This work is licensed under a
Creative Commons License.
However, NetMesh, Situational, LID, Light-Weight Identity, and InfoGrid
are trademarks or registered trademarks of R-Objects Inc.,
doing business as NetMesh Inc. and no rights to trademarks are
granted. For the purposes of attribution, the author is "Johannes Ernst"
and attribution shall provide a (clickable, where possible) URL to this site.
Update: This model was discussed today (2007-12-04) at Internet Identity Workshop and received a lot of positive feedback. If I receive any via the blogosphere, I will link.
Going into the last Internet Identity Workshop of the year, it is time for me again to reflect on how far we have come with internet identity in 2007, and what the primary topics will be next year.
I started this series of posts in 2006, when I created the "triangle diagram" that identified the URL-based, Liberty-based and WS-*-based technology stacks as the three pillars of the identity landscape (original post, updated one year later here). This diagram’s explanatory qualities seem to have struck a chord and it was picked up widely (e.g. here and here).
This year’s post is going to be different. That is because the focus of discussion in the internet identity market has clearly now changed from one mostly concerned with protocols, standards and technologies, to one of market applicability. (Which is great!) Thus, a technology/standards-focused diagram like last year’s would miss the target. A different perspective is called for.
In my view, the primary questions in 2008 will be:
To illustrate this change in perspective, consider web single sign-on. OpenID, SAML and a range of proprietary technologies can all accomplish it, and the technologies are remarkably similar in the way they handle browser redirects and the like. So, as many (technical) people have argued, it’s a bit of a draw which one "should" win, and many techies therefore think they are competing against each other. From a market perspective, however, the situation is very different: SAML tends to get deployed into closely-knit circles of trust that have lawyers in the loop, while OpenID tends to get deployed on the open internet for "promiscuous federation" cases without much consideration of liability. Both have good economic reasons for doing what they do, and neither is inherently "right" or "wrong". In 2008, these non-technical (e.g. economic) considerations will be at the forefront of the questions and of the positioning of the respective technologies. Let’s see whether I can help that discussion along with a new diagram:
So let me introduce my identity landscape diagram for 2008. It’s not a triangle, but a set of concentric circles. This diagram looks at the market from the perspective of the enterprise and the business ecosystem of employees, partners, affiliates and customers that the enterprise interacts with. (This does not make it a non-user-centric diagram; it only recognizes that it is enterprises that deploy these technologies in large volume, not individuals.)
At the center of the diagram, in Tier 0, is the enterprise with its employees and internal systems. Clearly, an identity management problem exists there. Since all of these systems and users are under the enterprise’s control, it can choose whatever technology it wishes to address its own identity management problem: after all, it controls all the parts. This is exactly why there have been so many proprietary identity management products in the market for intra-enterprise use, and why many of them have succeeded.
Moving to the next circle, Tier 1, we find the enterprise’s close business partners. These business partners are so close that there are only very few of them, and they are very important to the enterprise. Rich and deep integration is an absolute must, and lawyers are involved in those relationships well before identity technology shows up on the scene. It is very clear who trusts whom on what. This is the classic domain of circles of trust and federation: standards are used because they help lower costs, but very often there are many conventions, additions, customizations etc. (corresponding also to intentionally undefined areas in the specifications) that enable the business partners to get the best value out of their unique relationship. These customizations are not bad at all, quite the opposite: instant plug-and-play with new partners is not required (extraordinarily close business relationships do not change frequently), and the customization allows the enterprise to interact most effectively with its most important partners. Example: the enterprise and its 401k provider.
Enterprises have many more less-close business partners, however, often in the hundreds. Those are shown as Affiliates in Tier 2. While these affiliates are also important to the success of the company, each individual affiliate is less important. As the relationship is neither as close nor as valuable as in Tier 1, integration is still needed, but the enterprise cannot afford to establish and maintain a custom relationship with every affiliate. Traditionally, identity management has done very little about this tier, but it is becoming clear that major value could be created if it could be addressed effectively. Tier-1 technologies do not apply here because custom work is impossible with hundreds of partners, from the perspective of both the enterprise and the affiliate. Instead, this is one of the domains of internet identity technology, which promises plug-and-play to a much larger extent.
The last two circles contain the company’s customers (inner circle) and prospects (outer circle). Traditionally, customers’ identities are managed with account numbers in Customer Relationship Management (CRM) systems, usernames and passwords on websites, and mothers’ maiden names as a (weak) security question. The identities of millions of potential future customers aren’t really managed at all, except perhaps in the aggregate through tracking cookies and the occasional direct mail response. Often, the prospective customer regards any management of their identity as an invasion of privacy.
Now let’s overlay how these tiers will look in 2008:
In our discussions with customers, we have found this structure exceedingly helpful, as it clarifies which vendors and technologies do and do not compete. For example, it makes very clear that traditional circles of trust apply in very different business circumstances (close partners) than technologies offering lightweight plug-and-play (user-centric customer identity management), and thus the two do not compete in any business-relevant fashion.
As usual, I’m interested in any and all feedback.