Setting the foundation for identity management

Jackson can’t afford to make mistakes – nor can anyone else. Security, privacy and federal compliance issues are among the critical initiatives Detroit-based GM and others will tackle on the back of identity-management tools such as strong authentication, single sign-on (SSO), provisioning, password management, federation, auditing and tracking. In November 2005, Ponemon Institute, a research firm focused on information and privacy management, found the financial impact of data breaches ranged from nearly $500,000 to as high as $52 million for 14 companies studied.

“Ten years ago, the prevailing assumption was that if you were on the GM network, then you were a GM employee,” says Jackson, who is on the board of the Liberty Alliance, a consortium developing protocols for sharing identities.

“Today, we have dealers and suppliers [on the network] that are not a part of GM. Add the fact that we are completely outsourced, and it becomes critical to track who you are and what rights you have so we can make sure that people only get to the information they are allowed to get to. Identity is the foundation for everything we do,” he adds.

So important is this that GM has a 12-person identity group within the security team. The group continues to consolidate internal directories while expanding its identity federation deployment and building out virtual directories and SSO capabilities.

Users and analysts agree that identity is seeping into corporate infrastructure.

“In five years, what we talk about today as identity and access management will just be another part of the infrastructure, and it won’t be sold separately. It will be part of your security foundation,” says Sally Hudson, a security research manager at IDC.

Prequel

Last year’s rush of consolidation punctuates this heady proposition. Vendors such as BMC Software, CA, HP, Microsoft and Oracle snapped up technology to fill blossoming identity suites (see chart “Identity management integration and challenges”). This year, those vendors along with IBM, Novell, RSA Security and Sun will begin a multiyear task of building identity platforms designed to help reduce IT costs and deployment chores.

Meanwhile, vendors such as ASG Software Solutions, Entrust, Evidian, PingID, Quest Software, Red Hat, Siemens and others will hone their identity tools.

The work is happening against a backdrop of an industrywide discussion to define the characteristics of identity, ignited by Seven Laws of Identity published last May by Microsoft identity architect Kim Cameron. This year, users say, they will try to figure out how to incorporate those laws, which focus on users having control over their identity data.

Burning developments include uptake in strong authentication, further consolidation of federation protocols, as well as developing auditing and tracking controls and user self-service to ease identity administration. “There is a fascinating shift underway that has us moving from the management of identity to management by identity,” says Sara Gates, vice president of identity management for Sun.

Getting started

Today, many users are in the early stages of projects targeted at specific needs with occasional glances at the future.

Hudson Advisors, a multibillion-dollar provider of commercial mortgage services and real estate asset management in Dallas, is on the second stage of a phased rollout of identity technology. The project started last year with RSA’s Sign On Manager to provide SSO to internal and Web-based sites.

This fall, Hudson plans to complete a deployment of strong authentication based on RSA SecurID that will secure administrator access to its network, financial systems and Microsoft Outlook Web Access. Projects in 2006 include phasing in access control, encryption and self-service password reset while exploring identity federation.

“We manage a lot of financial holdings over the Web; the Web provides the communication between our offices that transact billions of dollars in business. If we can do that in a way that is more secure, if we can mitigate risk, it becomes a key piece against our competitors,” says Mark Lynd, vice president and global CTO at Hudson. In addition, he is targeting cost savings. His SSO project saved $4 for every dollar spent on deployment, though he would not reveal total costs.

At Bechtel, a San Francisco-based multinational engineering and construction company with 40,000 employees, identity’s future is fused to an overall plan for policy-based security modeled on the Enterprise Security Architecture drafted in 2004 by the user-group Network Applications Consortium (NAC).”I would like a policy that says only financial people can get to financial data,” says Fred Wettling, technology strategy manager for Bechtel and NAC chairman. “The implication there is that I know who the financial people are.”

For years, Bechtel has been cleaning up its user/identity data and is extending its homegrown SSO capabilities to external partners.

In December 2005, the company won a contract to help run Los Alamos National Laboratory and plans to secure the relationship using identity as an underpinning.

Wettling also is looking long range with identity as the foundation for such business processes as issuing employee badges and managing digital rights.

Wettling and others maintain that while identity has its concrete concepts, its definition is unique to each adopter.

For Community Health Network, a $1.3 billion healthcare company in Indianapolis with about 10,000 employees, identity is defined by provisioning employee accounts and system access as part of the Health Insurance Portability and Accountability Act.

