Brave New World of Identity Management
Brave New World of Identity Management Tsecurity.com: Is federated identity management seeing greater adoption these days? Has the market expanded since standards coalesced around SAML 2.0 and WS-Federation? Lander: We are definitely seeing greater adoption. I don’t think it is coming in waves. It is a slow, but gradual adoption of technology – both the technology and the business concepts that federation allows.The technology is more mature. You have general availability of systems that come with solid SAML 2.0 and WS Federation support built in. ITsecurity.com: Are any particular industry segments leading the way in the adoption of federation?Lander: Telecommunications and financial services look at federation.For the most part, on the enterprise-side federation is somewhat limited to cost reduction initiatives. For example, being able to outsource the management of identities to the identity provider. So, if you can image CA has a partner that manages our 401k. By enabling federation between CA and the mutual fund company, we can log into their site using our CA identity and the authentication and validation of that identity is done by CA. This way, the mutual fund company doesn’t have to maintain a help desk in case we forget out passwords. It lowers their cost of providing services.ITsecurity.com: And beyond cost reduction?Lander: [Businesses] start asking questions: how can we use this to grow and not just save money?For example, they can offer a service or a product that they don’t manage themselves. By being able to integrate with a service provider they are able to resell the service to their user base and do it quickly.We’re seeing some deployment in the telecom community where consumers, for example, who have cell phones can subscribe to different offerings from their providers even though those offerings or services may in fact be delivered from a [third-party] service provider.We are also seeing some federation initiatives in the financial sector around business-to- consumer type environments. For example, one financial services company can team up with another to deliver a unified banking experience covering a variety of different banking products. So if one company offers checking and savings and the other company offers brokerage services, they can team up. ITsecurity.com: I’ve heard that user-centric federation represents the next wave. How do you see this area evolving? Lander: We are seeing some activity and participate in all the industry initiatives. User centric stems from the fact that there is some amount of control that the user has … as part of the federation process between the service provider and the identity provider. Right now, the system is fairly rigid. We don’t decide who our service providers should federate with. Once the technology is more widely accepted, we will have greater say in getting our service providers to federate with our identity providers. [User-centric federation] will be subject to liability issues. There are more relationships, and because there are more relationships, there are more instances where liability needs to be addressed. When the technology starts being used commercially, the first users of the technology will be in the business-to-consumer environment, not in the enterprise. Imagine a scenario where you go into a site and you’re asked to provide your credential and to provide some information -- whether or not a person is over a certain age, 18 or 21. Today, what you have to do is say yes or no. With the user-centric paradigm, it is going to be someone else who will vouch for age and then issue the claim. Instead of presenting your age to the site that is asking, you present the claim that vouches that you are over a certain age. This way privacy is maintained. It’s actually good for everyone involved. You want to maintain privacy. The organization doesn’t want to deal with privacy issues. ITsecurity.com: Any advice for organizations planning to pursue federation? Is this something that they can do in stages?Lander: They need to … make sure they understand the business requirements. They need to understand legal requirements as well. The technology is almost never an issue with federation. It’s the legal agreements, the liability agreements that have to be worked out. From the technology perspective, federation is about separating the use of identity from the management of identity. The use of identity, of course, is with the service provider and the management of identity, and establishing one’s identity, that responsibility is with the identity provider. So, by definition, you have an identity provider and a service provider [and] they need to have an agreement … that specifies what happens if the identity isn’t the identity that is claimed by the identity provider. Who is responsible when the password is stolen? Is it the identity provider or the service provider?You need to … roll [federation technology] out in phases. You probably don’t want to federate among too many partners immediately. You want to create a pilot program and generate some success stories and, upon reaching success, make sure the rest of the organization knows about it.We see people starting with one application. Once they show the success, they create the buy in. I don’t know where the cut-off number is, but once you start to do more than a few [applications], you’ll probably start looking at a shared [federation] infrastructure.