The economic shifts that have occurred over the last decade have changed how businesses operate and the expectations of customers. One of the most dramatic shifts has been the rise of network-based, automated services. In many cases, we’re “spending more and owning less,” in the words of Jeremy Rifkin. When I fly, I almost always purchase tickets online, but more than that, almost all of my needs as a customer of the airline are self-serviced, using online web applications. I can check flight schedules, be notified by SMS if my plane is running late, check my frequent flyer account balance, and even redeem upgrade points and change my seat online. The changes underlying these trends have profound implications for businesses and customers alike.

For businesses, a service-oriented economy means that they must adjust to entirely new ways of relating to their customers. The World Wide Web changed the way companies market their products. But more importantly, the products themselves have changed. Perhaps the most significant change is that there is no longer a human in the loop to create a trust relationship with the customer, make up for process deficiencies, and represent the company. When two businesses merge, they often find that they have very different approaches to knowing their customer and that this makes leveraging the combined operation almost impossible.

For customers, the changes are equally dramatic. Where they used to purchase things from people at physical locations, they now purchase or use services delivered to them electronically on their computer, PDA, and even their phone. The usual trust marks that customers have relied on in the past are either missing or easily forged. As the number and breadth of services that people use grows, they find that they are inundated with requests to identify themselves and to divulge information they consider private.

In addition to their customers, businesses have relationships with partners, suppliers, and employees. Networks have changed those relationships as well. Just as with the business-customer relationship, these relationships are increasingly moving to the electronic world and being mediated by automated processes rather than people.

At the heart of this service-oriented economy are network-based, automated transactions. Automated transactions are fundamentally different than the transactions that occur in the physical world. When I stop by the convenience store to buy a snack, I can exchange cash for peanuts. Unless the clerk happens to know me, the transaction is anonymous. In contrast, in the service-oriented economy, anonymous transactions are rare, because delivering service automatically almost always implies that you have to know something about who’s receiving the service—if not their names, then at least their preferences or other attributes. This identifying information is usually transferred digitally, across the network. In a service-oriented economy, digital identity matters.

Of course when we talk about the service-oriented economy, we’re not just talking about e-commerce. Note that my example with the convenience store involved a small cash purchase. But imagine the same scenario, except this time I use a debit card, credit card, or check. In any of those cases, I’ve invoked a network-based financial service as part of the overall transaction. Network-based services are as pervasive in transactions that occur in the physical world as they are in online interactions.

In an automated, network-based service, I have to know who you are in order to sell you access to my service. Since these services are increasingly delivered over digital networks, businesses need reliable, secure, and private means for creating, storing, transferring, and using digital identities. Network-based, automated services are not just delivered to customers—employees, partners, and suppliers also interact with the enterprise via services. In many cases, anonymous service is impossible or undesirable, and as a consequence, digital identities must be assigned and managed.

In addition to identifying customers to sell them services, business have an increasing need to identify employees, systems, resources, and services in a systematic way to create business agility and ensure the security of business assets.

Digital identity is the lynch pin in each of the activities we have just discussed, along with a wide variety of other activities important to business. Consequently, how your organization manages digital identities will have a great impact on whether you are constantly fighting problems brought on by a lack of attention to managing identity, or whether you are exploiting opportunity enabled by a flexible and rational digital identity infrastructure.

The common ATM machine is a great example of how digital identity enables new business opportunities. Before ATMs were invented, a bank’s customers took care of their banking needs by presenting pieces of paper to a human teller. The papers included instructions to the bank (e.g., deposit slips), cash, checks, and other financial instruments. Unless the teller personally knew the customer, the customer usually also presented some kind of identity credential, such as a driver’s license. The teller was able to verify the identity of the customer and the validity of the various pieces of paper.

The ATM was possible only because banks created a means of identifying their customers digitally. We’re all familiar by now with the debit card and PIN that ATMs require from us before service. The card carries identity information and the PIN tells the bank that the person presenting the identity is entitled to use it. With the advent of a digital identity infrastructure, banks no longer needed a human in the loop to verify the customer’s identity.

