Digital Identity

Product Description
The rise of network-based, automated services in the past decade has definitely changed the way businesses operate, but not always for the better. Offering services, conducting transactions and moving data on the Web opens new opportunities, but many CTOs and CIOs are more concerned with the risks. Like the rulers of medieval cities, they’ve adopted a siege mentality, building walls to keep the bad guys out. It makes for a secure perimeter, but hampers the flow of c… More >>

Digital Identity

5 replies
  1. Jack D. Herrington says:

    If you are looking for an architectural level book on tracking and maintaining identity in distributed systems this book is for you. If you are looking for something about managing your personal digital identity, there is nothing here for you. In addition those looking for code samples beware. There are some XML code fragments but this is an architectural level book, which means, no code.

    The writing is great, and the illustrations are used well to cut through what are often some complex interactions between multiple digital authorities. Definitely worth the look if you know what you are getting.
    Rating: 5 / 5

  2. Christopher Byrne says:

    When I received Digital Identity (234 Pages, O’Reilly, 2005, ISBN 0596008783) for review, I was fully expecting I would be slogging through a deep technical dive into identity management architectures (IMA). Boy, was I wrong. What I got was a extremely thorough discussion of identity management architectures within the context of information systems (IS) governance processes. This is the first time I have read a book that so thoroughly weaves technical discussions (at an appropriate level for the intended audience) with a full discussion of the IS governance frameworks that are essential to success when implementing an IMA. There is only one place where Phillip Windley, former CIO of the State of Utah, falls short in this book.

    Windley is up front in stating that management of digital identities is fundamental to success in information technology. He also makes it clear that the purpose of the book is not to show how to design and implement an IMA. It is about understanding IMAs in a business context. Windley also does an excellent job at showing why critics of digital rights management (DRM) (as enforced by the movie and record industries), are doing more of a disservice by framing the DRM dialog in the wrong context. A such, people are predisposed in their opinions whenever the discussion comes up in any context.

    Stating this up front, the reader of the book will walk through an explanation of what digital identity is, the concept of trust, the lifecycle of digital identity, and the business reasons for it. After laying the groundwork, as well as covering interoperability and federation of identity, the authors covers what really should be the best practices for any organization. By pulling from his own experiences he is able to substantiate that what he is saying is not just “theory”. It is based on real experience.

    This is, however, the point where I feel the author’s lack of full disclosure keeps the book from being even stronger than it is. In his struggle to bring strong IS governance to the state of Utah. You see the reality is that if you come into an organization like a bull in the china shop, you are going to make enemies. From what he is written in this book, this seems to be the style he employed when trying to unify the Utah information infrastructure. The result of this, that is not covered in the book, is that he was forced to resign as CIO under the cloud of an investigation of improper hiring practices. I believe that if he had included this information in the book, along with lessons learned, the book would have been truly outstanding. Because it wasn’t, I have to knock it down to 4.5 stars out of 5.

    Note: In an e-mail exchange with the author, he indicated that although he strongly disagreed with what was in that report, his office never published a response to that report either formally or informally.

    Who Should Read This Book

    This is usually where I write a list of specific job types who should read this book, but this time I want to approach it from a different angle. This book should be read by any IT professional that wants to expand their knowledge and expertise beyond wires, pliers, and lines of code. It is this type book that will allow them to do so without totally stepping outside of their comfort zone. At the same time, it should also be read by anyone involved in IT Audit and/or governance issues. Worried that there will not be enough technical content for you? Don’t. Technical matter is covered at an appropriate level to get a broad understanding, but in a way not to loose a nontechnical reader.

    The Scorecard

    Birdie on a Long Par 5
    Rating: 4 / 5

  3. Ben Rothke says:

    Many people who review their credit report for the first time are shocked to learn how many identities are linked to them. Even when there is no problem of identity theft, it is not uncommon for people to have 10 or more names linked to their credit reports due to various errors, including permutation of their name.

    Just as it is difficult to maintain and manage identities in the real world, it is difficult to maintain and manage digital identities. As the digital economy is becoming more ubiquitous, the need for a single federated identity is becoming more critical. In Digital Identity, Phillip Windley details the steps needed to develop an identity management architecture (IMA).

