Roadblocks for shared IDs: Trust, immature standards

Speaking at last week's Digital ID World conference, American Express, Fidelity Investments, Boeing, Fifth Third Bank, Premier and a host of other companies shared their hopes, early successes and concerns as they try to integrate their identity management services with business partners and customers.

The goal is the ability to have users authenticate themselves to their local network and then be able to pass that authentication to partners for access to services or data on the partner's network.

The concept, known as federated identity, would ease user management and the associated costs, improve network security, provide a means to document regulatory compliance and fuel e-commerce and Web services that let partners share computing resources.

Early adopters are reporting some of those benefits mainly in combination with business partners with whom they already have a relationship. Those relationships, they say, are the place to start because they reduce the trust and legal issues inherent in sharing user data and exposing corporate systems.

Both those issues are major sticking points to adoption of federation. Users are concerned not only about liabilities in handling sensitive and often private data, but how partners will use or share that information with others through federation, which could expose otherwise confidential data.

"The challenge in federation is the trust model,"says Mike Beach, associate technical fellow in the shared services group at Boeing. "How do we not jeopardize security, and not anger customers."

Standards challenge

Another challenge is standards.

While there is agreement that identity management standards must converge, there is no industry agreement yet on one benchmark. The Security Assertion Markup Language seems to have garnered more acceptance than the Liberty Alliance specifications, although the two will converge in SAML 2.0, which is nearing standardization.

IBM and Microsoft also are developing a competing specification called WS-Federation. While different in approach, both SAML and WS-Federation look to standardize the way companies share user and machine identities among disparate authentication and authorization systems.

Beach says role-based access, in which a user is granted network privileges based on some defined role such as engineer, is another problem area.

"We do role-based access today with about 400 airlines and each one has its own roles. SAML isn't equipped to deal with that," he says.

Fidelity has half a dozen companies and 200,000 people who use SAML-based federation services. Fidelity also does some federation between its internal benefits site and third-party providers and internal federation so users have access to partners.

"Time and effort put into education and legal issues are among our biggest gotchas," said Alex Popowycz, vice president of information security at Fidelity. But he said the technology solves access issues and agreed with other users that federated identity will be the wave of the future.

"The technology is not ready today, but federated identity will eventually become ubiquitous," Beach said.

Boeing last year kicked off a federated identity deployment with Southwest Airlines. "We are learning that trust is a real problem, slowing much broader deployments. Our pains since deployment have been monitoring, management and troubleshooting. It's hard enough to troubleshoot issues within Boeing, now we have other companies involved."

Those types of issues point to the risks associated with federated identity when users start to share policies, to mandate certain levels of technical operation and try to audit and log the information that is passed between partners.

"The next step from identity management to federated identity is really a huge leap," said Mike Neuenschwander, an analyst with Burton Group, who led a Digital ID World panel of early adopters in a discussion about federated identity.

"We've had some quick thrills but now we want to share such things as user attributes to support personalized services, and you create issues around semantics, privacy and trust," he said.

Users says those issues might be solved by creating smaller communities of trust, possibly by vertical industry, which would create standard policies around sharing identities.

"I look at Covisint in the auto industry where you have a community of trust," said Bob West, chief information security officer for Fifth Third Bank in Cincinnati. Covisint allows those in the auto industry to share business processes.

"You could create the same sort of identity hub," he says.

While users are quickly identifying their concerns, no one seems to be looking back.

"The centralized model [for identity] is dead. It didn't scale in the '90s and it doesn't scale now,"says Michael Barrett, vice president of Internet technology strategy for American Express and the president of the Liberty Alliance.