IdM and Outsourcing - teaser
As more and more companies outsource their work, information sharing amonst the outsourcers will become more prevalent. For example, if Company-1 (C1) outsources their Desktop work to ABC-corp, and their HelpDesk function to XYZ-corp, then information about an individual must not only be present in the systems which C1 directly accesses, but also in the back-office supporting systems of ABC-corp and XYZ-corp. For ABC and XYZ to be paid for their services, they need to know information about C1's users in their asset-management systems. Otherwise how would they be able to pay for the appropriate software licenses, etc., on behalf of C1?
It may even be the case that info needs to exchange directly between ABC and XYZ on behalf of C1. For example, if C1 asks ABC to provide a desktop to Joe User, then ABC will need to send Joe User's info to XYZ so that Joe can be supported by the Help Desk.
In an outsourced world, the only thing C1 would really be responsible for is the initial "vetting" of the user and "assigning" of resources. C1 has to maintain that responsibility due to legal reasons. The outsourcer's responsiblity is to provide and support the contracted service, including any access control to the service.
This effectively breaks RBAC into two parts, with RB being C1's duty, and AC being the duty of the outsourcer. This concept can apply to more than IT resources ... for example, Benefits. C1 hires the person and assigns a role which entitles them to one of three Benefits packages. The outsource benefits provider (B0) is responsible for access control to the benefits enrollment system. The rule between C1 and B0 is setup via the contractual agreements, but must also be followed by system-level data-sharing about the hired individual. If the HR function is also outsourced, then it's back to the ABC / XYZ example above.
This means federation, and most importantly brokered-trust relationships, are essential to the business process and technology of the future. Also, the solutions which the outsourcer put in-place to support their clients will be subject to the same privacy and regulatory statutes which C1 would be subject to if they'd in-sourced their work. This may mean higher outsourcing costs long-term, as outsourcers are forced to expand their overseas environments (e.g. to support Safe Harbor), their US operations (e.g. for systems which are under ITAR requirements), and for clients who will not accept (or are too large for) a leveraged outsource enviornment. All this questions whether outsourcing or off-shoring, long-term, will remain cost-competitive.