Oh What a Tangled Web…

In May 2014, Ian Glazer posted a draft of his Laws of Relationships (for Identity Management). In June he presented these at the IRM Summit. Ian is a member of the Kantara working group on Identity Relationship Management and he has ‘donated’ his Laws to that initiative. It is to Ian’s credit that he actually asked his audiences to turn on their ‘BS detectors’ and to challenge his thinking at will.

This post is the third in a series I am writing on the Laws.


Ian Glazer’s Laws of Relationships contain two axioms about relationships. The first is, in Ian’s words;


Clearly the future holds more of everything for identity management. Relationship management much be scalable in terms of the number of actors, relationships, and attributes. But those three axes are insufficient, we must also keep in mind scalability of administration.

This axiom clearly reflects a point from the Kantara Pillars of Identity Relationship Management. (1) Which include the following ‘technical pillar’:

INTERNET SCALE over enterprise scale

Today’s users access secure systems not just on premises, but in the cloud and via the Internet, any time, day or night. Today’s users are not just employees logging on at work but also partners, customers, and devices signing in from anywhere. As the number of users grows exponentially, modern IRM systems must be able to accommodate hundreds, thousands, or even millions of additional identities instantaneously, achieving a scalable volume that was neither possible nor needed for the enterprise, but is essential in an Internet-connected, consumer-facing world.

These are compelling assertions. They chime with the expanding role of the internet in daily life that we see all around us. It is unproblematic to posit that scalability is an essential or definitive characteristic of contemporary digital identity. The real discussion starts with what scalability means to identity, and how it might work.

One of my axioms for digital identity is more basic,

Digital identity exists to allow relationships to be mediated by machines.

The reason I come back to this axiom so often is that it reminds us that relationships precede access control. Access control is just a use case. Digital identity doesn’t need to exist at all if there is no relationship to manage.

Ian is correct to equate identity and relationship management. A corollary of that equality is that scaling digital identity means scaling relationships.

So, to understand how identity scales we need to understand how relationships scale. And because relationships always involve at least two parties that means thinking about networks.

When we access a service, we are establishing or enjoying a relationship with the provider of that service. So let’s say have an account with a bank….

 isolated identity

Of course that relationship is likely to be relevant to another relationship. Your employer, with whom you have a different relationship is going to need to understand your relationship with the bank so that it can fulfill its obligation to pay you…


See where we are going?

We exist in a vast web of different relationships, which may be connected to each other in different ways. Relationships can take all kinds of forms. If we think about it, each of them is a section of a network.

relationship network

Which by the way, brings me to my second “axiom” of identity.

Identity is a function of networks.

Even when the relationship is a simple isolated two-party affair, it is still a network. It’s just a very simple one.

isolated identity

What the internet has done is make it very difficult to ignore the network. (2)

Keeping the network in mind it should be easy to see that for identity, scaling is not a matter of quantity. Networks can grow in different ways.

We could look at scale as the growth of different kinds of relationships between the same parties…

Relational Scale

Or are we trying to scale the identity or service domains….

Relational Scale 2

Or everything at once….

Relational Scale 3

As I said above, the scale problem has been around since we started connecting systems together. Historically we have become very dependent on X.500 directory technology to solve the scale problem.

What isn’t often considered is that directories are a topological solution. They take the chaotic problem of scaling networks of relationships and attempt to reduce everything to a single, star, topology (3)

center of all

I think we don’t think about the topological position of directories themselves, because we tend to focus on the internal topology of each directories containers. But at the architectural level, the star topology is pretty much the X.500 stock-standard answer to scaling digital identity. What we need to remember in passing is that the directory-at-the-center topology however didn’t remove, so much as mask the topological complexities of digital identity. (4)

And in the end it didn’t matter when the next solution to scale came around – federation…

Fedaeration Scale

Because we are back to fluid merging topologies on a meta-scale – and everything old becomes new again.

Let’s recap…

  • Digital identity allows machine mediated relationships.
  • Relationships, and therefore identity, are a function of networks.
  • Networks don’t just grow in size, they also change shape (topology).

And let’s reconsider the nub of Ian’s axiom…

Relationship management much be scalable in terms of the number of actors, relationships, and attributes. But those three axes are insufficient, we must also keep in mind scalability of administration.

There are four factors Ian lists as subject to scale…

  1. Actors
  2. Relationships
  3. Attributes
  4. Administration

I think I have done enough spade -work in this post to jump directly to a couple of observations…

From a network point-of-view actors and relationships are indivisible. You can’t have one without the other. The quantitative growth of more actors of the same kind, or of more relationships of the same kind…

Relational Scale 2

…is a trivial case. What matters is the ability to model and manage meaningful changes in the topology of networks of relationships…

Relational Scale 3

In the realm of identity relationship management (if we are going to make that a thing), it is this second ‘graph’ we should keep in mind when we talk about scaling digital identity.

Finally it is worth asking how our legacy of directories-everywhere constrains the design of topologically sophisticated services.

Constraining the topology of the identity domain is actually a smart choice. Star topologies are powerful simplifiers.

Unfortunately X.500 actually applied a star topology to the communications and security network and not the relationship network (roles, entitlements, cohorts, authorisations). The freely unfolding network of relationships is still there in all its polymorphic glory, it is just occluded (and ossified) inside our directories. (5)

In summary, the consequences of Ian’s first axiom are that digital identity needs to move into the realm of ‘big data’ and MapReduce-like production capabilities. Because making digital identity work at internet scale is that kind of problem – and even more so the task of making digital identity relationship services technical feasible.


But, you ask through this lame rhetorical device, what about attributes and administration?

Well there’s this…

Ian’s axiom is a little untidy, ontologically speaking. The questions about what it means to scale attributes and administration are of a different order. But they are interesting, and this post is already longer than I expect most people to read. So I am going to leave them for an Axiom 1b discussion.



(1) Well worth a read if you are interested in the future of identity. However, I want to disclaim a strong allegiance. The capitalist weltanschauung  exerts too strong a hold on the author’s mind for my taste. The bit about ‘top line revenue’ and ‘operating expenses’ is a sour, small-minded note in what could have been a visionary document. We are talking about how the world works here.

(2) It isn’t the internet per se. It’s simply networks. The first big transformation in identity, from isolated to centralised architecture was a response to the first organisational LANS.

In fact the evolution of digital identity architecture from isolated, to centralised, to federated to domainless / user-centric exactly mirrors the growth of networks.

If you understand that, then you will understand that digital identity has been scaling from the start. Production systems for digital identity services have been shaped by the need to scale.

(3) Centrum omnium sum – I am the center of all things.

(4) How directories became the carpets-under-which-awkward-topologies were swept is an interesting history – but there really isn’t room here for what would be a massive digression.

(5) Another – more nuts and bolts – perspective on the problem of legacy and directories is provided by Michael Prompt (Radiant Logic) in a series of posts – also in response to Ian Glazer – that starts with Why Kill Identity Management When You Can Virtualise IT? Michael here is focused on a particular technology strategy – virtual directories – but he casts some useful light on problems I have touched on here. I highly recommend the series – with no implication I recommend Radiant Logic’s product,  about which I know little.

4 thoughts on “Oh What a Tangled Web…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s