Invest in federated identity management now

Now truly is the time for organizations to invest in federated identity management. Not surprising to hear that from me, but it's actually a paraphrase of a statement by Tom Smedinghoff, partner at Chicago law firm Wildman Harrold, in an interview with Government Information Security News.

Now Mr. Smedinghoff uses a somewhat broader definition of federated identity than, say, the Kantara Initiative. He offers this analogy:

"The best example I like to use is the process that you go through when you board an airplane at the airport and you go through security. The TSA could go through a process of identifying all passengers, issuing them some sort of a credential or an identification document and then maintaining a database, so as passengers go through they would check them against that database and so forth.

But what they do instead is really a whole lot more efficient and a whole lot more economical, and that is to rely on an identification process done by somebody else -- in this case it is a government entity typically that issues driver's licenses at a state level or passports at the federal level. But by relying on this sort of identification of a third party, it is much more economical, much more efficient and works better for everybody involved and of course the passengers don't need to carry an extra identification document."

But the important part of the interview is his explanation of the four legal challenges federation partners face:

1. privacy and security – "there is a fair amount of concern about what level of security are we providing for that information, and what are the various entities doing with it?"

2. liability – "what is their [the identity provider's] liability if they are wrong?"

3. rules and enforcement – "We need everybody who is participating to know what everybody else is responsible for doing, and need some assurance that they really are going to do it correctly."

4. existing laws – "And as you do this across borders, of course, it complicates it even more."

The technology may be straightforward, if not easy. The corporate politics can be Byzantine. Getting users to enthusiastically embrace the new technology can be maddeningly slow. But there is this other challenge, one many of us tend to gloss over, but which may be the biggest stumbling block on the road to federation – the law. Mr. Smedinghoff's interview makes interesting reading. I tip my hat to my former Network World colleague, John Fontana, for making me aware of it.


Copyright © 2010 IDG Communications, Inc.