From the bank’s perspective, the most obvious benefit from an ATM is to reduce the cost of employing the teller, but there are other benefits as well. I lived in Japan for two years during the 1970s and experienced ATM machines there for the first time. I’d never even heard of ATM machines before that. I had a chance to visit Japan again in 1996 and found something strange. There were still plenty of ATM machines, but they operated only when the bank was open. You you could only receive during banking hours.

Japanese banks, at least in 1996, still viewed ATMs as simply “teller replacements.” But in the U.S., something more interesting had happened: ATMs were used to extend service in ways that went beyond merely replacing the teller in the branch. ATM machines extended service in three fundamental ways:

This example shows clearly the three primary ways that information technology can extend a business. Tom Parenty^[*] describes them as extensions of time, scale, and locale.

Each of these extensions is built on a foundation of digital identity. Without a digital identity infrastructure to give bank executives the ability to trust that people using the ATMs are allowed to take authorized actions, ATMs would have never been deployed.

The other side of this relationship is equally instructive. Customers feel good about participating in transactions with the bank because of trust marks that they encounter before and during the experience: the big building, the brand of the bank, the FDIC sticker, and last but not least, the teller are all part of this. The first ATMs were installed in bank lobbies to keep much of that intact. Humans frequently helped customers through their initial fear of dealing with a machine, effectively transferring the trust that customers placed in the human teller to the digital identity infrastructure and computer systems that made up the ATM system. Nowadays, of course, ATMs appear in all kinds of settings, and most people trust the debit card and PIN to adequately protect their assets.

Just as ATMs changed the way banks do business, information technology, and especially the growth of the Internet, has fueled a multitude of opportunity for business to throw off the old restrictions of time, scale, and locale. Doing so, however, requires a better understanding of digital identity than ever before.

Like medieval city planners, IT professionals and others have traditionally thought of security as an edge game. Given a firewall and access control to the network, we can do a reasonable job securing a business. However, the economic shifts spoken of previously have driven the need to integrate systems not only internally, but with trading partners and customers as well. This trend is fueled by XML and the creation of standards for exchanging data and the increasing trend to decentralized computing that is embodied in service-oriented architectures (SOAs) and web services. But this trend has ramifications for business security: we can no longer treat the edges of the network as a secure perimeter.

When integration is driven by business, rather than IT needs, security policies need to talk about documents, data, actions, people, and corporations instead of machines and networks. This new security model is infinitely more complex than the old “secure perimeter” model. But even if you can define your identity strategy, how do you ensure that it is properly implemented across dozens or even hundreds of systems, and, at the same time, control access to fields of a database or paragraphs of a document?

Understanding how your organization can make use of digital identity requires understanding concepts such as trust and privacy. Moreover, digital identity is built on a set of technologies that includes cryptography, authentication, authorization, identity provisioning, directories, digital rights management, identity federation, and interoperability standards. Later chapters in this book will discuss these concepts and technologies in detail, and show how they fit into an overall identity management strategy.

The most difficult part of getting identity management right isn’t technical. Management, policy, and even political issues are more likely to be the things that stand in the way of success. To that end, the final section of this book will describe a methodology for creating what I call an identity management architecture (IMA) that can help you overcome these challenges.

An IMA is unique to each organization. Creating an IMA for your organization requires a firm framework for governance and understanding the business context within which it will operate. To that end, the methodology in this book includes detailed ideas about how you can document, analyze and understand the business context that your identity infrastructure will have to support.

An IMA has three primary components:

Later chapters in the book will discuss each of these components in detail and help you build processes in your organization to create them. Each of these components makes use of two other important parts of an IMA:

Some organizations believe that they can’t be bothered to create policies and make standards decisions, but I hope that the chapters on these two important subjects will change your mind and show you how policies and standards can be liberating, rather than confining, for your business.

Digital identity is at the core of almost every modern business process. I’m confident that an IMA will help your organization, regardless of its size, use digital identity technologies to build an infrastructure that will pay dividends in every other area of your business.