Authentication Failure?

This is federated identity at work. The problem is, the example isn't one from the business sector that's being so hopefully targeted by security companies and alliances. It's just a person doing his banking. The secured documents are cash from his account, the additional information he needed was his balance, his security clearance is his PIN and the terminals are ATMs.

A purely federated system would enable authorized employees of partnering companies to be able to access, share and transfer whatever information they need by logging in to the companies' shared networks from whatever terminal is most convenient. This ability, the theory goes, would make intranets and extranets run more efficiently and improve companies' services and business processes, and not just incrementally.

"The near-term benefits to federated identity are in sight, but we're only beginning to tap its potential," says Daniel Blum, senior vice president and research director for the Burton Group consultancy.

Microsoft's Passport system was one of the earliest examples of federated identity, allowing users to consolidate their information and have it automatically called up whenever they visited a Passport-affiliated site.

Of course, last fall Microsoft cut a deal with the Federal Trade Commission that exposes the company to 20 years of third-party audits of the Passport system, a situation that arose after Microsoft was accused of misrepresenting the levels of privacy and security available to Passport users. This trust issue is why federated identity faces such an uphill climb to widespread deployment, whether the context is business-to-business or business-to-consumer.

"At the business level, people are very concerned about who is getting authorized to see their data," says Ed Giorgio, a principal at Booz Allen Hamilton and a former cryptographer at the National Security Agency. "A federated scheme requires all kinds of business, legal and technical agreements between organizations because the potential losses due to a breach are huge."

Benefit Or Boondoggle?
Doug Kaye, CEO of RDS Strategies, Kentfield, Calif., is another skeptic. "The key to developing federated identity is to understand the perspectives of the merchant and the consumer," Kaye says. "There's nothing technically wrong with this, but it's driven by the merchants. It doesn't really benefit the consumers; it's all about greasing the skids for commerce."

Kaye issued a white paper in May on federated identity that provided an example of the technology at work. By clicking a button embedded in the report, the user was taken automatically to Amazon.com, where a copy of Kaye's book, Strategies for Web Hosting and Managed Services, had been placed in the user's shopping cart. Efficient? Sure, if it were the user's intention to buy the book. If not, the benefit is lost, and the power the technology has to know your identity without you realizing it can be a little chilling.

The business-to-consumer questions surrounding federated identity are whether the technology will truly benefit consumers, or if it's just another way for big companies to partner up and further dominate the landscape, thwarting competition. But what about the business-to-business sector? Microsoft, IBM and VeriSign released the Web Services Security (WS-Security) specification for federated identity in April 2002, a SOAP-based standard for XML Web services. Countering this is the Liberty Alliance Project, a consortium of some 160 companies led by HP, Novell, Sun and others. In April, the group released its latest specifications, which included support for WS-Security and SOAP, as well as for a few others. Liberty Alliance president Michael Barrett says the organization will release an updated specification by the end of this year. "Because the alliance is an open consortium and the companies represent real end users, we've put together a scenario that deals with a generic set of problems that are broadly applicable," he says.

Barrett describes a "circle of trust" that must be established among partnering companies that want to institute a federated system, guidelines that will be particular to the needs of the organizations and their sectors. "In Phase One, we had the core notion of the circle of trust, but we couldn't cross-link networks; now we can do that," Barrett says. But the simultaneous need for open standards--because of the disparity of networked systems, even between like-minded partners--and the specific security and application requirements of a given sector have so far meant that federated identity is most effectively applied in a vertical industry rather than a horizontal one.

"Federated-identity management is bigger than we expected it to be, but we didn't think it would mean using the system to normalize security domains throughout enterprises; we're using the Liberty protocol to shim systems together," says Eric Norlin, vice president of strategic marketing for PingID, a Denver-based federated-identity software and services provider. Norlin says he doesn't expect the technology to take off until mid-2004, but that its adoption is inevitable. "If Web services is the noun, federation is the verb," he says. "We think we'll see a consolidation of standards, but the enterprises are driving the standards, not the vendors."

So where might VARs find an opportunity in an area that has momentum but also will come up against considerable resistance and controversy? RDS' Kaye says that single-sign-on applications and services would be a good starting point. "That's the sweet spot for VARs right now. They can sell that today, mostly in heterogeneous environments," he says. "The next step will be intranets, because a lot of VARs already are building those for customers." But he adds that the focus by retailers, credit-card companies and their partners on establishing federated systems for consumers might keep business-to-business projects in the background for now. "It's not such a big deal with B2B; at the end of the day, Liberty won't amount to much," Kaye says.

That's because no one has yet been able to definitively outline how the benefits of a federated system will outweigh the risks. Any company participating in a federated arrangement will broaden its field of authorized users and, thus, its exposure to crossover attacks and other breaches. Given the costs a federated-system breakdown may create, a relatively slow development pace may be best for everyone.
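Barrett's "circle of trust" and the exposure concern above come down to two checks a service provider must keep under its own control: accept an authentication assertion only from an identity provider that is a member of the circle, and still apply local authorization before broadening access to partner users. The following is an added illustration, not code from the Liberty Alliance or any vendor named in the article; the provider names, shared keys, the simple signed-JSON token format and the access list are all constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed circle of trust: each member identity provider shares a key with
# this service provider (hypothetical names and keys, not real deployments).
CIRCLE_OF_TRUST = {
    "idp.partner-a.example": b"partner-a-shared-key",
    "idp.partner-b.example": b"partner-b-shared-key",
}
# Local authorization stays with the service provider: federation says who the
# user is and which partner vouches for them; the SP decides what they may touch.
LOCAL_ACL = {
    "orders": {"idp.partner-a.example"},
    "invoices": {"idp.partner-a.example", "idp.partner-b.example"},
}

def issue_assertion(issuer, key, subject, audience, ttl=300, now=None):
    """Identity-provider side: sign a short-lived assertion bound to one audience."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def validate_assertion(token, audience, now=None):
    """Service-provider side: accept only circle members, for us, unexpired, untampered."""
    now = time.time() if now is None else now
    try:
        b64_body, b64_sig = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        sig = base64.urlsafe_b64decode(b64_sig)
        claims = json.loads(body)
    except ValueError:            # malformed token or padding; JSONDecodeError is a ValueError
        return None
    if not isinstance(claims, dict):
        return None
    key = CIRCLE_OF_TRUST.get(claims.get("iss"))
    if key is None:               # issuer is not in our circle of trust
        return None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
        return None               # forged or tampered assertion
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None               # replayed at the wrong partner, or expired
    return claims

def authorize(claims, resource):
    """Federation authenticates; the SP's own policy still decides access."""
    return claims is not None and claims["iss"] in LOCAL_ACL.get(resource, set())
```

Every rejection path returns None rather than raising, so a caller can log the failing check separately; in a real deployment the shared secrets would be replaced by per-partner signing certificates and the claims by the federation protocol's own assertion format.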