“We wanted to get a better grasp on access control and authorization and ensure people have access to the systems they need,” says Dave McClain, information systems security manager for the five-hospital network. Last year, 32,000 account requests were processed on a system anchored by Microsoft’s Identity Integration Server.

The savings are not hard dollars but the ability to reassign staff, McClain says. His goals in 2006 are to extend provisioning to clinical systems, and use identity to support third-party network access.

“Identity-management vendors have grandiose plans for their products, but for us the focus is on account provisioning,” he says.

Developing the tools

Indeed, vendors are frenzied. Last year’s flurry of acquisitions ended a three-year consolidation cycle and now comes the multiyear, multistage task of melding all the parts into a back-end identity infrastructure.

On the front end, Microsoft’s InfoCard, which will let users control their identity information, may be the most watched development. InfoCard, slated to ship with the Vista client operating system at year-end, could become a model for client-side access to identity. In addition, the Higgins Project, unveiled in February, also could foster user-centric identity tools, as well as easier ways to integrate identity systems across platforms.

“We think what we are doing with InfoCard will start to provide alternatives where users can move away from user names and passwords for Web services-based applications,” says Michael Stephenson, group product manager for Windows Server at Microsoft.

These infrastructure efforts will morph into networked identity services with identity eventually becoming inherent in platform technology beginning around 2015, according to research firm Burton Group.

“Enterprises will have to roll with the punches and take the suites and deploy them for what they need now,” says Mike Neuenschwander, vice president and research director for Burton.

“In the context of those projects, users will learn a lot. When they circle back around to update their architectures to support a wider range of applications they will want to do it in a services model, because their developers will want that,” he adds.

He advises users to build a services veneer today so interfaces do not have to change.

As an example, Nokia is integrating the Liberty Alliance’s Identity Web Services Framework specification into the protocol stack on its Series 60 phones, providing access to identity services.

“In the mobile space, it is hard to figure out a service that does not relate to the subscriber’s identity,” says Timo Skytta, director of Web services for Nokia.

Hot in 2006

Password alternatives are expected to spring up this year. Strong authentication, something a user knows (such as a PIN) and something they have (such as a smart card), has been gaining momentum especially after the Federal Financial Institutions Examination Council issued guidelines last October calling for Internet banking to adopt two-factor authentication by January 2007.

In November, the Liberty Alliance formed the Strong Authentication Expert Group to develop the Identity Strong Authentication Framework. The open framework will allow interoperability among tokens, smart cards and biometrics. “We could shoot ourselves in the foot if we don’t focus on interoperability and strong authentication,” says George Goodman, director of Intel’s Platform Capabilities Lab and president of the Liberty Alliance.

RSA, a pioneer of strong authentication, is working to make access to the technology easier and more flexible. “Increasingly what we are getting into is how can we make SecurID available as a software token running on a BlackBerry, as a toolbar browser or running on a memory stick,” says Toffer Winslow, vice president of product management and marketing for RSA. In February, RSA introduced some of those capabilities.

Progress on consolidating federation protocols also is on corporate wish lists.

Microsoft released in January Active Directory Federation Services, which is based on the WS-Federation protocol that the company promises eventually to turn over to a standards body. The move would come amid growing momentum behind the Security Assertion Markup Language 2.0, which is supported by Liberty and the Shibboleth project, an effort to create federation standards for Internet 2.

“We need to start seeing the integration of all this stuff,” says Justin Taylor, chief strategist for Novell’s identity management team. “We see too many companies trying to piecemeal things together. It is painful and expensive.”

Debate also is growing around bridging enterprise identity and identity needed on the Internet to help alleviate such problems as e-mail spam, identity fraud, data security and Web site password bloat. Technologies such InfoCard, Liberty’s People Service, Lightweight Identity, iNames, OpenID, Simple Extensible Identity Protocol and URL-based identifiers are candidates to bridge gaps.

Where identity is headed

Users, vendors and analysts see identity becoming the glue that binds security and privacy to everything on internal and external networks. The days of blocking at the firewall will give way to credentials presented by users or machines that are validated against a set of usage policies.

The prevailing wisdom is that the evolution of distributed computing hinges on identity.

“We are networking everything into one big distributed network that includes back end, front end, Internet, RFID, wireless sensors – it’s all networked,” says Eric Norlin, co-founder of the Digital ID World Conference now run by Network World’s parent company IDG.

“If everything is a distributed network there is no hierarchy. In a distributed network there is only one logical organizing paradigm and it is identity. It is the only way you can maintain any control or order over anything,” he says.

Previous: New Data Center home page > | Next story: Protecting data throughout its life cycle >