What RSA has to do with federated identity

Anyone like me with more than a few years in the networking trenches remembers when RSA was RSA Data Security, and was known as “…the world’s brand name for cryptography…” (see link below).

Until 1996, in fact, the company existed almost solely to exploit public-key cryptography. Even after RSA Data Security was acquired by Security Dynamics, which later changed the name to the current RSA Security, it was still best known for cryptography and PKI. So when I got a note from RSA publicist Amy Barney asking if I was interested in talking to the company, I was, as usual, somewhat quizzical.

Yes, I’d come across RSA at identity-related events, for example at last year’s Catalyst conference, but usually RSA was partnered with another company such as Thor Technologies and Oracle (see https://www.nwfusion.com/newsletters/dir/2003/0721ds2.html).

I assumed that RSA wanted to talk to me about providing the “security” component within a provisioning or federation scenario. But Amy wanted me to meet with Senior Product Manager Howard Ting, and his product wasn’t security. His product was Federated Identity Manager. Whoa! Had I slept through the movie?

If pushed, I might have admitted that RSA was “involved” in provisioning, but security was its strongpoint and strong authentication was its forte. Ting did enlighten me, however.

To his benefit, Ting did admit that few people thought “RSA” when they were considering identity federation projects, so I wasn’t alone. But he explained that RSA’s long experience with both strong authentication and rules-based authorization made the company a natural to develop a best-of-breed federation system. Provisioning is one-time, federation is run-time, is how he put it.

Federation requires quick exchange of data – secure data, while also requiring the strongest possible authentication. RSA’s Federated Identity Manager supports all known standards “out-of-the-box,” including the Liberty Alliance specification, Shibboleth and WS-Federation. It’s a powerful product (read about it at https://www.rsasecurity.com/node.asp?id=1191) but that’s not the end of the story, by a long shot.

Many of you probably have something in your pocket, or on your keychain, with RSA’s name on it – the credit card-sized RSA SecurID. The device with the constantly changing numbers on its LCD screen that you have to type in to your computer to gain access to some resource. It’s the best-known two-factor (username/password and one-time use number) authentication method available.

Now you can get RSA’s Federation product and tightly couple it to the SecureID card. That puts RSA well ahead of other federation providers, I believe, because strong two-factor authentication will be required of many participants when federation projects move outside the firewall. Ting spoke softly, but he carried a big message. I doubt I’ll be forgetting RSA’s role in identity management any time soon.