Noting that federated network identity requires more than just technology solutions, the Liberty Alliance Project Tuesday published what it considers a foundational document that outlines the business issues associated with wide-scale deployment.
The Alliance, a two-year-old consortium of 170 companies focused on developing and deploying federated network identification standards, said the new business guidelines document would be the first of several such documents.
Federated identity is a critical issue for Web services and other technologies that help integrate the networks of organizations with their partners, suppliers and customers.
IT managers are increasingly challenged with integrating identity management solutions that automate the procedures for user and role provisioning, password management and access control — but many of these systems are focused on internal identity, and don’t do much to help IT administrators manage identity outside their organizations’
That’s where federated identity comes in: an infrastructure that allows users to “link” elements of their various online identities (at their places of employment, banks, credit card companies, brokerage firms, national IDs, pension funds and medical providers) without centrally storing all of their information.
For businesses, it facilitates Shared/Single Sign-On (SSO), which reduces redundant logons by allowing applications, systems and companies to share a user (identity) authentication.
At the same time, SSO raises issues like liability, risk and the cost
associated with establishing trust and security. And these issues are
heightened by the deployment of technologies like Web services, which
essentially provide APIs
back-end databases. While this provides many key business benefits without
requiring expensive and time-consuming custom integration, it also means
that organizations must carefully guard access to critical services.
“The real value in Web services will never be reached until companies can
more securely and efficiently manage trusted relationships among partners,
suppliers, employees and customers,” Michael Barrett, president of the
Liberty Alliance Management Board and vice president of Internet strategy
at American Express, said at the Burton Catalyst Conference in San
Francisco, where he unveiled the new document. “Identity is the foundation
of any trusted relationship, and there is a great deal of complexity in how
businesses manage and share that identity information.”
The new Liberty Alliance Business Guidelines document highlights four major business requirements that the consortium believes are essential for identity federation:
- Mutual confidence, which encompasses the processes and tasks business
partners must undertake to set minimum quality requirements, certify the
other party has met those requirements and manage the risk of exposure
- Risk management, consisting of the best practices and procedures
business partners need to identify to guard themselves from losses due to
identity fraud, exposure of identity information and losses of business
integrity due to insecure processes or data
- Liability assessment, consisting of the process for determining what
parties will bear which losses, under what circumstances, and how to
- Compliance, which refers to the agreed-upon standards, policies and
procedures and how that compliance is governed, including compliance with
local privacy requirements.
The document is an overview, intended to raise the business issues
associated with identity federation, and builds the foundation for future
documents which Liberty said are intended to become a “source library” to
which business partners can refer when putting together a Liberty
Future documents will include a scenario document, which addresses the
significant business issues in implementation scenarios like B2B, B2C,
B2Cmobile, and so on. Liberty said the document will provide generic
guidance to informational sources like legislation and articles for
examining the broad business issues. It is expected by the end of 2003.
That will be followed by an implementation document which examines specific
Liberty implementation scenarios in both vertical and geographical context.
Liberty said it is meant to highlight the differences in business issues as
companies in different locations and industries move through
implementations. It will include case studies and perspectives from Liberty
members who have gone through the deployment process.