    Identity management has become a pressing need in the past few years. This has come about because networks and systems are no longer geared around a single infrastructure, and businesses have become increasingly virtual and decentralized. In previous years, there were simply internal users. Today, systems have internal users, along with external users such as consultants, contractors, third-parties, customers, collaborators, and many more. Such requirements necessitate a well-designed and planned IMA.

    So what is this thing called IMA? Windley defines an IMA as the coherent, enterprise-wide set of standards, policies, certifications, and management activities that enable an organization to effectively manage digital identities.

    IMA is also known as federated identity. The book notes that the real challenge in developing a federated identity infrastructure is dealing with the various different hardware and software platforms where user accounts reside, and working with different organizations and departments, including the ever-increasing amount of outsourcing. When all of that is put together, a single federated identity is not easy to come by if there is not an IMA in place.

    The beauty of an IMA is that it allows an organization to securely link and exchange identity information across partner, supplier, and customer organizations, while having a single architecture. This makes identity management seamless.

    The first 11 chapters of Digital Identity do a good job of introducing the underlying concepts of an IMA, including security, trust, authentication, access control, and names and directories. Without an effective security infrastructure in place, any IMA deployed will not be fully effective.

    One oddity, though, is that in Chapter 6, the author defines cryptography as the science of making the cost of discovery of hidden information greater than the value of the information itself. This is the author’s own characterization of cryptography and while interesting, is not how it is used in mainstream security.

    Chapter 12 starts to get into the internals of federated identities. This and the rest of the chapters do not deal with the deep technical details of an IMA, rather it shows how to design and deploy the IMA in a context of a corporate environment under a single set of policies and procedures. Windley emphasizes that an IMA is not so much a technical issue, but rather a business issue that must be deployed in a business context.

    This idea of a business context is manifest in Chapter 18, which deals with identity policies. The book creates what it calls an IMA policy stack, which is the interoperability framework for the IMA. The stack includes all of the elements necessary for the IMA, and comprises an identity management architecture, framework, and set of standards. The standards include all protocols and applications, from SSL, XML, LDAP, DNS, and much more. The framework includes policy issues such as naming, passwords, encryption, provisioning, and more. Finally, the architecture details the specific high-level controls (procurement, contracts, licensing, etc.) around the IMA.

    The book itself is worth it solely for the information in this chapter. Anyone attempting to deploy an IMA without first getting a handle on the issues details in Chapter 18 will find that their IMA will likely be seriously deficient.

    The only negatives to the book are a few too many editing mistakes that should have been caught during the editing process. Also, the author frequently discusses his own trials and tribulations of using an IMA during his short stint as CIO of the State of Utah and with previous employers. Depending on the readers’ specific tastes, some my find the heavy use of the first-person anecdotes to be a negative.

    Overall, Digital Identity provides the reader with a good introduction to the various areas necessary to develop a productive identity management infrastructure. Anyone planning to deploy an IMA or any sort of federated identity solution in a corporate environment will find Digital Identity a valuable reference.

    Rating: 4 / 5

  4. Craig Anderson says:

    In my opinion, this book is really feeding the buzzwords frenzy of Identity management domain . It certainly “talks the talk”, but can it “walk the talk”? – Full of google-able content and no meat. I can think of numerous glaring examples where the book falls short. To name a few: SAML (huh? where is SAML 2.0), XACML, Liberty, WS-Federation

    I think the book does a below average job of providing practical information. Even the content does not flow very smoothly and coherently.

    I wasted mu money, now this book going to be on my shelf collecting dust.
    Rating: 2 / 5

  5. Ramnath Krishnamurthi says:

    Identity Management is my day to day job as our company heavily focuses on various IAM initiatives.I was always looking for a book that can give enough material on how to go about design, deploy IAM solutions. This book is the one for it. This book really deserves 5 stars.


    Ramnath Krishnamurthi,


    Like Minds Consulting Inc,

    New York, U.S.A
    Rating: 5 / 5

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.