Identity analysis and structure is the cornerstone of any collaboration system. Some questions that need to be asked are:
- Who are the people that are required to collaborate, and are there any groupings that need to be thought of? Are these external only, internal, or a mix?
- What is the level of their attachment to the host organisation, and which organisations do they belong to? Are they employees, contractors, freelancers, suppliers or customers? There may be sub-groupings that are unique to the business model or industry.
- Do we need to verify actual identities, or are virtual identities good enough? The degree of confidence in an identity is crucial. Requiring fully-verified identities introduces additional overhead and discourages enrolment. For a customer support forum, is positive identification necessary? If so, for which tasks?
- What is the mechanism of verifying their real or virtual identity? Is email verification with a certain domain enough? Should we re-validate users who have been inactive for a while?
- What is the least obstructive authentication method for their role in the collaboration? Passwords, unless used frequently, carry a security risk that is disproportionate to their advantage. Seriously consider one-time passwords, on-demand passwords sent to a known email address and transient identities tied to social media accounts like Facebook, Twitter etc.
- What amount of identity information needs to be stored? Apart from this being subject to statutory regulation, do not keep any more data than is absolutely necessary to provide convenience to the user and execute the task at hand. Retire obsolete data, and erase data for users that have not accessed the system for some time. Unauthorized access to stored data (account or email compromised) can complicate identity verification processes.
- What are the processes for provisioning and de-provisioning of entitlement, and what is the cost of these processes as opposed to their benefit? For each authorization, think about what would be wrong if it was opened to everyone. For example, why can 'opening a support ticket' be open to anyone?
Many other questions will be raised in specific situations, but the spectrum of collaboration activities (polls, surveys, blogs, forums, applications etc.) will build upon the identity management, authentication, authorisation and provisioning structures that have been set up keeping in mind the desired business objectives.
The general rules are:
- Cater for multiple strengths of identity and the verification means.
- Ensure that data and identity strength automatically deteriorate over time.
Some of the largest organisations in the world are catering to hundreds of millions of users of varying identity strength by building upon some of these ideas.
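The two general rules above can be modelled in a few lines. The following is an added sketch, not code from any particular product: the verification means, strength levels, action names, 90-day decay interval and 365-day erasure window are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical verification means and the identity strength each one grants.
VERIFICATION_STRENGTH = {"self_asserted": 1, "email_domain": 2, "document_check": 3}

# Hypothetical minimum strength per action; 0 means open to everyone.
REQUIRED_STRENGTH = {"open_ticket": 0, "post_forum": 1,
                     "view_contract": 2, "approve_invoice": 3}

DECAY_INTERVAL = timedelta(days=90)  # assumed: one level lost per 90 days since verification
ERASE_AFTER = timedelta(days=365)    # assumed: stored data erased after a year of inactivity


@dataclass
class Identity:
    user: str
    method: str
    verified_at: datetime
    last_seen: datetime
    profile: dict = field(default_factory=dict)

    def strength(self, now):
        """Strength granted at verification, minus one level per elapsed interval."""
        lost = max(0, (now - self.verified_at) // DECAY_INTERVAL)
        return max(0, VERIFICATION_STRENGTH[self.method] - lost)

    def revalidate(self, method, now):
        """A fresh verification restores strength and counts as activity."""
        self.method, self.verified_at, self.last_seen = method, now, now


def authorize(identity, action, now):
    """Return 'allow', or 'revalidate' when the decayed strength is too low."""
    ok = identity.strength(now) >= REQUIRED_STRENGTH[action]
    return "allow" if ok else "revalidate"


def retire_stale(identities, now):
    """Erase stored profile data for users inactive longer than ERASE_AFTER."""
    erased = []
    for ident in identities:
        if now - ident.last_seen > ERASE_AFTER and ident.profile:
            ident.profile.clear()
            erased.append(ident.user)
    return erased
```

An identity that has decayed to strength 0 can still perform the actions that are open to everyone; anything above that prompts re-validation rather than a hard denial.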