Towards Federated Identity Management
Mon, Dec 9, 2002; by Andre Durand.
Eric and I wrote this whitepaper back in 2002. It's always interesting to see if your writings stand the test of time. I believe two years later this document still captures the problems and challenges associated with scaling identity federation interactions. Most of the concerns addressed in this whitepaper have now been addressed through products and services offered by Ping Identity Corporation or through the PingID Network. If you like this whitepaper, I strongly suggest you also read the following: How the nature of identity will shape its deployment & Topology of Federation.
by Eric Norlin and Andre Durand - (C) Copyright 2002-2004, Ping Identity Corporation
The IT Dilemma
The 1990s witnessed enterprise adoption of an increasing number of information systems, each designed to streamline business processes through electronic automation. With the introduction of new systems for managing customers, supply chains, content and corporate knowledge, enterprises have been challenged with how to cost-effectively integrate and maintain an increasing number of information systems across a growing number of networks and platforms. Simultaneously, enterprises have also been challenged by the need to provide increased access to a larger and more dynamic group of end-users.
The challenge of managing these systems has resulted in a complex IT dilemma – namely, how to control costs and maintain security while increasing access to information.

The IT Dilemma: How to balance growing access to information with the need to maintain security.
As a consequence of globalization and to add to the growing list of corporate pressures, IT departments are now being forced to increase access to information for both employees (e.g. intranets) and partners and customers (e.g. extranets, supply chain management etc.). These and other pressures are driving corporations to re-evaluate their security and information architectures to accommodate the increasingly dynamic and transparent ways in which a growing number of parties wish to interact.
The Advent of Digital Identity
New distributed computing models such as those proposed by web services create a fresh set of challenges, which in turn have given rise to a requirement to establish stronger and more granular methods of electronic identification.
To meet these new challenges, emerging technologies such as ‘Digital Identity’ are now being recognized as a key ingredient in the re-architecting of systems to accommodate the secure adoption of more distributed and transparent computing models.
The broad adoption of XML Web services as a computing model means that solutions no longer reside just within the four walls of an organization—while this brings new capabilities, it also forces one to consider how to manage trust and identity, not just across internal applications that are tightly controlled by corporate IT, but also to manage identity information across applications and services that span organizations, platforms, security approaches, and programming models. Microsoft Website regarding Federated Security and Identity Roadmap
As corporate IT systems become more distributed and interdependent with partners and affiliates, new Digital Identity-based information architectures are helping to readily “identify” each component, thereby allowing IT departments to maintain security while allowing increased access to sensitive information. By answering the questions a) Who are you? b) What are you allowed to do? and c) Where are you allowed to go? in a cost-efficient way, IT departments are able to respond to the pressures of globalization by safely allowing their boundaries to become more transparent and permeable.
To help manage this transparent access to information, companies are integrating identity management solutions which help automate the procedures for user and role provisioning, password management and access control to information. To date, however, the bulk of these solutions have focused on the internal use and management of identity, and not on the inter-company and interdependent management of identity information between companies -- what is now referred to as ‘Federated Identity Management’.

While current identity management solutions provide distinct cost-saving benefits, they do not specifically address the issues which surround the emergence of identity federation, namely, how to safely and without incurring liability, exchange identity information between companies.
From Enterprise to Federated Identity Management
The true nature of the identity challenge is just now beginning to unfold, and stems not from how corporations manage identities within their control, but from how they manage identities that are at least partially beyond their control.

