Identity Management Comes of Age

The past several weeks have seen an onslaught of articles regarding privacy, identity and security. Most of them bemoan the fact that we all have too many passwords, they are difficult and costly to manage, and that “there must be a better way!” Suggestions have ranged from password-reset and password-synchronization software, to biometrics such as finger scans, to third-party “trusted sites” that will act as a broker for all your private information.

This shotgun approach comes in response to a very real problem: We really do have too many passwords — too many ways of identifying ourselves. It’s a problem for the organizations that store this information online, since we will probably forget some of our passwords at various times, and it can cost from US$15-100 to do a reset. Multiply that by the hordes of people who increasingly live online, and you can see that the cost is astronomical. But it is even worse for consumers, since we need to balance our need for seamless access to information, with the overwhelming requirement for identity protection.

Dawn of a New Era

Several weeks ago we wrote about consumer trust, and discussed various ways for organizations to provide both strong security and user convenience. We mentioned that the Liberty Alliance, a coalition of more than 170 businesses and organizations around the world, is making progress in using digital identity services to help build consumer confidence, and promised an update on their activities.

This week we will report on four important deployments that might just represent a new era in online business. Although aimed primarily at employees, they nevertheless represent important steps forward in the quest for improved security, customized content delivery and simplification of the Web experience through federated identity.

Simplified Employee Experience

General Motors was one of the founding members of Liberty and recognized early the value of the federation model. They focused first on an effort to simplify the user experience for internal GM employees and users when communicating both with internal applications and with the many outsourced services GM provides. From employee benefits to corporate travel to expense accounts, GM is looking to federation to make the experience easier, seamless, secure and private.

With GM, cutting costs was a side benefit. The main objective of the initial program was to improve the level of employee satisfaction. GM sees the creation and management of digital identities as keystone technologies for the future, especially in ventures such as OnStar that deal directly with the consumer. And, in light of increasingly stringent regulation, security and risk management are critical factors. Why did this initiative rise to the top at GM?

“When you look at the market, and what’s happening around identity theft, phishing, privacy concerns, and privacy regulations in the U.S. and in Europe — how can you NOT make this a corporate initiative?” asks John Jackson, Director of Software Technology at GM. “It would be irresponsible to ignore identity management. And Liberty is the right way to go — especially as we begin to see convergence in the market.”

Supply Chain Enablement

The automotive industry is an early adopter of federation for supply chain enablement. An initiative launched in 2001 by a consortium of companies including General Motors Daimler Chrysler, Ford and others, provides centralized interoperability and security that actually enables participating companies to securely expose their applications, data and business processes to trading partners — even when they are competitors. In a highly competitive industry like this, it is imperative that trade secrets be kept secret. Yet just as important is the need to expose applications to suppliers, to achieve efficiencies and ensure timely transaction processing.

According to Dave Miller, Chief Information Security Officer of Covisint, “Manufacturing is global — your trading partners might be in Japan or South America, so as you open up your applications, you will need to provide 7×24, multi-lingual help desk support for your external users. We feel it’s much better to rely on federation to eliminate the need for dozens of passwords, and let supply chain members use only one authentication method to securely access all those applications for which they have permission.”

Access to Political Information

BIPAC — the Business Industry Political Action Committee — set out to solve a different problem. For over four decades, BIPAC has provided detailed information on elected officials, voting information and the like, to America’s business community. However, under Federal Election Commission regulations, company Political Action Committees (PACs) are regulated in terms of what types of information they can provide can provide managers, executives and shareholders (the “restricted class”) as opposed to all employees.

Until now, in order to remain compliant with both federal and widely-varying state regulations, employers had to settle for paper-based communication, or for sending sensitive employee information to a third party who would ensure the guidelines were being adhered to – an expensive proposition. BIPAC developed a Liberty-based solution, the Prosperity Project, that would protect employee privacy, eliminate the need for third-parties, and provide relevant information to employees without requiring additional registration or logon.

An employee signs onto the company intranet, and can then seamlessly visit the Prosperity Project site. BIPAC checks behind the scenes to make sure that only information specific to that employee is shown, and that the company is in compliance with all regulations. Perhaps most important, employee privacy is protected: The only data sent to BIPAC is the information needed to find the right content.

Value-Added Products and Services

AOL took a different tack. Rather than concern themselves with federation per se, they focused on the broad issue of identity-based Web services. Over a year ago they put into production a set of radio and photo services that use Liberty Alliance protocols for authentication and discovery services.

Using the standard protocols has enabled the company to rapidly spread the approach to a number of consumer electronics device vendors who have since built Liberty layers into their products. By extending the idea of identity management beyond the single sign-on and password simplification problem, AOL is looking to the future when devices will communicate with applications, on behalf of users. This calls for robust standards that are focused on privacy and security.

Conor Cahill, Chief Architect at AOL, explains: “Customers around the world are demanding standards-based solutions. We at AOL have found that Liberty is the only one comprehensive solution that allows you to do identity-based Web services. And the beauty of this is that the consumer can have access to a variety of higher-value services while preserving their privacy. I would characterize this implementation as an unqualified success.”

Conclusion

Identity management is an idea whose time has come, as evidenced by the variety of tools, initiatives and services. We have discussed a few in this article, but there are many more that affect not only employees and partners, but consumers as well.

Many in industry believe that it is only a matter of time before the early implementations of federated identification, and Web-based identity management, become standard operating procedure. If so, this bodes well for e-business in general, and for the consumer in particular.