Wednesday, August 01, 2007

To blog list

I have a to-do list for blog posts, so I guess technically it's a "to blog list". I'm posting the list for 2 reasons:
  1. So that I remember.
  2. I can no longer use the excuse that no one is going to notice if I don't get around to it.
It's not a long list, but each requires my brain to actually make an effort while writing. So here they are:
  • Follow-up to my post on Data Security and Leakage Prevention. I said I'd look at issues to consider and how to address them.
  • My thoughts on the Oracle acquisition of Bharosa that I first mentioned here.
  • James McGovern suggested in a comment on this post (yet another one relating to Securent) that I share my thoughts on "the need for entitlement management in general and the problem space in terms of implementation."
I'll get around to these. In what order I'm not sure. But if you would like to read about one over the others, let me know via a comment or by filling in the "email me" form on the right column of the blog.

Biometric entry into Australia

I'm still catching up with my news and I came across this story today (yes I know it was written almost a week ago). Apparently by 2010 non-Australian citizens will have to go through the pain of being fingerprinted and iris scanned when they enter the country. I imagine this will be similar to the process the US currently employs.

The most interesting thing from a technological standpoint was this statement:
"This information will be stored in the department’s central Identity Services Repository, which will be complemented with an ID management toolkit, including high-integrity enrolment and registration systems, forensic document examination techniques, a specialist identity investigation capability, advanced name search software, and an online document verification system."

It makes it sound easy, doesn't it? Those of us who have had anything to do with identity management and repositories know it's not, especially when you're talking about something of this scale. The thing that jumps out at me most of all is "central Identity Services Repository". Are they kidding? If that's really the plan, they'd better do some serious design work.

I'm also a little wary of the sentence: "ID management toolkit, including high-integrity enrolment and registration systems". Do they mean they want to use one of the provisioning solutions out there (I can make a pretty educated guess about what this would be because I know what they bought - I'm just not sure I'm allowed to say)? What's there to provision to besides the actual repository? The users being stored in the system will never have to use the system. I'm not saying that using a provisioning solution is a bad idea, but they don't need all the functionality that comes with it. The benefits you get from using an off-the-shelf product may not pay dividends here because of the performance trade-offs. They just need a scalable data store that performs. In other words, they need a great big relational database (or LDAP if they want something that has an open standard attached to it) with an application in front of it. I'm over-simplifying of course, but that's essentially what they need at the back end with the application being the glue between the biometric devices and the data store.

The DIAC actually have a bunch of off-the-shelf software products they could just pull out and use if they wanted. In fact, if I put my vendor hat on, I'd be able to slot a product into each part of the paragraph above (and not just for the "identity" part). But that would be fitting business processes to a set of products rather than the way it should be - figuring out what needs to be done and using the right solutions that fit.

IBM and Unisys are the service providers helping them put all this together and have their work cut out for them. They won't complain though. There's too much money to be made.