principle of least privilege, but in reality when it is assumed but in place this creates an issue. This chapter also has a good RBAC discussion. Chapter 9 draws important distinctions between directory services and relational databases, and gives prescriptive guidance on where each is appropriate. Chapter 9 also introduces the notion of metadirectories and virtual directories. Again, these concepts are mapped directly by Windley to the specific issues they solve, making the book a very handy design partner for identity management architects.

Chapter 11 correlates standards to the identity lifecycle. SPML is geared towards provisioning, propagating, and deprovisioning; SAML is geared towards using identity; and XACML is geared towards maintaining identity (I am not sure why XACML is not included in using identity though). The power and challenges of SAML and XACML are well defined; some additional examples would be helpful. For traditional information security people who need to understand how these important XML-based technologies work in decentralized SOA and Web Services systems, this chapter will be very helpful.

Chapter 12 on federating identity is my favorite. "Mirage of centralized efficiency...Centralized digital identity systems do not scale. Identity relationships are inherently web-like in structure while centralized technologies like directories are hierarchical." Windley also points out lack of privacy support in SAML (which is why Dick Hardt calls federation Identity 1.5). The latter chapters show example identity data architectures, technical reference architecture, and other elements. In sum, this book is extremely useful at the conceptual level for identity architects to think/plan/act strategically and real world in the trenches advice on how to execute tactically.


Digital Identity by Phillip J. Windley (Paperback - August 8, 2005)