When I received Digital Identity (234 pages, O'Reilly, 2005, ISBN 0596008783) for review, I was fully expecting I would be slogging through a deep technical dive into identity management architectures (IMA). Boy, was I wrong. What I got was an extremely thorough discussion of identity management architectures within the context of information systems (IS) governance processes. This is the first time I have read a book that so thoroughly weaves technical discussions (at an appropriate level for the intended audience) with a full discussion of the IS governance frameworks that are essential to success when implementing an IMA. There is only one place where Phillip Windley, former CIO of the State of Utah, falls short in this book.
Windley is up front in stating that management of digital identities is fundamental to success in information technology. He also makes it clear that the purpose of the book is not to show how to design and implement an IMA. It is about understanding IMAs in a business context. Windley also does an excellent job of showing why critics of digital rights management (DRM) (as enforced by the movie and record industries) are doing more of a disservice by framing the DRM dialog in the wrong context. As such, people are predisposed in their opinions whenever the discussion comes up in any context.
With this stated up front, the reader of the book will walk through an explanation of what digital identity is, the concept of trust, the lifecycle of digital identity, and the business reasons for it. After laying the groundwork, as well as covering interoperability and federation of identity, the author covers what really should be the best practices for any organization. By pulling from his own experiences he is able to substantiate that what he is saying is not just "theory". It is based on real experience.
This is, however, the point where I feel the author's lack of full disclosure keeps the book from being even stronger than it is. It concerns his struggle to bring strong IS governance to the state of Utah. You see, the reality is that if you come into an organization like a bull in a china shop, you are going to make enemies. From what he has written in this book, this seems to be the style he employed when trying to unify the Utah information infrastructure. The result of this, which is not covered in the book, is that he was forced to resign as CIO under the cloud of an investigation into improper hiring practices. I believe that if he had included this information in the book, along with lessons learned, the book would have been truly outstanding. Because it wasn't, I have to knock it down to 4.5 stars out of 5.
Note: In an e-mail exchange with the author, he indicated that although he strongly disagreed with what was in that report, his office never published a response to that report either formally or informally.
Who Should Read This Book
This is usually where I write a list of specific job types who should read this book, but this time I want to approach it from a different angle. This book should be read by any IT professional who wants to expand their knowledge and expertise beyond wires, pliers, and lines of code. It is this type of book that will allow them to do so without totally stepping outside of their comfort zone. At the same time, it should also be read by anyone involved in IT audit and/or governance issues. Worried that there will not be enough technical content for you? Don't be. Technical matter is covered at an appropriate level to get a broad understanding, but in a way that does not lose a nontechnical reader.
Business Controls Caddy Scorecard
Birdie on a Long Par 5