Is Identity Management a Security Thing?

Nov. 10, 2009

Most all security guys will tell you that Identity Management (IDM) is a security thing, but if you think about it, security is focused on keeping people out of your systems and IDM is a framework for letting people in. I think that IDM fits better in the privacy area. Privacy is about letting the right people, and only the right people, see your information. In healthcare, no one would say that “keeping my data private means that no healthcare professionals should ever be able to see my data”. In a world like that we would be relegated to repeating all tests and procedures over and over again (come to think of it, perhaps that IS what we have).

So if security is keeping people out and IDM identifies how to get in to data, then would that not be a privacy thing? If you look at the HIPAA privacy rule, it talks about when users can access healthcare data, which is exactly what a well-written IDM system does. IDM includes all the processes that control identifying users and associating them with the services or data they can see or modify. It also has logging for user access (another HIPAA requirement).

So, who cares? IDM is privacy, not security. What difference does this make? A LOT. If you look at the focus of IDM today, most all of the technologies are primarily concerned with the use case of “the break-in” (i.e., what happens if the identity is hacked or stolen). If we re-focus the discussion to privacy of information, then we can create systems that better track authorization workflows (i.e., what happens if a user can’t get to the information they need). I think we would all agree that as much as I don’t want my information shared everywhere, I really don’t want to be poked with a needle because my doctor can’t access the last blood test I had.

It may not change the products, but I think it may change the focus of discussion, thereby enabling the creation of environments needed for SHARING of data, not SECURING data from others.
