RealTime IT News

Liberty Looks to Federated ID Business Issues

Noting that federated network identity requires more than just technology solutions, the Liberty Alliance Project Tuesday published what it considers a foundational document that outlines the business issues associated with wide-scale deployment.

The Alliance, a two-year-old consortium of 170 companies focused on developing and deploying federated network identification standards, said the new business guidelines document would be the first of several such documents.

Federated identity is a critical issue for Web services and other technologies that help integrate the networks of organizations with their partners, suppliers and customers.

IT managers are increasingly challenged with integrating identity management solutions that automate the procedures for user and role provisioning, password management and access control -- but many of these systems are focused on internal identity, and don't do much to help IT administrators manage identity outside their organizations' control.

That's where federated identity comes in: an infrastructure that allows users to "link" elements of their various online identities (at their places of employment, banks, credit card companies, brokerage firms, national IDs, pension funds and medical providers) without centrally storing all of their information.

For businesses, it facilitates Shared/Single Sign-On (SSO), which reduces redundant logons by allowing applications, systems and companies to share a user (identity) authentication.

At the same time, SSO raises issues like liability, risk and the cost associated with establishing trust and security. And these issues are heightened by the deployment of technologies like Web services, which essentially provide APIs that allow users to drill into back-end databases. While this provides many key business benefits without requiring expensive and time consuming custom integration, it also means that organizations must carefully guard access to critical services.

"The real value in Web services will never be reached until companies can more securely and efficiently manage trusted relationships among partners, suppliers, employees and customers," Michael Barrett, president of the Liberty Alliance Management Board and vice president of Internet strategy at American Express, said at the Burton Catalyst Conference in San Francisco, where he unveiled the new document. "Identity is the foundation of any trusted relationship, and there is a great deal of complexity in how businesses manage and share that identity information."

The new Liberty Alliance Business Guidelines document highlights four major business requirements that the consortium believes are essential for identity federation:

  • Mutual confidence, which encompasses the processes and tasks business partners must undertake to set minimum quality requirements, certify the other party has met those requirements and manage the risk of exposure
  • Risk management, consisting of the best practices and procedures business partners need to identify to guard themselves from losses due to identity fraud, exposure of identity information and losses of business integrity due to insecure processes or data
  • Liability assessment, consisting of the process for determining what parties will bear which losses, under what circumstances, and how to resolve disputes
  • Compliance, which refers to the agreed-upon standards, policies and procedures and how that compliance is governed, including compliance with local privacy requirements.

The document is an overview, intended to raise the business issues associated with identity federation, and builds the foundation for future documents which Liberty said are intended to become a "source library" to which business partners can refer when putting together a Liberty implementation.

Future documents will include a scenario document, which addresses the significant business issues in implementation scenarios like B2B, B2C, B2Cmobile, and so on. Liberty said the document will provide generic guidance to informational sources like legislation and articles for examining the broad business issues. It is expected by the end of 2003. That will be followed by an implementation document which examines specific Liberty implementation scenarios in both vertical and geographical context. Liberty said it is meant to highlight the differences in business issues as companies in different locations and industries move through implementations. It will include case studies and perspectives from Liberty members who have gone through the deployment process.