4 of 4 people found this review helpful
- Published on Amazon.com
Format: Kindle Edition
I selected this book based on an upcoming IAM project I'd be involved in, and on Amazon reader recommendations (overly positive, as it turns out). The book, written around 2003, is a bit outdated in some points, but this is not too much of an issue given its focus: governance, broad principles of identity management, high-level theoretical guidelines of architecture. Sure, it is a good refresh of the high-level governance principles that should guide identity management projects from a managerial perspective.
But the book clearly lacks substance when it comes to the practical implementation. While it is of some help during the planning phase of IM projects, it essentially stops where one wants to start. Conceptual approach, theoretical design, and planning are one thing. Implementing is another, totally absent here. The book will not help in areas like dimensioning, practical issues and pitfalls, product evaluation, actual design and architecture, ROI, cost vs. benefit and such. It is totally lacking any how-to.
The book starts the traditional way: explaining what digital identity is. This is followed by about 8 chapters about the constituents of identity management, including authentication, trust, integrity, non-repudiation, and even digital rights management. Except for a very brief refresher, I think these have no place here and they should have been summarized in one single chapter. Other books treat this much better, and many readers will find this part somewhat boring, given it is background knowledge for any CISSP-level security person. The DRM chapter (Chapter 10), and some other parts in this area, are even irrelevant, in my view.
This first part is followed by two chapters on (11) Interoperability Standards and (12) Federating Identity. Here again, the Interoperability Standards chapter goes into unneeded technical details and misses the point. It is not giving the reader an understanding of the real issues: interoperability for what purpose? What are the issues? How can we go about them?
On the other hand, the Federating Identity chapter should probably be substantially expanded, as it is the meat of what identity management is about today. Three or four chapters should probably be devoted to this, and they should include practical examples of scenarios and architectures. It should be shown why identity federation is key, but again, the chapter does not go beyond very high-level and theoretical principles.
Finally, the book concludes with about eight chapters on architecture, governance, policies and such. While these give an idea of what is required in a well governed enterprise with an advanced maturity model, once again, these chapters lack real practical usability. In addition, this part is really not specific to identity management, but is rather a short summary of what has to be done in terms of governance, enterprise and reference architectures, and policy management.
Having read the book, I'm kind of disappointed. Facing a real project on identity management, the reader will surely think: good, and now, what do we do? Possibly, it may please the high-level manager who is only seeking to understand what identity management is about, with no intention to get involved in the project.
This other reader, Prasad Reddy, summarizes it very well: "The book absolutely fails and falls short on explaining the identity management standards and technologies related to single sign-on, federation, provisioning and assurance. From a real-world IDMS deployment perspective the book is truly misleading!" Why so many gave it 4 or 5 stars is unclear. I'd hesitate between 2 and 3.
Useless, no, but I will still have to look out for something more usable in real life.
7 of 9 people found this review helpful
- Published on Amazon.com
Many people who review their credit report for the first time are shocked to learn how many identities are linked to them. Even when there is no problem of identity theft, it is not uncommon for people to have 10 or more names linked to their credit reports due to various errors, including permutation of their name.
Just as it is difficult to maintain and manage identities in the real world, it is difficult to maintain and manage digital identities. As the digital economy is becoming more ubiquitous, the need for a single federated identity is becoming more critical. In Digital Identity, Phillip Windley details the steps needed to develop an identity management architecture (IMA).
Identity management has become a pressing need in the past few years. This has come about because networks and systems are no longer geared around a single infrastructure, and businesses have become increasingly virtual and decentralized. In previous years, there were simply internal users. Today, systems have internal users, along with external users such as consultants, contractors, third-parties, customers, collaborators, and many more. Such requirements necessitate a well-designed and planned IMA.
So what is this thing called IMA? Windley defines an IMA as the coherent, enterprise-wide set of standards, policies, certifications, and management activities that enable an organization to effectively manage digital identities.
IMA is also known as federated identity. The book notes that the real challenge in developing a federated identity infrastructure is dealing with the various different hardware and software platforms where user accounts reside, and working with different organizations and departments, including the ever-increasing amount of outsourcing. When all of that is put together, a single federated identity is not easy to come by if there is not an IMA in place.
The beauty of an IMA is that it allows an organization to securely link and exchange identity information across partner, supplier, and customer organizations, while having a single architecture. This makes identity management seamless.
The first 11 chapters of Digital Identity do a good job of introducing the underlying concepts of an IMA, including security, trust, authentication, access control, and names and directories. Without an effective security infrastructure in place, any IMA deployed will not be fully effective.
One oddity, though, is that in Chapter 6, the author defines cryptography as the science of making the cost of discovery of hidden information greater than the value of the information itself. This is the author's own characterization of cryptography and, while interesting, is not how it is used in mainstream security.
Chapter 12 starts to get into the internals of federated identities. This and the rest of the chapters do not deal with the deep technical details of an IMA; rather, they show how to design and deploy the IMA in the context of a corporate environment under a single set of policies and procedures. Windley emphasizes that an IMA is not so much a technical issue, but rather a business issue that must be deployed in a business context.
This idea of a business context is manifest in Chapter 18, which deals with identity policies. The book creates what it calls an IMA policy stack, which is the interoperability framework for the IMA. The stack includes all of the elements necessary for the IMA, and comprises an identity management architecture, framework, and set of standards. The standards include all protocols and applications, from SSL, XML, LDAP, DNS, and much more. The framework includes policy issues such as naming, passwords, encryption, provisioning, and more. Finally, the architecture details the specific high-level controls (procurement, contracts, licensing, etc.) around the IMA.
The book itself is worth it solely for the information in this chapter. Anyone attempting to deploy an IMA without first getting a handle on the issues detailed in Chapter 18 will find that their IMA will likely be seriously deficient.
The only negatives to the book are a few too many editing mistakes that should have been caught during the editing process. Also, the author frequently discusses his own trials and tribulations of using an IMA during his short stint as CIO of the State of Utah and with previous employers. Depending on the reader's specific tastes, some may find the heavy use of first-person anecdotes to be a negative.
Overall, Digital Identity provides the reader with a good introduction to the various areas necessary to develop a productive identity management infrastructure. Anyone planning to deploy an IMA or any sort of federated identity solution in a corporate environment will find Digital Identity a valuable reference.