Defending my thoughts on Active Directory
July 16, 2008
James McGovern was kind enough to take the time to respond to my post on “the evils of Active Directory”. I’ve managed to get this post in front of a few other people including members from the Active Directory team at Microsoft and I think that for the most part people have become quite defensive about it.
I think that perhaps I need to do a better job of explaining my perspective, and in doing so you’ll see that I’m not necessarily anti-AD, but more anti-“Corporation as Identity Silo”.
Active Directory and similar directories are an attempt to model how people and organisations represent their identities to each other. Given the dominance of computing in the enterprise space it is natural then for the various directories to represent “the company” as the central resource and “the employee/user” as leaf nodes hanging off it.
This made sense especially at a time when “the company” was the centre of everyone’s technological universe.
My argument is that over the past decade that center has started to move away from “the company” and towards “the individual”.
Interestingly, I think that many in the IT profession will be the last to see this happening because as power users we have enjoyed quite a bit of freedom inside the enterprise to use technology how we see fit, and so the systems have “been made in our image” you could say.
So what does this have to do with identity management? Well – as an empowered user I am likely to start to rely on services outside the enterprise to do my job. This is not a trend we can stop; we just have to accept it, and our definition of identity and who controls it will need to change.
This is where federated identity comes into the picture, which basically allows two or more identity stores to agree to exchange identity information to authenticate users. There are lots of different federated identity systems out there.
The theory is that in this brave new world federated identity will enable organisations to extend their control of their users’ identity into the cloud. However, my theory is that users will reject this because it is less empowering and, quite frankly, the federated identity solutions won’t be able to keep up with the plethora of new online products and services which users will be working with.
Technologies like Live ID and OpenID have more chance of succeeding because they work outside the enterprise, but we will end up with at least a partially fragmented identity system where users maintain their identities in two systems.
CardSpace and similar technologies are much more interesting because they offer the ability for users to manage their own identities and present them to the relying party – it is user controlled and empowering – even if from a geek’s perspective the identity stores are distributed and controlled by others outside “the company”.
So – my closing argument is that “identity” will not be owned by “the company” in the long run. Control of a user’s identity will pass to the user, and the user will present that identity to applications that empower them.
This isn’t about defending an existing market player’s turf; this is about acknowledging a move in the center of the identity universe.