
Digital ID: How are you managing?

Dan Farber: Increasingly, enterprises are green-lighting identity management projects to simplify access management and authentication, improve regulatory compliance, and increase security -- with a hope of gaining operational efficiencies and cost savings.
Written by Dan Farber
COMMENTARY -- At Digital ID World, Burton Group CEO Jamie Lewis delivered a keynote address on the current state and future trends for enterprise identity management (IDM). Increasingly, enterprises are green-lighting identity management projects to simplify access management and authentication; improve regulatory compliance; and increase security -- with a hope of gaining operational efficiencies and cost savings.

For example, RSA Security is providing thousands of Nationwide Insurance's independent agents with federated access to a company portal as well as to third-party financial services. Federated identity allows participating companies to share each other's authentication and authorization services. With a single log-on, the agents can traverse Nationwide's portal as well as the sites of the external service providers. Cisco and Boeing are using Oblix's identity management solution to simplify secure access to applications as well as to establish consistent policies for governing compliance and maintaining security. VeriSign and RSA are also working with AOL to provide stronger authentication for the consumer site's millions of customers.

Lewis defines identity management as comprising "electronic records that represent network principals, including people, machines, devices, applications, and services. Identity management comprises the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities within a legal and policy context."

More enterprises are realizing that IDM is core infrastructure, crosscutting with security, regulatory compliance, policy-based automation and business processes. However, building IDM into enterprise infrastructure is not a turnkey operation, according to Lewis. "Organizations are building IDM solutions, but few have completed rollouts," Lewis said. "Product promises don't always meet reality -- the biggest surprise is the degree of customization needed for workflow, rules and roles."

Part of the problem is that IDM, like security, is an afterthought in how applications are built. "IDM has to move from being a product to a platform, where the tooling to build applications exists," Lewis said. "The platform could include strong authentication, directory services, federation, rights management, and authorization. However, user and credential management and solutions that require agent-based integration have to be cross platform."

Controversy over standards from the Liberty Alliance and the WS-* camps has slowed the growth of federated IDM, but over the next few years those politically oriented issues will evaporate. "The Liberty Alliance is focused on a narrower problem than WS-* and is shipping today," Lewis said. "But Microsoft and IBM [the leaders in developing WS-* protocols] don't get enough credit for what they are trying to do with the WS-* framework. They have proposed a federated model independent of the token and transport, which intuitively makes sense. Security and IDM are a subset in an overall Web services architecture. The results so far are not bad, and more open than what Microsoft and IBM have done previously."

Longer term, Lewis expects that the standards for IDM will seep into the platform, and there will be some degree of interoperability and peaceful coexistence between the two camps. The Microsoft/Sun détente, IBM joining the Liberty Alliance and increasing cross-referencing of the protocols are signs that the two camps will make it easier for customers and vendors to deliver solutions with multiple protocols or standards.

"It will take three to five years before critical mass [on interoperability] is reached," Lewis said. "At that point, the focus will shift to making things work together in standardized ways, which leads to SOA (service-oriented architecture). And, the only way to get to deal more holistically with applications [and IDM] that span platforms is SOA."

The combination of Web services/SOA and IDM will significantly alter and simplify the management and provisioning of identity services, but it won't reach maturity until the end of the decade, Lewis said. Nor is it a panacea for IDM and security. "SOA is suitable for most low-risk applications today, and some medium-risk as long as fail-safe mechanisms are in place, but it's not [for] high-risk applications," Lewis said. "It can streamline security, but it can also create interdependencies and raise surety, accreditation and security issues."

The combination of Web services/SOA and the federated identity aspect of IDM will transform how authentication is deployed. Currently, federation is mostly Web-based SSO and uses SAML (Security Assertion Markup Language) for assertions, but the transition to rich clients and WS-* standards will enable parties, regardless of size or granularity, to interoperate and exchange identity information in loosely coupled fashion, Lewis said.

While the technical issues around federated identity are manageable, the issues related to the business agreements and trust management in cross-boundary federations (with external partners) are difficult problems to solve. "Federation doesn't remove risk management -- it just moves it [to establish] reliance on assertions," according to Lewis. Partner assessment, compliance and privacy have to be addressed in creating a federation, as well as tasks such as record keeping, auditing, and forensics for dispute resolution. Companies already have legal contracts that govern relationships with external partners and suppliers, which can be extended to cover federated identity relationships. But, Lewis cautions, management of encryption keys, shared policies, technical assurance, and audit and accreditation could hinder the broad deployment of federations.
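The reliance Lewis describes becomes concrete at the relying party: once a partner's SAML assertion arrives (the Web SSO case from the previous paragraph), the consuming site has to decide whether to act on it. The following Python is an added example, not code from the article or from any vendor named in it. It shows the checks a SAML consumer applies after an XML-DSig library has verified the assertion's signature (signature verification itself is assumed to have happened and is not shown): trusted issuer, validity window with clock skew, audience, recipient, and replay of the assertion ID. The partner URLs, the audience URI and the sample assertion are constructed for the example.

```python
"""Relying-party checks on a federated SAML 2.0 assertion (added example).

Assumes the assertion's XML signature has already been verified by an
XML-DSig library; only the reliance checks that follow are shown here.
Production code should parse untrusted XML with defusedxml rather than
the bare standard library.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"

# Constructed federation agreement: which partner issuers this site trusts,
# the audience URI they must name, and where they must deliver the assertion.
TRUSTED_ISSUERS = {"https://idp.partner.example/saml"}
OUR_AUDIENCE = "https://portal.example/sp"
OUR_RECIPIENT = "https://portal.example/sp/acs"
CLOCK_SKEW = timedelta(minutes=2)

# Constructed sample assertion (the ds:Signature element is omitted; see docstring).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" IssueInstant="2024-05-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.partner.example/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>agent42@partner.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://portal.example/sp/acs"
          NotOnOrAfter="2024-05-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://portal.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Raised with a reason string when an assertion must not be relied on."""


def at(iso_utc):
    """Parse a SAML-style UTC timestamp such as 2024-05-01T12:01:00Z."""
    return datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, seen_ids, trusted_issuers=TRUSTED_ISSUERS,
                       audience=OUR_AUDIENCE, recipient=OUR_RECIPIENT):
    """Return the asserted NameID if every reliance check passes, else raise."""
    root = ET.fromstring(xml_text)
    if root.tag != ASSERTION_TAG:
        raise AssertionRejected("not a SAML 2.0 Assertion element")

    # 1. Only partners named in the federation agreement may vouch for users.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        raise AssertionRejected(f"untrusted issuer {issuer}")

    # 2. Validity window, tolerating a small clock skew between the parties.
    conditions = root.find("saml:Conditions", NS)
    if conditions is None or conditions.get("NotOnOrAfter") is None:
        raise AssertionRejected("missing Conditions/NotOnOrAfter")
    not_before = conditions.get("NotBefore")
    if not_before is not None and now + CLOCK_SKEW < at(not_before):
        raise AssertionRejected("assertion not yet valid")
    if now - CLOCK_SKEW >= at(conditions.get("NotOnOrAfter")):
        raise AssertionRejected("assertion outside validity window")

    # 3. The assertion must have been issued for this site, not another partner.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise AssertionRejected(f"audience {audiences} does not include {audience}")

    # 4. Bearer confirmation must name our consumer endpoint and still be fresh.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient:
        raise AssertionRejected("recipient mismatch")
    if scd.get("NotOnOrAfter") is None or now - CLOCK_SKEW >= at(scd.get("NotOnOrAfter")):
        raise AssertionRejected("subject confirmation expired")

    # 5. Each assertion ID may be consumed once within its validity window.
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        raise AssertionRejected(f"replayed assertion ID {assertion_id}")
    seen_ids.add(assertion_id)

    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def decide(xml_text, now, seen_ids, **kwargs):
    """String outcome for logging: 'accept:<NameID>' or 'reject:<reason>'."""
    try:
        return "accept:" + validate_assertion(xml_text, now, seen_ids, **kwargs)
    except AssertionRejected as exc:
        return "reject:" + str(exc)


if __name__ == "__main__":
    seen = set()
    print(decide(SAMPLE_ASSERTION, at("2024-05-01T12:01:00Z"), seen))  # first use
    print(decide(SAMPLE_ASSERTION, at("2024-05-01T12:01:00Z"), seen))  # replay
    print(decide(SAMPLE_ASSERTION, at("2024-05-01T12:10:00Z"), set()))  # expired
```

The `seen_ids` set stands in for the persistent replay cache a real consumer keeps for at least the assertion's lifetime; the reject reasons are what an auditor or incident responder would want logged, which is the record-keeping and forensics burden Lewis mentions.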

For the broader consumer world, federation of identity and strong authentication schemes is a kind of ideal state. Most users have more than a dozen passwords and multiple user names. Overcoming the chaos of managing multiple identities won't happen unless companies like Microsoft (MSN), Amazon, eBay, Yahoo, Google and AOL federate with each other. Art Coviello, CEO of RSA Security, said that his company is piloting a federated identity solution with eBay.

At the same time, the issues of privacy, trust, and who controls one's personal data have to be addressed. Microsoft's Passport proved that users don't want a single entity as the control point for user identity information. Microsoft is working on the Longhorn identity system for client systems, dubbed InfoCards, that allows Windows users to control their own information. It's not expected to be available until 2006. In addition, Microsoft products for federated identity management -- including Windows Server 2003 R2, Active Directory Federation Services, and .Net development tools -- won't be available for a year or two, according to John Shewchuk, architect for the Distributed Systems Group at Microsoft.

A small Vancouver, Canada startup, Sxip Networks, gives individuals the ability to create and manage their online personas. Based on the idea that Web users can associate specific personal data properties within multiple "personas," Sxip can facilitate single sign-on and attribute exchange, placing individual users in control of their data. Sxip uses the concept of a "Homesite," a site (or sites) that is trusted by the user and provides authentication and storage of personal information that is doled out to sites based on user preferences. The Sxip Network itself is based on open source code.

Similarly, Identity Commons is creating a technology-neutral trust federation that allows individuals to control their personal information. Identity Commons is using two OASIS specifications, XRIs (eXtensible Resource Identifiers) and XDI (XRI Data Interchange), to develop its trusted network. For example, organizations could assign "i-names" to employees and customers, and provide single sign-on as well as data sharing in a secure and private framework. Identity Commons is member-owned and peer-governed.

A recent survey by Unisys of C-level executives and IT managers at large U.S. enterprises confirmed the growing importance of IDM. Among the respondents, 77 percent view IDM as the primary means of protecting against network intrusions resulting from identity theft and as key to compliance efforts in safeguarding sensitive information. Less than 20 percent of companies had any federated identity systems in place.

The 2004 Identity Management Survey, commissioned by EDS and the International Association of Privacy Professionals (IAPP), found that 70 percent of consumers will share information such as their name, address, postal code, phone number or account number, or will give the answer to a security question, in an unsolicited call or e-mail. The same survey found that 57 percent of consumers do not want their accounts locked down after three failed attempts to provide identification verification information.

Just as the Internet has TCP/IP as a backbone, IDM needs to be established as the backbone for the intersection of people (in their business and personal lives) with the network. The technology for building IDM into the fabric of networks is maturing. Now, it's time to tackle the social and political issues that get in the way of creating a global networked society.

You can write to me at dan.farber@cnet.com. If you're looking for my commentaries on other IT topics, check out my blog Between the Lines.