Accent on access control

Conference to highlight SAML, an emerging standard for identity management.

SAN FRANCISCO - Industry heavyweights this week will throw their support behind a developing standard that promises to help network executives build centrally managed, easily sharable user identity systems.

At the annual Burton Group Catalyst Conference, a parade of vendors, including RSA Security, Netegrity, Oblix and Novell, will announce support for Security Assertion Markup Language (SAML), an emerging XML-based standard for exchanging authentication and authorization information. Also at the conference, those vendors will join Baltimore Technologies, Crosslogix, Sun, IBM's Tivoli Systems and others in a SAML interoperability demonstration.

The biggest shot in the arm, however, will come from the Liberty Alliance, a group of vendors and corporate users who have spent the past six months creating a single sign-on specification. The group will release its work, and announce it is supporting SAML and adding nearly 20 new members.

"Having one place to control where people have access coupled with tools to create a single point of authentication is a big opportunity," says Richard Perry, director of enterprise operations and security for The Burlington Northern and Santa Fe Railway Company in Fort Worth, Texas. The opportunity is tighter security, personalized service, accountability and management efficiencies. "But we need standards for that to happen."

The wave of support for SAML likely will stamp it as a de facto standard, although it won't get official approval from the Organization for the Advancement of Structured Information Standards (OASIS) until fall at the earliest. The only snag could be that Microsoft has yet to commit to SAML, instead focusing on Kerberos as a way to pass authentication information. But Microsoft's commitment to WS-Security, a set of proposed standards it created with IBM and VeriSign and now under review by OASIS, could eventually bring the company into the fold.

SAML is but one important step in creating user authentication and authorization information that is portable across corporate networks so a user authenticated on one company's network can be recognized on another and granted or denied authorization to access resources based on that authentication. This sharing of user identity is being referred to as federated identity management and is emerging as a key technology for distributed e-commerce and Web services.

Perry says SAML "is the first hope for single sign-on in the Web environment."

And Perry knows the benefits of centralizing user access. Last year, he deployed provisioning software from Waveset Technologies to automate account creation and deletion for 45,000 internal users across four different back-end systems and countless applications.

"Now we have centralized user-account control, and we've cut in half the time it takes to establish, change or delete an account," Perry says. His next step is to add single sign-on. "If we can deploy that and make it secure, it's a big competitive advantage."

That's because use of a single user identity lets companies more efficiently control who gets on their networks and what resources they use. They can use ID information to personalize services and portal interfaces. The IDs also can identify not just users but machines that need access to execute Web services in tandem with other machines.

"We expect SAML to have a major-league impact on us," says a vice president for information security with a top financial services firm who asked to remain anonymous. "We can save millions of dollars with a centralized identity system."

The reason is that maintaining user IDs and access controls for potentially millions of users or machines is nearly impossible without combining existing technologies and creating new standards.

"Companies looking at value chain optimization or integrating business processes across company boundaries can't do that on any scale without identity management," says Jamie Lewis, president of Burton Group, which this week will publish a 44-page report called "Toward Federated Identity Management."

Corporations are in the early stages of creating these security infrastructures internally with proprietary products, such as Web access management and provisioning software.

But those products don't scale to Internet proportions because they don't talk to one another and they rely on duplicating information between partners using delegated administration or data synchronization.

But standards alone won't solve the problem. The answer lies in combining standards with policies that govern how shared identities can be used and with integrating security technologies, such as directory, access management, provisioning, workflow and portal software.

Ross Spencer, information security manager for Royal & SunAlliance, one of the largest insurance firms in Canada, knows the issues firsthand.

Pondering identity management

Reduces user management costs.
Provides secure single sign-on combined with authorization.
Creates scalable security infrastructure.
Supports personalization services.

Standards in development stage.
Vulnerable to familiar Web-based computing security issues such as spoofing, DoS attacks.
Companies left to integrate products.

His company is working with Canada's Centre for Study of Insurance Operations to set up a federated identity management system that would let brokers sign on once and get access to quotes from many insurance providers.

"The issues are getting companies on board, the politics and the need for agreements and contracts to govern identity," says Spencer, who currently uses Netegrity's SiteMinder to support single sign-on for 7,000 internal users.

Standards work also is far from finished and it is not aligned across the industry.

For example, SAML does not specify any policy for using identity information. The Liberty Alliance specification will build on top of SAML, adding some policy protocols. Also, SAML does not incorporate a way to establish trust between business partners exchanging identity information.

And SAML, which has strong authentication services, will need the help of another emerging XML-based protocol called XML Access Control Markup Language (XACML) to solve the more complex issue of authorization. A third protocol - the Services Provisioning Markup Language - also will have to be incorporated.

There are other, competing efforts. Microsoft is working on integrating its Passport service with Kerberos, as opposed to SAML, to create a single sign-on credential similar to Liberty's work. Microsoft also is developing TrustBridge, another product to unify sign-on across Microsoft environments, and focusing on Extensible Rights Markup Language, an authorization protocol similar to XACML.

At the conference, OpenNetwork Technologies will try to minimize the standards conflict by demonstrating interoperability between Microsoft Passport and SAML using the company's DirectorySmart access management platform.

Despite all the issues and the fact that federated identity management will roll out slowly, experts say its arrival is guaranteed.

"The security model today is designed to allow people in. It's security of inclusion not exclusion, and that is creating the identity management issue," says Joe Duffy, a partner with PricewaterhouseCoopers Consulting Services.

"Identity management is a fundamental part of any Web-based infrastructure," he says. "And it will be extended to include legacy and other enterprise applications."