Federated Identity Management (FIM), or the management of identities across corporate boundaries, has recently emerged in response to the desire to simplify the way in which individuals (consumers) are able to move between companies. Applications such as shared sign-on (SSO) and the emergence of web services architectures are driving the need for companies to understand and manage inter-company dependencies. Unlike enterprise identity management (EIM), where technology serves to resolve a good portion of the corporate IT dilemma, FIM raises issues which are far more complex and extensive, and which require new approaches. To truly appreciate the FIM challenge, one must recognize that some identity information fundamentally exists beyond the corporate firewall, and is therefore at least partially beyond any one corporation’s individual control.
The adoption of new distributed computing models (e.g. federated identity and web services) is requiring enterprises to recast their view of themselves as a component of a larger interdependent construct. With the emergence of inter-company computing, the hard boundaries of today’s corporate firewalls are dissolving, or at least becoming semi-transparent -- allowing for more transparent movement of the individual between control boundaries.
Identity Federation
Federated Identity is just one of several new distributed computing constructs that recognizes the fact that individuals move between corporate boundaries at an increasingly frequent rate. Driving the requirement to understand the implications of identity federation is the rise in popularity of Shared Sign-On (SSO), an application which reduces redundant logons by allowing applications, systems and companies to share a user (identity) authentication. As a consequence of inter-company SSO, and the interdependency which is assumed in such interactions, companies are now forced to deal with new issues such as liability, risk and the costs associated with establishing trust and security in a quality-conscious manner. As one would expect, these new challenges give rise to new costs, including: (i) the cost of negotiating and establishing formal agreements with electronic trading partners (specifying the rules which will govern the exchange of identity information, including provisions for legal liability, dispute resolution and ensuring compliance with privacy requirements), (ii) the cost of implementing new technologies and (iii) the cost of maintaining security.
“Over the next few years we have to deal with some very messy problems – namely, what it takes to deploy federated technology along with what it takes to bash out contracts between partners...” Michael Barrett, Vice President of Internet Strategy at American Express & President of Liberty Alliance
Challenges of Wide-Scale Identity Federation
While it’s entirely possible to control the costs and complexity of identity federation on a limited scale, within small circles of trust, wide-scale federation introduces new costs, complexity and challenges which exist on an entirely new scale.
The real challenge of wide-scale FIM only becomes evident when attempting to scale beyond a few partnerships, as when engaging several dozen, hundreds or even thousands of companies, many of which may not be known or ‘trusted.’
The reality is, trust will only take you so far in terms of managing quality and maintaining security in a new world of inter-company computing dependencies. If we are to realize the full potential of the Internet as a medium for automated electronic interaction, we must holistically approach the challenges which stand in the way of engaging one another on the largest of scales -- everyone talking to everyone.
To efficiently enable wide-scale identity federation, without incurring incremental costs which are proportional to the number of relationships which are established, both technology and business standards must be established and new frameworks for creating these relationships explored.

Figure: Four major areas which must be addressed to enable wide-scale identity federation.
Furthermore, the business issues of mutual confidence, liability, risk and compliance must be consistently and cost effectively addressed if inter-company interaction surrounding identity is to become a reality.

In analyzing the complete spectrum of technical and business issues surrounding wide-scale federation, the following challenges must be addressed:
Interoperability Standards
Technical interoperability is the cornerstone of efficient wide-scale federation. Without interoperability, the full potential of identity federation will never be achieved. Addressing interoperability requires cross-industry cooperation to ensure that the resulting solutions address the wide range of systems with which they must integrate. The Liberty Alliance Project is one such consortium which understands the need for open standards surrounding interoperable identity.
The mission of the Liberty Alliance Project is to establish an open standard for federated network identity through open technical specifications. Liberty Alliance Project Website
Managing the Needs of All Constituents
Unlike the management of identity within an enterprise, where user data is deemed proprietary and an asset of the corporation, federated identity requires that the privacy requirements of the principal be satisfied and that the exchange of data does not violate government legislation such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLB).
Figure: Successful identity federation requires that the needs of three different constituents be met: 1) individual, 2) government and 3) business.
The challenge of federated identity lies in managing – and indeed aligning – the needs of all three constituents. Without a structure for doing so, constituents might soon find themselves at odds with government legislation, privacy concerns of consumers or the needs of business to better serve their customers.
Ever Expanding ‘Circles of Trust’ - Peering to the Nth Degree
As companies engage ever larger concentric circles of trust, moving from known and trusted trading partners to first-time interactions with a growing number of entities, a requirement to establish legal agreements becomes ever more evident. Practically speaking, while it’s possible to establish agreements with a few dozen entities through bilateral negotiation, it’s entirely cost-prohibitive and impractical to do so with hundreds or potentially thousands of companies.

