In some of my last entries in this blog (here and here) I’ve mentioned the concept of Enterprise Information Management, something I will cover in depth in a report within the next few weeks. Enterprise Information Management will be sort of the long term evolution of today’s Identity Management and some of the tightly related topics, as well as the integration of IAM with some other technologies. I started thinking about this concept when I developed a simple chart which describes the future of IAM.

It starts with today’s IAM, which is sort of “Identity Management for Administrators”, e.g. solving mainly technical issues in synchronizing information, with support for single sign-on or with provisioning. I’ve titled the next level “Identity Management for Applications”, describing the service orientation and the integration into applications. It includes aspect like Application Security Infrastructures. Many vendors are working on a service layer or the integration of business applications with their IAM products.

“Identity Management for Applications” is still pretty technical. That changes with “IAM for business” as the upper level of Identity Management, which in fact is this Enterprise Information Management (EIM) approach I expect to become reality within the next five to seven years. Most of the building blocks of this concept are reality today. Enterprise Role Management, Information Rights Management, Classification approaches, context-based authorization, Segregation of Duty-approaches, Archiving all exist. But they aren’t integrated yet, even while some concepts like SISA (Secure Information Sharing Architecture) are not that far away from the idea of EIM.

There are two main areas in which EIM distinguishes from today’s approaches. One area is the business control of information, the other is that information and identities will become the central concepts. Business control of information is about who really controls what could be done with a single information “entity”, e.g. a document, a mail, a business record or anything else. That has to be the business user or information owner. He knows best who shall be allowed to work with this information – in a defined context with business rules, for sure. Thus, EIM will focus on this level and not the question, which access control has to be set on which directories on a file server or other pretty technical aspects. The concrete access controls are just sort of a result of what has been defined on the business level.

The central concepts in EIM are information “entities” or “objects” and identities. It’s about who (the identity) is allowed to do what with which information. In fact it is about handling information in an appropriate way. By defining the type of information (sort of classification) and the roles for access (which could be based on templates derived from business rules, for example) all subsequent steps can be automated – access control and authorization, encryption, archiving and so on.

The concept of EIM doesn’t replace today’s IAM, neither does the concept of “IAM for Applications” replace “IAM for Administrators”. It are just concepts which sit on top of each other. Services require the basic level of IAM. And EIM requires services. Thus, a strong IAM infrastructure is key to EIM, even while it isn’t sufficient to fulfill the business requirements.