Tuesday, December 11

User-Centricity in the Enterprise

Most of the on-line discussions about Identity Management over the past few years seem to have been about consumer authentication. The industry has developed solutions for user-centric authentication models. I'm not going to go into detail here or try to define those models. But, now that OpenID and other technologies has brought the user-centric model to reality, I'm beginning to see more chatter about user-centricity in the enterprise.

Patrick Harding doesn't seem to think that the enterprise is the right place for a user-centric model. I agree. I also agree with Pamela Dingle who noted that user-centric technology may be useful in an enterprise for the purpose of users keeping some information up-to-date.
I would qualify that, though, by saying that it's only going to be the information that the enterprise decides is unimportant enough to leave in users' hands. Companies never allow employees to update critical information on their own -- job title, pay grade, SSN, email address, etc.. Nor do they allow employees to decide what information they choose to share with the company's HR department. Companies require forms to be filled out completely. And if there are blank spaces, there's often warning that it could be just cause to rescind the employment offer.

Nishant Kaushik doesn't seem to think that the user-centric model is right for an enterprise environment. And Johannes Ernst disagrees.

I've been thinking about this for a while and I'm with Patrick and Nishaunt on this one. The goal of user-centricity is to give control of their identity information to the end users. That's great in the consumer world. Enterprises, however, have been spending millions on Identity Management specifically so that they (the enterprises) can control identity information more effectively. In the consumer world, it makes sense for people at home to want control over their information as it travels across the Internet. But, in a corporate environment (or government or education) employees and associates don't have rights over their identity information. Since Johannes is the one I've seen to recently claim otherwise, I'll look at his comments.

First, he talks about potential customers. For most enterprises, potential customers are anonymous or simply contact info and notes about whatever the enterprise can learn about their interest in the company's product. He talks about current customers and their desire to use user-centricity when interacting with the enterprise. OK, I can see that point, but that's not really enterprise. To me, that's still a consumer solution.

He then talks about affiliates. This is the typical use-case for Federation. Since this is about business transactions, the most important component of the federation model seems to be the non-technical stuff -- business agreements, contracts, terms of use, processes, etc.. It's not a scenario where you want one business partner to decide to withhold information from the other for the purposes of privacy or information control. Affiliates don't tend to share personal information, but business account information and transactional information that are both critical to the transaction in process.

Finally, he mentions user-centricity within an enterprise's own internal systems. Specifically, he gives the example of a personal cell phone number. To me, that's not enterprise data -- you can manage sharing your personal contact information with friends and close co-workers through social networking sites. Company-sponsored cell phones and IM addresses should be part of the corporate identity management infrastructure. Employees may be allowed to keep information up-to-date, but they're not allowed to decide which managers can view their information and which can't. The company makes the decisions about information use.

I don't know if I'm "defining away the issue of user-centric identity in the enterprise", but I don't see any major value or realistic adoption of a user centric model within an enterprise. The examples presented in the argument for it seem to be consumer scenarios and not enterprise scenarios. If you're expected to be available at 2am, then it's the enterprise who controls where your cell phone number is posted for anyone who needs to find you.

Let me be clear. I'm not bashing Mr. Ernst or trying to minimize his argument. He's obviously an intelligent guy and has contributed a great deal to the industry. But I'm challenging him and others to give me better examples of where the user-centric model may be useful within the enterprise. Because right now, I don't see it.

No comments: