Wow. I would never have thought that my first post after IIW wouldn’t come until Catalyst. I’ve been absolutely absorbed in my work helping angel investors with Angelsoft, as we’re releasing Version 3.0 of the platform on August 1st (and it is going to be SICK!). Fortunately, I’ve got a little more time now that we’re out of the product development stage, so I’m back at the keyboard.Even more fortunate, is the fact that I’m at Burton’s Catalyst Conference! For those of you who don’t know, Burton has long had the strongest Identity practice in the industry and has played a major role in helping enterprises understand the identity problem. I’ve been a proponent of applying the lessons learned from the enterprise to the issues we’re trying to solve for the internet, and this conference has only served to further that belief. Anyone who is working on the issues surrounding internet identity and doesn’t think the work being done in the enterprise is relevant is just kidding themselves. They’ve been doing it way longer, with way more people; and they’ve been forced to be extraordinarily rigorous, as they are controlling access to trillions in assets.It’s easy to see why this lack of communication between the two communities exists. As I’ve written before, the origins of the internet identity movement were deeply idealistic and anti-corporate. Much of the energy comes from a desire to usher in a sci-fi vision of the virtual worlds portrayed in books like Snow Crash or Down and Out in the Magic Kingdom. What could the short-sleeved, button-down wearing IT servants of the corporate machine have to say about this brave new world?It turns out a lot. The first thing to remember about the enterprise space is that many of these enterprises have tens of thousands of people, offices in dozens of countries, and hundreds of applications that each of their employees use. Moreover, through acquisitions and the fiefdoms that naturally arise in organizations of this scale, there is rarely any consistent architecture from team to team or office to office. In fact, when you begin to look inside these organizations, you quickly realize that these massive intranets have almost all the same characteristics as the World Wide Web.To get a sense of some of the issues they have dealt with that the internet identity movement has just begun to look at, let’s take a look at a few:
- International Regulations: Hearing from George Sherman about the constraints put on Morgan Stanley’s efforts to build an Identity system, given that they have to comply with dozens of regulatory jurisdictions, clearly demonstrates the hazards we are likely to face as we grapple with the widely divergent privacy legislation emerging throughout the world.
- Revocation: Employees move on (often not by their own choice). Enterprises understand all the complexities of revoking access to multiple systems.
- Federation: Companies need to work with partners, suppliers, consultants and a multitude of other organizations. They’ve dealt with the issues required to enable people from other organizations to access to their secure systems.
- Usability: The enterprise has experimented with hundreds of Identity Management products and has an extremely tight feedback loop with their users. We can learn from their UI sucesses and failures.
- Roles: Enterprises have had to deal with fine-grained permissioning for decades. What kind of employees should have access to which details of a customer isn’t too far from wanting to let your mom see your baby’s first step, but not your drunken exploits from the weekend that’s all the rage with your friends.
- Monitoring: Enterprises need to know when someone’s credentials have been compromised so they can take immediate action. What happens when someone’s internet ID has been compromised? How do we even know and what do we do?
- Concensus Building: Getting different business units to agree on a framework is no less easy than getting Google and Microsoft to agree (okay… maybe a LITTLE easier). Regardless, spend a half-hour speaking with a CIO who’s implemented a company-wide identity management project, and you will quickly learn how expert they are at building concensus around a project.
These are just a few examples, but it’s clear the enterprise has dealt with identity issues for a long time and solved use-cases many in the internet identity community have yet to consider. We need to learn from them, so we don’t make the same mistakes or repeat work that’s already been done. I don’t know exactly how to start this dialog, but it’s one that needs to begin. Any suggestions? That’s what Comments are for.