RealTime IT News

Lessons Learned With Federated ID

As federated identification technology enters a new phase of interoperability within Web services, the biggest concern for businesses adopting the ID policy is trust, according to analysts at the Burton Group.

Jamie Lewis, CEO and research chair for the Salt Lake City-based research firm, said the notion of a "nirvana of dynamic connections," with businesses around the world exchanging personalized customer information while still addressing privacy concerns, is just that: a higher state of being that won't happen in the short term.

"I think we've got a long way before the standards, the legal frameworks and the case law and the other things that are going to be necessary to make [federated ID] a part of the day-to-day operations a reality, that stuff has yet to evolve," he said during a Web cast.

The notion of a federated ID in today's Web services environment has garnered attention from the corporate world in recent years. More than an authentication scheme allowing users access to different applications on different networks, the technology has tangible business benefits that can be delivered to customers, suppliers and companies in a customized form.

Dan Blume, Burton Group senior vice president and research director for directory and security strategies, cited an airline company as an example. Because of prior experience with the customer, the airline company knows whether he or she wants a window seat. Flight scheduled, the customer can then rent a car at the airline's Web site. With a federated ID agreement between the airline and the car rental agency -- which allows them to swap information during transactions -- the airline is able to extend that personalization to the customer's rental choice too, offering the mid-size vehicle the customer prefers.

But it's not as easy as it sounds. The airline and the car rental company each need access to the other's network of information about a customer, and then have to drill into that information, access that involves a measure of trust along with legal wrangling. For example, who would be liable if one database is hacked and private information is made public?

Blume talked about the challenges for companies facing these issues, noting one top financial company that hired six people to assess federated ID agreements but didn't have standard metrics on which to base a decision.

"There's no standard for how you assess a partner. Often the partner will send you a copy of their assessment but say, 'we don't want to spend $500,000 to do this over again,'" he said. "So you have to look at the assessment the partner sent you and decide whether it's secure enough for you to interconnect with and not risk your own compliance [requirements].

"So we need to get a common vocabulary for security metrics that we can all talk about before we can really hope that firms are going to be able to go out there and affordably provide assessments we can use with many partners," Blume continued.

For the time being, Blume noted, most companies are going to keep federated ID close to the vest, using it only for internal network use or in agreements with established partners.

It's an issue that's been debated for more than a year already. The Liberty Alliance, a consortium of roughly 150 companies organized in 2001 to build open standards for federated ID and identity-based services, outlined many of the issues facing companies in a document in July 2003 entitled, "Liberty Alliance Business Guidelines." It said four essential requirements are needed for companies forging federated ID agreements: mutual confidence, risk management, liability assessments and compliance.

In addition to the technical issues the group is working to resolve -- such as Security Assertion Markup Language (SAML) and WS-Security -- the alliance has developed a "Circle of Trust."

Although the program doesn't solve the assessment or metrics problems posed by Blume, it is a big first step in helping companies that haven't worked together before to forge new working agreements.

"Once a user has been authenticated by a Circle of Trust identity provider, that individual can be easily recognized and take part in targeted services from other service providers within that Circle of Trust," Liberty's FAQ site states.
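The airline and car rental exchange described earlier, and the Circle of Trust rule that only assertions from an agreed identity provider are accepted, can be shown in a small Python example. This is added illustration code, not code from Liberty, the Burton Group, or the original article: the entity IDs, the shared HMAC keys and the per-partner attribute lists are all constructed placeholders, and the HMAC signature stands in for the PKI-backed XML signatures a real SAML deployment would use. What it demonstrates is the service-provider side of the trust problem: the car rental site accepts an assertion only if it comes from a partner in its trust registry, is unmodified, was issued for this service provider, and is still valid, and it keeps only the attributes the federation agreement permits the partner to release.

```python
import base64
import hashlib
import hmac
import json

# Constructed federation agreements for a car-rental service provider (SP).
# Each identity provider (IdP) in the SP's circle of trust has a shared
# signing key (placeholder value) and the set of attributes the agreement
# permits it to release. Real SAML deployments use XML signatures backed by
# certificates rather than HMAC keys, but the acceptance checks are the same.
SP_ENTITY_ID = "sp.example-carrental.test"
CIRCLE_OF_TRUST = {
    "idp.example-airline.test": {
        "key": b"constructed-shared-secret-airline",
        "released_attributes": {"vehicle_preference", "loyalty_tier"},
    },
}


def _sign(key, body):
    """HMAC-SHA256 over the encoded assertion body (stand-in for an XML signature)."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def issue_assertion(issuer, key, subject, attributes, audience, now, ttl=300):
    """IdP side: build a signed assertion about `subject`, addressed to `audience`."""
    payload = {
        "issuer": issuer,
        "subject": subject,
        "audience": audience,
        "issued_at": now,
        "expires_at": now + ttl,
        "attributes": attributes,
    }
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    return body + "." + _sign(key, body)


def verify_assertion(token, now):
    """SP side: accept an assertion only from a trusted IdP, unmodified, for us, and unexpired.

    Returns (subject, attributes), with attributes filtered to what the
    federation agreement with that IdP allows it to release.
    """
    body, sep, sig = token.rpartition(".")
    if not sep:
        raise ValueError("malformed assertion")
    # The issuer field is read before verification solely to select the key;
    # nothing else in the payload is trusted until the signature checks out.
    payload = json.loads(base64.urlsafe_b64decode(body))
    agreement = CIRCLE_OF_TRUST.get(payload.get("issuer"))
    if agreement is None:
        raise ValueError("issuer is not in our circle of trust")
    if not hmac.compare_digest(_sign(agreement["key"], body), sig):
        raise ValueError("signature does not verify")
    if payload["audience"] != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different service provider")
    if not (payload["issued_at"] <= now < payload["expires_at"]):
        raise ValueError("assertion is expired or not yet valid")
    # Data minimization: keep only the attributes covered by the agreement,
    # so a seat preference the airline happens to send is discarded here.
    allowed = agreement["released_attributes"]
    attributes = {k: v for k, v in payload["attributes"].items() if k in allowed}
    return payload["subject"], attributes


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock for a reproducible run
    token = issue_assertion(
        "idp.example-airline.test",
        CIRCLE_OF_TRUST["idp.example-airline.test"]["key"],
        "customer-4711",
        {"vehicle_preference": "mid-size", "seat_preference": "window"},
        SP_ENTITY_ID,
        now=t0,
    )
    print(verify_assertion(token, now=t0 + 10))
```

The trust registry is the code's expression of the business agreement the analysts describe: adding a partner means adding its key and its permitted attribute set, and nothing a partner sends outside that set reaches the application. The assessment and metrics gap the article raises sits in front of that step, in the decision of whether to add the entry at all.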

The good news is that federated identification technology is still in its infancy, and companies still have time to plan out a strategy for dealing with potential partners. According to the Burton Group, up until this year the technology has been riding its first wave, taken up primarily by early adopters.

The second wave won't happen until later this year and next, when Security Assertion Markup Language (SAML) 2.0 ships and more work is done on WS-* standards such as WS-Federation.

Blume said that in time, efforts by the standards group Organization for the Advancement of Structured Information Standards (OASIS, which shepherds the Web services standards movement), Liberty and software vendors will merge into a third wave between 2008 and 2010, when the parts will become whole and Lewis' dynamic-communities nirvana, as well as built-in federation and identity networks, will become reality.

"Ultimately, federation represents a more acceptable set of tradeoffs that are more aligned with business risks and operations," Blume said.