As federated identification technology enters a new phase of interoperability within Web services
Jamie Lewis, CEO and research chair for the Salt Lake City-based research firm, said the notion of a “nirvana of dynamic connections,” in which businesses around the world exchange personalized customer information while still addressing privacy concerns, is just that: a higher state of being that won’t happen in the short term.
“I think we’ve got a long way before the standards, the legal frameworks and the case law and the other things that are going to be necessary to make [federated ID] a part of the day-to-day operations a reality, that stuff has yet to evolve,” he said during a Web cast.
The notion of a federated ID in today’s Web services environment has garnered attention from the corporate world in recent years. More than an authentication scheme allowing users access to different applications on different networks, the technology has tangible business benefits that can be delivered to customers, suppliers and companies at a customization level.
Dan Blume, Burton Group senior vice president and research director for directory and security strategies, cited an airline company as an example.
Because of prior experience with the customer, the airline company knows whether he or she wants a window seat. Flight scheduled, the customer can then rent a car at the airline’s Web site. With a federated ID agreement between the airline and the car rental agency — which allows them to swap information during transactions — the airline is able to extend that personalization to the customer’s rental choice too, offering the mid-size vehicle the customer prefers.
But it’s not as easy as it sounds. The airline and car rental companies each need access to the other’s network of information about a customer and then have to drill into that information, access that involves a measure of trust along with legal wrangling. For example, who would be liable if one database is hacked and private information is made public?
Blume talked about the challenges for companies facing these issues, noting one top financial company that hired six people to assess federated ID agreements but didn’t have standard metrics on which to base a decision.
“There’s no standard for how you assess a partner. Often the partner will send you a copy of their assessment but say, ‘we don’t want to spend $500,000 to do this over again,’ ” he said. “So you have to look at the assessment the partner sent you and decide whether it’s secure enough for you to interconnect with and not risk your own compliance [requirements].
“So we need to get a common vocabulary for security metrics that we can all talk about before we can really hope that firms are going to be able to go out there and affordably provide assessments we can use with many partners,” Blume continued.
For the time being, Blume noted, most companies are going to keep federated ID close to the vest, using it only for internal network use or in agreements with established partners.
It’s an issue that’s been debated for more than a year already. The Liberty Alliance, a consortium of roughly 150 companies organized in 2001 to build open standards for federated ID and identity-based services, outlined many of the issues facing companies in a document in July 2003 entitled “Liberty Alliance Business Guidelines.” It said four essential requirements are needed for companies forging federated ID agreements: mutual confidence, risk management, liability assessments and compliance.
In addition to technical issues the group is working to resolve — like Security Assertion Markup Language
Although the program doesn’t solve the assessment or metrics problems posed by Blume, it is a big first step in helping companies that haven’t worked together before to forge new working agreements.
“Once a user has been authenticated by a Circle of Trust identity provider, that individual can be easily recognized and take part in targeted services from other service providers within that Circle of Trust,” Liberty’s FAQ site states.
The good news is that federated identification technology is still in its infancy, and companies still have time to plan out a strategy for dealing with potential partners. According to the Burton Group, up until this year the technology has been riding the first wave of federated ID adoption, taken up primarily by early adopters.
The second wave won’t happen until later this year and next, when Security Assertion Markup Language (SAML) ships and more work is done on WS-* standards such as WS-Federation.
Blume said that in time, efforts by the standards group Organization for the Advancement of Structured Information Standards (OASIS, which shepherds the Web services standards movement), Liberty and software vendors will merge into the third wave between 2008 and 2010, where the parts will become whole and Lewis’ dynamic-communities nirvana, as well as built-in federation and identity networks, will become reality.
“Ultimately, federation represents a more acceptable set of tradeoffs that are more aligned with business risks and operations,” Blume said.