
Users rising to ID management challenge

By John Fontana, Network World
July 26, 2004 12:15 AM ET

SAN DIEGO - Integration of corporate identity systems with those of trading partners and other outside organizations is inevitable and should be factored into the security architectures being built today, even though many complex issues remain unresolved.

That was the conclusion users and analysts reached last week at the annual Burton Group Catalyst conference. Attendees said the technology that lets users take company-issued electronic identities and use them to access resources on partners' networks - known as federated identity - is being fueled by demand for tighter security and by the need to comply with a growing list of federal regulations governing privacy and access control.

But the discussion was tempered by the reality that users will have to build complex technical and contractual support structures around federation, covering policy, trust agreements, risk management and auditing.

"The fact that we are wrestling with these problems is a good sign," said Jamie Lewis, president of Burton Group. "Before, with [public-key infrastructure], we just wrestled with these issues in theory. Now we are doing it as part of deployments."

Among the high-profile deployments are Boeing's identity deployment with partner Southwest Airlines, Fidelity's work to federate identities with partners for 401(k) services, and The Ohio State University's federated identity management project based on the open-source Shibboleth identity system.

Lewis said federated identity will take hold where PKI failed because "PKI tried to create a single global trust structure that everyone had to agree to. That approach does not work." He said standards such as Security Assertion Markup Language (SAML), which lets partners exchange authentication assertions over a common format instead of hard-wiring their identity systems to each other, will promote adoption of federated identity.
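The pairwise trust model Lewis contrasts with PKI shows up concretely on the relying-party side: a service provider accepts an assertion only from issuers it has explicitly configured as partners, and only if the assertion names that service as its audience, is inside its validity window and has not been seen before. The following is an added illustration written for this article, not code from Shibboleth, OpenSAML or any deployment named above. It uses the SAML 1.1 assertion shape of the period, a constructed sample assertion with made-up entity IDs, and a hypothetical partner registry (PARTNERS); it assumes the XML-Signature on the assertion has already been verified by an XML-DSig library before these checks run.

```python
"""Service-provider-side checks on a SAML 1.1 assertion after signature verification.

Added example for this article; not Shibboleth/OpenSAML code. Assumes the
XML-DSig signature has already been verified by a dedicated library, and shows
the federation checks that follow: known issuer (pairwise trust, not a global
PKI), audience restriction, validity window with clock skew, and replay.
"""
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.x assertion namespace
NS = {"saml": SAML_NS}

# Hypothetical partner registry (an assumption of this example). In practice this
# is what federation metadata and the partner contracts encode: which issuers we
# trust, which of our entity IDs they may address, and how much clock skew we allow.
PARTNERS = {
    "https://idp.example-partner.test/shibboleth": {
        "audiences": {"https://sp.example-university.test/shibboleth"},
        "clock_skew": dt.timedelta(minutes=3),
    },
}

# Constructed sample assertion in SAML 1.1 shape; the organizations are fictional.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1"
    AssertionID="_c0ffee0123456789abcdef"
    Issuer="https://idp.example-partner.test/shibboleth"
    IssueInstant="2004-07-26T12:15:00Z">
  <saml:Conditions NotBefore="2004-07-26T12:15:00Z" NotOnOrAfter="2004-07-26T12:20:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example-university.test/shibboleth</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2004-07-26T12:14:58Z">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier">alice</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Raised when an assertion fails any federation check."""


def parse_instant(value):
    """Parse a SAML UTC timestamp (trailing 'Z') into an aware datetime."""
    if value is None:
        raise AssertionRejected("missing timestamp in Conditions")
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_assertion(xml_text, my_entity_id, now, seen_ids):
    """Return the asserted subject name if the assertion is acceptable, else raise.

    seen_ids is a mutable set of AssertionIDs accepted so far, used for replay
    detection; entries only need to be kept for the length of the validity window.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise AssertionRejected("not a SAML 1.x Assertion")

    # Pairwise trust: the issuer must be a partner we have configured.
    issuer = root.get("Issuer")
    partner = PARTNERS.get(issuer)
    if partner is None:
        raise AssertionRejected(f"unknown issuer {issuer!r}")

    conds = root.find("saml:Conditions", NS)
    if conds is None:
        raise AssertionRejected("missing Conditions")

    # Validity window, widened by the per-partner clock skew on both ends.
    skew = partner["clock_skew"]
    not_before = parse_instant(conds.get("NotBefore"))
    not_on_or_after = parse_instant(conds.get("NotOnOrAfter"))
    if now < not_before - skew or now >= not_on_or_after + skew:
        raise AssertionRejected("assertion outside its validity window")

    # Audience restriction: the assertion must be addressed to this service, and
    # this service must be one the partner is allowed to address.
    audiences = {a.text for a in conds.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)}
    if my_entity_id not in audiences or my_entity_id not in partner["audiences"]:
        raise AssertionRejected("assertion not addressed to this service")

    # Replay protection: each AssertionID is accepted once.
    assertion_id = root.get("AssertionID")
    if not assertion_id or assertion_id in seen_ids:
        raise AssertionRejected("missing or replayed AssertionID")
    seen_ids.add(assertion_id)

    name_id = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name_id is None or not name_id.text:
        raise AssertionRejected("no authenticated subject")
    return name_id.text


if __name__ == "__main__":
    seen = set()
    now = parse_instant("2004-07-26T12:16:00Z")
    print(validate_assertion(SAMPLE_ASSERTION, "https://sp.example-university.test/shibboleth", now, seen))
```

The order of checks matters in one respect: the AssertionID is recorded only after the issuer, window and audience checks pass, so an attacker cannot poison the replay cache with assertions the service would never have accepted.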

"The biggest lesson is that this is all business driven," said Scott Cantor, security architect at Ohio State in Columbus and the author of OpenSAML. The university will put its software into production this year, according to Cantor, who has worked on the project since 2000 to build a centralized authentication system that departments such as the library can use to share identity services.

Cantor and others know that solutions to these issues are tough to come by.

"The trick is to get real federation across providers and customers and to make it easy to implement on both ends," said a systems manager with a large insurance company who asked not to be named. "It takes time. We are taking baby steps now."
