Toward Federated Identity Management

The 1990s witnessed the adoption of IT systems designed to streamline business processes through electronic automation. The introduction of these systems has challenged companies with how to integrate and maintain an increasing number of distributed networks and platforms.

The challenge of managing these systems has resulted in a complex IT dilemma, namely how to control costs and maintain security while increasing access to information. To meet these new challenges, digital identity technologies are being recognized as a key ingredient in designing systems to accommodate distributed-computing models. As IT systems become more distributed and interdependent, companies are turning to digital identity-based architectures to identify each component.

To help manage the access to information, companies are integrating identity management systems that automate processes like user provisioning, password management and access control. However, the bulk of these solutions have focused on the internal use of identity management solutions, and not on intercompany information management.

Microsoft has promoted one response to this dilemma, namely the centralized identification model called .NET Passport. But critics have faulted that model as being fraught with security risks, largely because all user data is stored in one place. In light of these risks, alternative strategies — like federated identity management — are beginning to emerge.

Toward Federated Identity

Federated identity management (FIM) — which entails managing identities across security domains — has emerged as a compelling security strategy in today’s distributed IT environments. Unlike more conventional identity-management systems, federated identity management raises many complex issues.

To appreciate the FIM challenge, corporations must recognize that some identity information exists beyond the firewall and is beyond any single corporation’s control. As a consequence of federation, companies must deal with issues like liability and trust. These new challenges give rise to new costs, including the cost of establishing agreements with partners, the cost of implementing new technologies and the cost of maintaining security.

While it’s possible to control the costs and complexity of federated identity on a limited scale, wide-scale federation introduces many new challenges. To enable wide-scale federated identity systems, both technology and business standards must be established. The business issues of mutual confidence, liability, risk and compliance must be addressed for federation to become a reality.

Interoperability Standards

Technical interoperability is the cornerstone of federated identity. The Liberty Alliance Project is one consortium working on open standards for federated identity. Over the past two years, the alliance has issued two phases of specifications for federated identity that are already being supported in various products.

The first set of specifications focuses on opt-in account linking and single sign-on capabilities, while the second set focuses on a framework for identity-based Web services. Federated identity requires that the privacy requirements of all principals be satisfied. The exchange of data cannot violate legislation such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm Leach Bliley Act (GLB).

The challenge of federated identity lies mainly in managing and aligning the requirements of all constituents. Without doing so, constituents soon might find themselves at odds with government legislation, privacy concerns or enterprise requirements.

Ever-Expanding Federations

When engaging in federation, legal agreements become increasingly necessary. To overcome some of the associated challenges, new models of peering that do not introduce proportional costs or inconsistencies must be explored.

Imagine a brokerage firm that uses a shared identity to access an account to perform a trade, but is unable to do so because of a problem stemming from authentication. Who is liable here? What is the trader’s recourse? And what are the procedures for resolving the incident?

In today’s environment, parties specifically limit liability. With federated identity, intercompany dependencies become even more substantial, with the ramifications of inaccurate assertions becoming even more damaging. The future of Web services and federated identity depends upon the definition of methods for quality assurance in cases in which users assert identity. Furthermore, accountability must be established within the larger context of federation.

Quality Assurance and Risk

Without the ability to ensure quality assertions between companies, the cost of trust outweighs the rewards. The foundation of quality assurance begins with the ability to define minimum standards and requirements and the subsequent ability to enforce those standards and requirements.

One federated identity risk is security interdependency. The possibility of fraud between linked accounts is potentially terrifying. Solutions that allow companies to minimize security breaches, as well as quickly limit the resulting damage or financial exposure, will be essential.

Every interaction that involves a third party introduces risk. Each company must evaluate for itself how much it is willing to invest to reduce risk. In the current environment, companies typically address risk on a company-by-company basis — a format that is inappropriate in a federated environment. One way to address this issue is to define the minimum standards and procedures for a federation and then track adherence to these standards.

As authentications and attributes are shared within a federation, businesses must be cognizant of privacy rights and preferences. Federated identity does not work if an individual is subjected to differing privacy policies, but is not explicitly made aware of such fact as he or she moves from one company to another.

Recent Federal Legislation

Recent federal legislation has required strict verification and authentication for identity management. Growing numbers of state laws also are forcing companies to deal with the complexities of federated identity. One analogy that can serve as a model for understanding how the challenges of federated identity should be solved can be found in the history of ATM networks.

For decades, the banking industry was characterized as a regional business. With the advent of ATMs, a bank’s presence extended to a greater number of locations. While this enhanced consumer convenience, it also created a problem: How could individuals remove cash from any ATM even if that ATM was not sponsored by the individual’s bank?

To resolve this problem, banks began establishing regional ATM relationships. But even then, it was cost-prohibitive for banks to establish a never-ending number of relationships with other banks. Thus, ATM networks were established to respond to the peering dilemma.

By establishing a set of common operating rules and regulations, these ATM networks were able to ensure quality control and assurance. This allowed all participants to maintain security and mutual confidence. At the core of these networks was a member-owned corporation that provided a fair and equitable governance structure.

Business Challenges

Businesses are challenged by two seemingly opposed trends: increasing access to information and maintaining security. Digital identity constructs are helping solve this dilemma.

But the industry needs new infrastructures to manage these identities. Corporations are investing in identity-management solutions, but these solutions do not address many of the issues that result from federated identity technology.

As companies enter into an increasing number of electronic relationships involving identity, there is a commensurate need for a business framework that will provide consistent end-user handling, a means for dispute resolution and liability, and a baseline for privacy compliance.

Through common business frameworks and shared services, companies can efficiently engage in wide-scale federated identity.