Monday, April 17, 2006

imho Arch of Governance pt 1 of n


The current meditation started when I accepted the position of principal analyst with Current Analysis.

Surveying the vast domain of my focus area (data management) and just following a long DRM sequence, it occurred to me that DRM is what you might call a use case of “data governance”: “flexible deployment of content-control policy-enforcement logic throughout networks” (hence sort of under my current coverage scope; in fact, you may notice this in the previous post: “governance of … distributed data…in the form of a corporate-standard master data management (MDM) environment”).

But governance sprawls across many coverage areas, including information security (“heavyweight content security, policy, trust, and key management infrastructure that will inevitably be embedded everywhere”), which is the province of my colleagues Andrew Braunberg and Charlotte Dunlap. It also fits squarely into the SOA governance province of my colleague Shawn Willett.

Regardless…no need to feather my overcrowded nest any further…this concept of governance keeps creeping into my thinking on many topics. Federated identity, for example. In a November 22, 2005 post, I list one of the elements of federated IdM patterns as “federation governance,” with the alternatives of “bilateral trust agreements” and “multilateral agreements.” (Yes, I am using my blog as a memory aid).

And on January 27, 2005, I posited the following “laws” (normative) of “identity governance”:

  • Law of identity federation: Domains must be able to establish trust relationships under which they can choose to accept each other’s identity assertions and honor each other’s identity decisions--or reject them--subject to local policies.
  • Law of identity assurance: Entities must be able to unambiguously ascertain, resolve, and verify each other’s identities, and reserve the right to refrain from or repudiate interactions in which such assurance is lacking.
  • Law of identity self-empowerment: Humans must be able to self-assert their identities, and reveal or conceal as much or little of their identity as they wish, at any time, for any reason, from any other party, for any duration, and also to unilaterally defederate from any domain that deliberately or inadvertently compromises or violates these rights.

All of which brings us to the core issue (of this post at least). What exactly is “governance”? And what exactly distinguishes it from “management,” “administration,” “access control,” “federation,” and other related terms of art in this industry? Is “governance” simply another empty fuzzword coined to give the false impression of new substance?

It occurs to me that, in IT contexts, “governance” is usually used in the same breath as “federation.” And both terms are used in contexts in which responsibility for some functions (e.g., authentication, authorization, etc.) is decentralized across two or more autonomous peer sibling domains. In other words, governance as barely controlled anarchy. As an alternative to centralized, command-and-control environments, in which there is a parent/child relationship between domains (in other words, hierarchy, aka big G Government).

But of course, some use “governance” to characterize all options on the spectrum from anarchy to hierarchy. All of it describing the different control structures on human interactions, some of which emerge from the confusion of decentralized self-interested interactions (e.g., Adam Smith’s “invisible hand”) and some of which are imposed by very visible iron hands.

If we take the most global definition of “federation,” we can describe it as one type of governance structure, to wit:

  • “Federation is a governance structure in which autonomous domains choose to honor each other’s decisions and accept each other’s assertions in some realm of human endeavor—such as identity management, data management, or SOA management--subject to business contracts, trust relationships, interoperability agreements, and local policies.”
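To make the definition concrete, here is an added example (my own sketch, not code from the post or from any product it mentions) that models the three "laws" above as a policy decision: a domain honors a peer's identity assertion only under a bilateral or multilateral trust agreement, subject to its own assurance floor, and either a peer domain or the subject can defederate unilaterally. Domain names, assurance levels and the federation registry are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Assertion:
    issuer: str      # domain vouching for the subject
    subject: str
    assurance: int   # issuer-claimed identity-proofing level, 1 (weak) to 3 (strong)

@dataclass
class Domain:
    name: str
    min_assurance: int = 2                          # local policy floor (law of assurance)
    bilateral: set = field(default_factory=set)     # peers with a two-party agreement
    multilateral: set = field(default_factory=set)  # multilateral agreements this domain joined
    withdrawn: set = field(default_factory=set)     # subjects who defederated from this domain

    def federate(self, peer: Domain) -> None:       # bilateral agreement, recorded on both sides
        self.bilateral.add(peer.name)
        peer.bilateral.add(self.name)

    def defederate(self, peer: Domain) -> None:     # either side may withdraw unilaterally
        self.bilateral.discard(peer.name)

    def evaluate(self, a: Assertion, federations: dict) -> tuple[bool, str]:
        """Law of federation: accept or reject a peer's assertion under local policy."""
        shared = any(a.issuer in federations.get(f, set()) and self.name in federations.get(f, set())
                     for f in self.multilateral)
        if a.issuer not in self.bilateral and not shared:
            return False, "no trust agreement with issuer"
        if a.subject in self.withdrawn:                   # law of self-empowerment
            return False, "subject has defederated from this domain"
        if a.assurance < self.min_assurance:              # law of assurance
            return False, "assurance below local policy"
        return True, "accepted"

def demo() -> list:
    # Constructed scenario: acme<->globex bilateral; acme and initech in one multilateral ring.
    acme, globex = Domain("acme"), Domain("globex", min_assurance=3)
    initech = Domain("initech", multilateral={"retail-ring"})
    acme.multilateral.add("retail-ring")
    federations = {"retail-ring": {"acme", "initech"}}
    acme.federate(globex)
    results = [acme.evaluate(Assertion("globex", "alice", 2), federations),     # accepted
               globex.evaluate(Assertion("acme", "alice", 2), federations),     # globex wants level 3
               acme.evaluate(Assertion("initech", "bob", 2), federations),      # via multilateral ring
               initech.evaluate(Assertion("globex", "carol", 3), federations)]  # no agreement at all
    acme.withdrawn.add("alice")                                                 # alice opts out of acme
    results.append(acme.evaluate(Assertion("globex", "alice", 3), federations))
    globex.defederate(acme)                                                     # globex walks away
    results.append(globex.evaluate(Assertion("acme", "dave", 3), federations))
    return results
```

Each tuple returned by `demo()` is the decision plus the governing reason, so the same engine could be run against a different local policy or agreement set to see which law vetoed a given assertion.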

Or you can characterize federation as governance built up from contracts, and the alternative (hierarchy) as governance handed down from constitutions and covenants. Contracts vs. constitutions: horizontal vs. vertical policy envelopes: negotiated vs. decreed governance environments.

All a part of the art of governance. Or the arch of covenants.