Continuing from my post a few weeks back about the four components of modern identity (policy, orchestration, execution, and data), I wanted to spend a little time on one of the components: data. I have a really bad idea and need to get it out of my head… and I want a bit of validation that yes, in fact, this is a really bad idea.

For the moment, let’s look at the consumer world of IT. In this space, there is a notion of a customer data platform (CDP). CDPs are thought of as marketing technology. They are notionally the repository for everything related to customers. From clickstream, to email opens, to expressed preferences, to orders, to call center interactions, to lifetime value, and more… all flow into the CDP. And the CDP is consulted to construct a customer’s journey, regardless of whether that journey starts as an email campaign, a guest user on a site, in an app, or just browsing around. Different kinds of tools use the CDP for their own outcomes (e.g. segmentation, ad placement, customer lifetime value analysis, etc.)

So what if we did something similar for workforce-related users? What if we built a workforce identity data platform? Into which we poured “classic” HR data, certification and training data, all the access information identity tools operate on, security-related information (like what Mimecast is up to), endpoint posture data… all of it. Put it all on an everything bagel and call it a workforce identity data platform (WIDP).

If we did build a WIDP and the analogy to CDPs holds, then the WIDP would be the source to consult when making a decision about a worker’s journey within the enterprise. From birthright access to suggested career development choices to potential mentor/mentee matches and far beyond - the WIDP could inform all of them. Naturally, a WIDP would have to have a vectorized form of its data built in to facilitate GenAI natively. Similarly, it would have to have extremely robust access and data protection controls baked in from day one.

If it existed, a WIDP could serve as the data tier for an identity fabric. It could provide a domain-specific facade/view for different kinds of tools to do their thing. For example, a run-time access policy and orchestration tool could get a view that enables the tool to reason about which people have what kinds of access to which resources. Similarly, an admin-time policy and execution tool could use a WIDP-generated facade to facilitate birthright provisioning.
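As an added example that is not part of this post, here is a small Python sketch of the facade idea: each consuming tool gets only an allowlisted projection of the consolidated record, every read is logged, and a check reports which attributes never leave the data tier at all. The worker record, tool names and attribute names are all constructed for the illustration.

```python
from copy import deepcopy

# Constructed sample WIDP record for one worker: HR, training, access,
# endpoint posture and security-tool data consolidated in one place.
WIDP_RECORDS = {
    "w-1001": {
        "hr": {"name": "Dana Example", "job_code": "ENG2",
               "manager": "w-0007", "salary_band": "B4"},
        "training": {"certs": ["AWS-SAA"], "in_progress": ["secure-coding-101"]},
        "access": {"entitlements": ["gh-org-member", "prod-read"],
                   "last_review": "2024-03-01"},
        "endpoint": {"device_id": "lap-42", "posture": "compliant"},
        "security": {"phish_clicks_90d": 1},
    },
}

# A facade is an allowlist of (domain, attribute) pairs a consuming tool may
# read. Nothing outside the allowlist is ever copied into the view, so the
# consolidated record is never handed wholesale to any single consumer.
FACADES = {
    "runtime-access-policy": {("access", "entitlements"), ("endpoint", "posture")},
    "admin-provisioning": {("hr", "job_code"), ("hr", "manager"),
                           ("access", "entitlements")},
    "career-development": {("hr", "job_code"), ("training", "certs"),
                           ("training", "in_progress")},
}

AUDIT_LOG = []  # every read is recorded: which tool, which worker, what was released


def facade_view(tool: str, worker_id: str) -> dict:
    """Project a worker's record through the tool's facade, or refuse."""
    if tool not in FACADES:
        raise PermissionError(f"no facade registered for tool {tool!r}")
    record = WIDP_RECORDS.get(worker_id)
    if record is None:
        raise KeyError(worker_id)
    view = {}
    for domain, attr in sorted(FACADES[tool]):
        if attr in record.get(domain, {}):
            view.setdefault(domain, {})[attr] = deepcopy(record[domain][attr])
    AUDIT_LOG.append({"tool": tool, "worker": worker_id,
                      "released": sorted(FACADES[tool])})
    return view


def attributes_never_exposed() -> set:
    """(domain, attribute) pairs stored in the WIDP but in no facade, e.g. to
    confirm that salary band and security telemetry never leave the data tier."""
    stored = {(d, a) for rec in WIDP_RECORDS.values()
              for d, attrs in rec.items() for a in attrs}
    allowed = set().union(*FACADES.values())
    return stored - allowed
```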

So why is this a bad idea? First off, humans are, like it or not, territorial creatures. I have a hard time seeing HR, talent development, and an IAM access team all agreeing to share a common foundational layer for their IT infrastructure. Everyone likes to think their data is so remarkably unique that it cannot play with the other kids on the enterprise data playground. (I am not sure, however, that everyone is actually right about that.) But at the same time, I cannot see one single team willing to fund the construction of a WIDP unless a robust chargeback model was in place.

Second, this is a bad idea because… when does data consolidation lead to better outcomes? Larger data repositories just make for larger data spills and losses. Consolidating cross-domain workforce data would create an absolute honeypot for both classic adversaries as well as newer GenAI-powered emergent ones. (I bet I could train an Ian-bot on WIDP data about me… which might be awesome or horrible or both.) But the fundamental question remains - if a WIDP existed, would it bring some form of efficiency or risk-reduction to the enterprise?

Lastly, a WIDP is likely a bad idea because the value of a WIDP comes from the multiplicity of data it contains, but proving that value either has to happen at scale or not at all. Either you get a sufficiently diverse spread of kinds of data in it and thus see value, or you cannot get enough to show that value. Said differently, building a pilot version of a WIDP is the same effort as building a production WIDP… and I am not sure, yet, that the juice is worth the squeeze so to speak.

I cannot tell you how much better I feel now that I have this bad idea out of my head. So what do you think? Are WIDPs as bad of an idea as I think they are? Or are they the new data tier for our identity fabrics?