When I was in grade school, our class captured a caterpillar and placed it in a jar with some leaves to see what would happen. Of course, in time, the caterpillar spun a cocoon and the little jar became pretty boring. But our teacher encouraged us to keep watching, and one morning, we were thrilled to see a large moth in the bottle. This simple experiment clearly illustrated to me that the moth and the caterpillar were the same creature at different stages of its life.
Scientists use lifecycles to connect the seemingly unconnected. I'm a big fan of lifecycles in analyzing information technology problems for the same reason. Lifecycles help define all of the phases of a problem or project so that they can be dealt with holistically rather than piecemeal. In addition, lifecycles are useful for categorizing activities associated with the process.
Digital identities have lifecycles, as shown in Figure 5-1. The digital identity lifecycle is applicable regardless of whether we're discussing a complex identity system for a large business or the accounts on a home computer. Understanding how the digital identity lifecycle plays out on every system in the enterprise, and in the enterprise as a whole, is crucial when creating a digital identity management strategy.
Briefly, a digital identity starts out by being provisioned, or created. Once created, the digital identity is propagated to any systems that will use it. Once propagated, the identity is used. Occasionally, some kind of maintenance will be performed on the identity, such as a password change or an attribute addition, and it is repropagated. At some point, the digital identity has served its purpose and is no longer needed; it is then deprovisioned, or destroyed. We discuss each phase in more detail below.
Provisioning is the process of preparing an IT system to provide service to a client, customer, or other user. From the perspective of digital identity, provisioning is the creation of the identity record and its population with the correct attributes. These attributes might be standard items, such as name, location, email, and phone, as well as items more specific to the system. For example, the identity system that feeds the custom page presentation system for My Yahoo! contains attributes such as page color, positioning, and so on.
Provisioning can be done through the action of an administrator, or it can be self-service, occurring as a result of user actions. When a new employee joins a company, administrators, usually on multiple systems, provision identities for that employee so that she can be assigned an office, get on the payroll, get a computer, get a badge, become part of the health plan, and so on. One of the trends in enterprise computing has been termed "zero-day start," meaning that the enterprise links all of these systems so that when a new employee starts, all of the systems, permissions, and infrastructure are set up and ready, allowing the employee to start work the first day and have access to all of the resources, physical and virtual, that she needs to be productive.
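The lifecycle phases described above (provision, propagate, use, maintain and repropagate, deprovision), together with the multi-system provisioning just discussed, modelled as a small state machine. This is an added illustration, not code from the book; the system names, attribute values and the `TRANSITIONS` table are constructed assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical lifecycle model: which phase may follow which.
TRANSITIONS = {
    "provisioned": {"active"},               # first propagation puts the identity into use
    "active": {"active", "deprovisioned"},   # repropagation keeps it active; end of life destroys it
    "deprovisioned": set(),                  # a destroyed identity has no further phases
}

@dataclass
class DigitalIdentity:
    username: str
    attributes: dict                         # standard plus system-specific attributes
    phase: str = "provisioned"
    version: int = 1                         # bumped by every maintenance change
    copies: dict = field(default_factory=dict)  # system name -> record version it holds

    def _move(self, new_phase):
        if new_phase not in TRANSITIONS[self.phase]:
            raise ValueError(f"{self.phase} -> {new_phase} is not a valid lifecycle transition")
        self.phase = new_phase

    def propagate(self, systems):
        """Propagation: push the current record to each system that will use it."""
        self._move("active")
        for system in systems:
            self.copies[system] = self.version
        return sorted(self.copies)

    def usable_on(self, system):
        """Use phase: a system can rely on the identity only if it holds the current record."""
        return self.phase == "active" and self.copies.get(system) == self.version

    def maintain(self, changes):
        """Maintenance (password change, attribute addition) makes every copy stale until repropagated."""
        if self.phase != "active":
            raise ValueError("only an active identity can be maintained")
        self.attributes.update(changes)
        self.version += 1
        return sorted(s for s, v in self.copies.items() if v != self.version)  # systems awaiting repropagation

    def deprovision(self):
        """Deprovisioning: the record must be removed from every system it was propagated to."""
        self._move("deprovisioned")
        revoked = sorted(self.copies)
        self.copies.clear()
        return revoked

def provision(username, **attributes):
    """Provisioning: create the identity record and populate it with its attributes."""
    return DigitalIdentity(username, dict(attributes))
```

The list returned by `maintain` is the set of systems where the change has not yet landed, and the list returned by `deprovision` is the set of systems that had to be told the identity is gone; in a real enterprise both lists are what an identity management process has to reconcile.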
We're all familiar with self-service provisioning—we see it every day on the Web as we visit web sites and sign up for services, both paid and free. For example, I've had a virtual server account with Verio for six years, and I've never talked to a human. I signed up online, and I manage the account entirely online. Self-service provisioning is a hallmark of the Internet age and perfect for services that are delivered over the network. Self-service provisioning works well where there is little need to verify credentials other than perhaps a credit card.