Accent on access control
Conference to highlight SAML, an emerging standard for identity management.
SAN FRANCISCO - Industry heavyweights this week will throw their support behind a developing standard that promises to help network executives build centrally managed, easily sharable user identity systems.
At the annual Burton Group Catalyst Conference, a parade of vendors, including RSA Security, Netegrity, Oblix and Novell, will announce support for Security Assertion Markup Language (SAML), an emerging XML-based standard for exchanging authentication and authorization information. Also at the conference, those vendors will join Baltimore Technologies, Crosslogix, Sun, IBM's Tivoli Systems and others in a SAML interoperability demonstration.
The biggest shot in the arm, however, will come from the Liberty Alliance, a group of vendors and corporate users who have spent the past six months creating a single sign-on specification. The group will release its work, and announce it is supporting SAML and adding nearly 20 new members.
"Having one place to control where people have access coupled with tools to create a single point of authentication is a big opportunity," says Richard Perry, director of enterprise operations and security for The Burlington Northern and Santa Fe Railway Company in Fort Worth, Texas. The opportunity is tighter security, personalized service, accountability and management efficiencies. "But we need standards for that to happen."
The wave of support for SAML likely will stamp it as a de facto standard, although it won't get official approval from the Organization for the Advancement of Structured Information Standards (OASIS) until fall at the earliest. The only snag could be that Microsoft has yet to commit to SAML, instead focusing on Kerberos as a way to pass authentication information. But Microsoft's commitment to WS-Security, a set of proposed standards it created with IBM and VeriSign and now under review by OASIS, could eventually bring the company into the fold.
SAML is but one important step in creating user authentication and authorization information that is portable across corporate networks so a user authenticated on one company's network can be recognized on another and granted or denied authorization to access resources based on that authentication. This sharing of user identity is being referred to as federated identity management and is emerging as a key technology for distributed e-commerce and Web services.
Perry says SAML "is the first hope for single sign-on in the Web environment."
And Perry knows the benefits of centralizing user access. Last year, he deployed provisioning software from Waveset Technologies to automate account creation and deletion for 45,000 internal users across four different back-end systems and countless applications.
"Now we have centralized user-account control, and we've cut in half the time it takes to establish, change or delete an account," Perry says. His next step is to add single sign-on. "If we can deploy that and make it secure, it's a big competitive advantage."
That's because use of a single user identity lets companies more efficiently control who gets on their networks and what resources they use. They can use ID information to personalize services and portal interfaces. The IDs also can identify not just users but machines that need access to execute Web services in tandem with other machines.
"We expect SAML to have a major-league impact on us," says a vice president for information security with a top financial services firm who asked to remain anonymous. "We can save millions of dollars with a centralized identity system."
The reason is that maintaining user IDs and access controls for potentially millions of users or machines is nearly impossible without combining existing technologies and creating new standards.
"Companies looking at value chain optimization or integrating business processes across company boundaries can't do that on any scale without identity management," says Jamie Lewis, president of Burton Group, which this week will publish a 44-page report called "Toward Federated Identity Management."
Corporations are in the early stages of creating these security infrastructures internally with proprietary products, such as Web access management and provisioning software.
But those products don't scale to Internet proportions because they don't talk to one another and they rely on duplicating information between partners using delegated administration or data synchronization.
But standards alone won't solve the problem. The answer lies in combining standards with policies that govern how shared identities can be used and with integrating security technologies, such as directory, access management, provisioning, workflow and portal software.
Ross Spencer, information security manager for Royal & SunAlliance, one of the largest insurance firms in Canada, knows the issues firsthand.
His company is working with Canada's Centre for Study of Insurance Operations to set up a federated identity management system that would let brokers sign on once and get access to quotes from many insurance providers.
"The issues are getting companies on board, the politics and the need for agreements and contracts to govern identity," says Spencer, who currently uses Netegrity's SiteMinder to support single sign-on for 7,000 internal users.
Standards work is also far from finished, and it is not aligned across the industry.
For example, SAML does not specify any policy for using identity information. The Liberty Alliance specification will build on top of SAML, adding some policy protocols. Also, SAML does not incorporate a way to establish trust between business partners exchanging identity information.
And SAML, which has strong authentication services, will need the help of another emerging XML-based protocol, the XML Access Control Markup Language (XACML), to solve the more complex issue of authorization. A third protocol - the Services Provisioning Markup Language - also will have to be incorporated.
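The gaps above mean the relying party, not SAML itself, has to decide which partner issuers it trusts and whether an assertion is meant for it and still valid. As an added illustration (not code from the article or from any vendor named in it), here is a relying-party check over a constructed SAML 1.0-style authentication assertion; the issuer and audience URLs, the subject and the trusted-issuer list are invented for the example, and signature verification is assumed to happen before this step.

```python
# Added example: relying-party validation of a SAML 1.0-style assertion.
# The assertion XML, issuer, audience and subject below are constructed for
# this example. The trusted-issuer set stands in for the out-of-band partner
# agreement that SAML does not establish. Signature checking is assumed done.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample assertion from a hypothetical partner identity provider.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" AssertionID="example-assertion-1"
    Issuer="https://idp.example-partner.test" IssueInstant="2002-07-01T12:00:00Z">
  <saml:Conditions NotBefore="2002-07-01T12:00:00Z" NotOnOrAfter="2002-07-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://broker-portal.example.test</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2002-07-01T11:59:58Z">
    <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

def parse_ts(value):
    # SAML timestamps are UTC; parse to an aware datetime for safe comparison.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, trusted_issuers, my_audience, now):
    """Return (ok, reason, subject). Anything not explicitly allowed by the
    partner agreement, audience restriction or validity window is rejected."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not a SAML assertion", None
    if root.get("Issuer") not in trusted_issuers:
        return False, "untrusted issuer", None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", None
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")  # NotBefore is optional
    if noa is None or now >= parse_ts(noa) or (nb is not None and now < parse_ts(nb)):
        return False, "outside validity window", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if my_audience not in audiences:
        return False, "audience mismatch", None
    subj = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if subj is None or not subj.text:
        return False, "no authenticated subject", None
    return True, "ok", subj.text
```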
There are other, competing efforts. Microsoft is working on integrating its Passport service with Kerberos, as opposed to SAML, to create a single sign-on credential similar to Liberty's work. Microsoft also is developing TrustBridge, another product to unify sign-on across Microsoft environments, and focusing on Extensible Rights Markup Language, an authorization protocol similar to XACML.
At the conference, OpenNetwork Technologies will try to minimize the standards conflict by demonstrating interoperability between Microsoft Passport and SAML using the company's DirectorySmart access management platform.
Despite all the issues and the fact that federated identity management will roll out slowly, experts say its arrival is guaranteed.
"The security model today is designed to allow people in. It's security of inclusion not exclusion, and that is creating the identity management issue," says Joe Duffy, a partner with PricewaterhouseCoopers Consulting Services.
"Identity management is a fundamental part of any Web-based infrastructure," he says. "And it will be extended to include legacy and other enterprise applications."
Network World Tech Update, 07/01/02.