• United States

ID mgmt. poised for next stage

Jul 07, 20036 mins
Access ControlEnterprise ApplicationsHIPAA

Existing identity management practices and standards in combination with Web services security protocols will provide needed protection to support distributed computing between corporations and their partners.

Existing identity management practices and standards in combination with Web services security protocols will provide needed protection to support distributed computing between corporations and their partners.

That concept, and the ultimate benefits for corporate users, will be main themes at the annual Burton Group Catalyst Conference, which officials say could host 1,200 attendees this week in San Francisco.

The conference also is expected to showcase vendor announcements of a number of identity management products, and the Organization for the Advancement of Structured Information Standards (OASIS) will hold an interoperability test focused on Service Provisioning Markup Language (SPML) and announce ratification of the specification.

The Catalyst conference, now on its 10th edition, has been at the forefront in espousing the benefits of directories and most recently the concept of a virtual enterprise network, in which network boundaries between companies are blurred.

This year the focus is on identity management as a key to securing and managing the virtual enterprise network. Identity management is defined as a set of business processes and an infrastructure for the creation, maintenance and use of digital identifies under strict policies and legal constraints.

A milestone in the evolution of the virtual enterprise network concept is coming up on corporate IT executives who believe that digital identities and identity-based security and policies are fundamental for the next era of distributed computing based on Web services.

“It’s fair to say we have exploited the existing generation of Web-enabled identity infrastructure about as well as is possible,” says Jamie Lewis, president of Burton Group. That infrastructure consists of directories, Web access management products for single sign-on, provisioning, and delegated and self-service administration.

“Low- to medium-value applications are fairly pervasive. You can log into Web sites, you can get self-service interfaces, but if we really want to take it to the next level with higher-value transactions, more automation of processes is needed,” Lewis says.

Those automated processes will rely more on federated identity, a concept that lets identity credentials be shared across corporate boundaries.

The important evolution, however, is to go beyond identities just for end users and use identity for applications and services so applications can talk securely to other applications, so Web services can talk to Web services and Web services can talk to applications.

“We can’t do that without stronger security, and one of the first predicates for stronger security is well-formed and well-understood forms of identity,” Lewis says.

Those identities will be tied to users, applications or computers. “Identities can be linked with policies that govern activity and draw boundaries around acceptable and allowable use,” he says.


The need for this broader scope of identity management is being driven by corporate executives who see the value in digital identity as they tune IT systems to comply with recent legislation such as the Sarbanes-Oxley Act, the Graham-Leach-Bliley Act and the Health Insurance and Portability and Accountability Act.

“We are getting into identity management to manage objects and environments; it goes beyond people and extends to machines, applications and the network,” says Fred Wettling, chairman of the board for the Network Applications Consortium (NAC) and infrastructure architect for Bechtel.

NAC is an end-user organization focused on IT infrastructure and the interoperability and manageability of business applications linked across disparate platforms.

Wettling says identity has its benefits for user access but also allows for operations such as uniquely identifying computers and their components to check for license compliance. He cites other benefits such as securely tying together applications and reusable components to support quality-of-service policies, and provisioning such as establishing the endpoints on a VPN.

The fringes of identity convergence can be seen today between identity management standards and Web services protocols of the future. But they also point to possible fragmentation.

The Liberty Alliance, which is developing a federated user-identity framework, now has as its foundation the Security Assertion Markup Language (SAML), an XML-based protocol for exchanging security information.

The next step in the process, Lewis says, is to converge current efforts with the Web services security protocol WS-Security. The Liberty/SAML combination already has embraced WS-Security, which is being developed at OASIS.

SPML will become another important ingredient in an identity management framework.

Another direction

But the creators of WS-Security, IBM and Microsoft, are taking the base WS-Security specification and building their own federated identity management framework with derivative protocols, such as WS-Policy, WS-Federation and WS-Trust, that overlap the scope of the Liberty Alliance effort. The two also have not supported SPML.

“We’ll ask Liberty, IBM and Microsoft how they see their parallel development efforts converging, if and when the Liberty Alliance, SAML and WS-Security come together into a framework,” Lewis says.

It’s the same question on the minds of users.

“It’s important for all this to come together, and the NAC wants the standards bodies to work together to resolve their differences,” Wettling says.

Wettling and others agree that there is a lot of work to do before an identity management framework that extends across corporate boundaries is reality.

“Customers still have a lot to do to get their act together before any of this is valid,” says Gary Loveland, a principal in the security and privacy practice at PricewaterhouseCoopers.

Loveland says corporations can use their portals to transition into Web services, but there are still areas outside the portal that have to be brought into the identity-based security model. “There is not a fix overnight, but there is an evolution,” he says.

And that evolution includes a heavy dose of Web services.

The topic will dominate an entire day at Catalyst, with Anne Thomas Manes, the head of Burton Group’s new Application Platform Strategies group, outlining how Web services will weave into IT including development tools, platforms, applications and overall infrastructure.

“The infrastructure is the most interesting,” Manes says. “Today, you can build simple Web services to connect systems, but eventually you need scalability, reliability and security.”

She says SPML and specifications under development for reliable messaging, management and business process workflow are critical.

“These are big impediments to taking Web services to the next level, as are solving vendor squabbles,” Manes says. “We’ll break those down and take a look at the road map and the potholes.”