American Express vice president Barrett fights for Liberty Alliance

Michael Barrett, vice president of Internet systems for American Express and president of the Liberty Alliance Project, tells Network World where the alliance is headed and why the effort is so important to American Express.

Michael Barrett, vice president of Internet systems for American Express, recently took over as president of the Liberty Alliance Project, a consortium developing a ‘federated identity’ system aimed at simplifying and securing Internet transactions by creating open, federated specifications for network identity. Barrett recently spoke with Network World Senior Editor John Fontana about where the alliance is headed and why the effort is so important to American Express.

Now that you’ve taken the reins at the Liberty Alliance, what are your goals?

The nature of my job is to help direct strategy with particular regard for the Internet and the technology that we deploy at American Express, so I tend to [think long-term]. In terms of the alliance, everything we have done so far has been very tactical. What I am doing is saying, ‘OK, that was the right set of priorities, but we can do a better job of articulating what we think the alliance is going to look like over a longer time frame and what overall classes of solutions are needed.’ I am asking the alliance at large a whole lot of questions.

Like what?

They are really around what the organization looks like when it grows up. The organization in under a year went from being kind of a twinkle in a few companies’ eyes to an organization with 130 companies, and it is still growing.

What do the Liberty Alliance’s efforts mean to corporate customers like American Express?

We had been doing a number of Web services pilots, and whenever we did one, we found that doing the Web services itself was rather straightforward, but the security integration every single time was horrible. Liberty will enable us to build and deploy Web services without having to get into these monstrous point-to-point security integration issues.

What are the highlights in Version 2 of the alliance specification slated to ship early next year?

The identity business is going to evolve much in the same way as automated teller machine networks did, where first of all you had an individual bank and it had its own ATM machines. Customers could use that and then you had these islands or networks that formed and you could interoperate within that network. At the next stage the networks were cross-wired together so you could go to any ATM and get your money out. We believe the same evolutionary path will occur in the identity management space, so Version 1 could be likened to a single network or island of trust. What Version 2 is doing is basically providing the plumbing that wires those islands of trust together. Version 2 also provides a robust mechanism for data to be moved around between partners, but also – and this is the tricky piece – it provides a robust permissioning framework to allow consumers to manage that.

It sounds like there are going to be issues that go well beyond the technology.

The alliance and American Express were explicitly making the assumption that the sorts of islands of trust that we were talking about required that the various partners in those islands of trust had contractual limitations on them that managed things like liability. The first deployments are going to be in the arenas where it is easiest to manage that.

There have been a number of less than successful efforts to federate trust systems, most notably public-key infrastructure [PKI]. What prevents the Liberty Alliance from meeting a similar fate?

One of the things that is pretty unique about Liberty is that it consists of a large and impressive list of vendors and user companies. The user companies touch more than a billion people. That means the alliance has both the technology savvy to build solutions and has companies that can help define in glorious and painful detail what the real problem is and help define it so that the technologist can go off and build solutions. That is pretty unusual. When I think about [public-key infrastructure], it is a technology that was designed by technologists. It is very complex to deploy, and it was never clear what the business problems were that it was solving.

Do you have to find a common ground for the Liberty Alliance and Microsoft’s Passport strategy for federated identity management to become a reality?

We have very good working relationships with Microsoft and IBM. They are jointly developing the WS-Security spec and the road map specifications. We have pretty substantial dialogues with them around how we can ensure that these things interoperate and what the longer-term path to convergence is. The [notion] that there must be some kind of a fight with Microsoft will turn out to be an incorrect viewpoint.

Most major Web services specifications are being worked on within standards bodies. Why not this?

If you look at standards organizations like [the Organization for the Advancement of Structured Information Standards] or [the World Wide Web Consortium], on what dimension do they differ from the Liberty Alliance? For all intents and purposes, the Liberty Alliance is a de facto standards organization.

What does the American Express identity management system look like?

It varies depending on which environment one is talking about. Like most companies, American Express has a range of technologies: Netegrity and Oblix, a homegrown system that, heaven help me, I helped design 10 years ago, and [Resource Access Control Facility (RACF)]. Name your favorite security engine and we probably have it. So we have, like many companies, a great deal of difficulty trying to integrate all of those environments.

When you talk about identity outside the enterprise, how do you have to change your current authentication and authorization mechanisms to support the Liberty Alliance spec?

You have to make sure that the liability flow through the network is very well understood and very well managed at a contractual level. You need to know what the partnerships are within a particular island of trust, know who carries [the liability] under what circumstances, and essentially how that liability gets distributed among partners. That is where we will be very cautious in moving forward.

How many people internally are dedicated to identity management at American Express?

Something like six to 10, but not all of them are full-time. The efforts are across the gamut from planning where to deploy this stuff to the public policy side.

Does identity management change the nature of the Internet as a business tool?

It is going to be a big change, but it is going to be a while before people look back and say, ‘Golly that was pretty significant.’ But at a practical level, all this nonsense of [how] you have to register and provide a user name and password [at every different Web site], all of that kind of incredibly tedious nonsense will just start fading away.

When do you see identity management taking off in the enterprise?

The day of magically arriving at a Web site and shoving in some username and password that is your sole global, unique username and password will arrive but it will be a number of years. Over the next few years we have to deal with some messy problems – what it takes to deploy technology, what it takes to bash out contracts between partners – but that is what we all get paid for.

Getting personal