To overcome this challenge, new models of peering must be explored -- models which do not introduce proportional costs, or an inconsistent handling of relationships.
Dispute Resolution
Just as the necessary business agreements must be established for the federation of identity, so too must the necessary measures for resolving disputes. Imagine a customer of an online brokerage firm who uses a shared identity to access their account to perform a critical trade but is unable to do so as a result of a problem stemming from the shared authentication. Who’s at fault? Who’s financially liable? What’s the individual’s recourse? And most importantly, what are the efficient and timely procedures for resolving the incident? Without a defined resolution process for the issues which will arise as a result of inter-company dependencies such as this, the legal ramifications alone would prohibit voluntary interaction.
Liability
In today’s electronic environment, liability is both compartmentalized and binary, each party specifically limiting or explicitly refusing to incur any liability which results from assertions or representations to third parties. With a movement towards web services and identity federation, inter-company dependencies become fundamentally more substantial, and the potential ramifications which may result from inaccurate assertions more damaging.
Initially at least, it is unlikely that any additional liability will be tolerated as companies begin to engage one another in federated identity interactions. While this may be satisfactory (because the risk is known) when dealing with known and trusted trading partners, it becomes less tolerable when engaging or relying upon an unknown company’s assertions. Long term at least, the future of web services and identity federation depends on the industry at large defining acceptable methods of addressing quality in identity assertions, thereby reducing the risk of financial liability. Furthermore, accountability must be established as companies engage one another in asserting identity or other forms of information within the larger context of federation.
Quality Assurance
Overall, addressing the issue of quality is a major challenge in the context of wide-scale federation. Without an ability to assure or affect quality in the assertions which are made between companies, the cost of misplaced trust outweighs the rewards of relying upon others.
A foundation for enabling quality begins with an ability to define minimum standards and requirements, and an assertion by each party which is either self-certified or independently certified that they can and will adhere to these minimum requirements.
Furthermore, legally binding recourse must be defined in a context which motivates (if not rewards) each party for continual improvement in the quality of the assertions which they represent to other relying parties.
Revocation
One of the risks of identity federation is that security becomes interdependent, a notion which is viewed negatively, or in some cases as unacceptable, by IT. Furthermore, as an identity-owner, the possibility that linked accounts (within an identity federation) can result in additional damage to a digital reputation if compromised by identity fraud is potentially terrifying.
How companies can minimize inevitable security breaches and the resulting damage or financial exposure is therefore of major concern. Defining the procedures for revoking credentials, suspending an identity or lowering the confidence in a particular interaction below some threshold must become an integral component of any quality-assured identity network.
Risk Management
Every interaction which involves a third party inherently introduces new risks. While every company’s tolerance for risk is different, each company must evaluate for itself how much it is willing to invest to reduce risk.
Within the context of wide-scale identity federation, the risks of misplaced trust can easily outweigh the potential return of having the freedom to interact with everyone. That said, the risk of isolationism can result in a loss of market share to those companies who better serve the same customer.
In today’s non-federated environment, risk is both assessed and addressed on a company-by-company basis, an approach which is appropriate today but also expensive, and which becomes inappropriate or perhaps even cost-prohibitive once new variables are introduced through federation. While federation introduces new risks, it also introduces new possibilities, and requires new approaches towards addressing those problems. With proper coordination, both group and individual risk can be minimized through a pooling of efforts. One way to address this collectively is to define for the federation the same minimum quality standards, standardized procedures, certification and credentialing programs which are used individually, and to track adherence to these standards and the success or failure of each interaction.
Privacy Compliance
As identity authentications and attributes are shared within an identity federation, businesses are compelled through privacy legislation to be cognizant of the individual’s privacy rights and preferences. Identity federation simply does not work if an individual is subjected to differing privacy policies but is not explicitly made aware of this fact as they move from one company to the next within an SSO interaction. Privacy legislation such as HIPAA and GLB is making these issues ever more complex. As noted earlier, identity federation MUST accommodate the needs and desires of all three constituents: the individual, the business and the government. Once again, a pooling of resources within an identity federation can reduce redundancy and thereby alleviate or help to solve many of these issues.
Defining a Solution: The ATM Network Analogy
One potential framework which can serve as a model for understanding how many of the challenges surrounding federated identity can be resolved is found in the analogous history of the evolution of ATM and other financial networks.
For hundreds of years, the banking industry was characterized as a local or regional business. With the advent of ATMs, it became possible to extend a bank’s presence to allow cash withdrawal 24/7 from a much greater number of locations. While this enhanced consumer convenience, it also created a problem, namely, how could individuals withdraw cash from ANY ATM, even if that ATM was not sponsored by the individual’s bank. To resolve this issue, banks began to regionally establish ATM relationships with other banks, and to invest in connecting their systems electronically through dedicated links to one another. While this solved some of the problems, at least locally, it didn’t resolve how the traveling individual withdrew funds from an ATM in another state or country.
Moreover, it was becoming increasingly cost-prohibitive for banks to negotiate and establish what appeared to be a never-ending number of electronic relationships with other banks.
In response to this problem, national and international ATM networks were established to address this “peering to the Nth degree” dilemma. By establishing a set of common operating rules and regulations, these new independent third-party ATM networks were able to address the quality control issues surrounding minimum requirements and standardized procedures, while at the same time removing the requirement for every bank to communicate directly with every other bank (by offering transaction clearing house services).
At the core of many of these networks was a member-owned corporation that provided for a fair and equitable governance structure, affording its membership an opportunity to define for themselves the operating rules and minimum requirements with which they would engage one another.
Enter the PingID Network – An Identity Network Operator
The PingID Network is a member-owned, technology-neutral identity network, the first of its kind designed to provide the necessary business and legal framework for the accelerated development of wide-scale identity federation.
The rapid adoption of identity services in the absence of formalized inter-company business processes, procedures and standards will result in a patchwork of isolated solutions and a growing and inefficient replication of unmanageable legal agreements. An organized effort is required to represent the best interests of the business community and the end-user at-large. This is accomplished by establishing the business process standards which are required to ensure security, reliability and interoperability.
By joining PingID, member-companies are afforded an opportunity to instantly engage all other Network members in quality assured identity-based interactions.
Member Services Include
• Standardized business / legal agreements for federation
• Standardized interoperability rules and dispute resolution procedures
• Shared services for enhanced interoperability and identity interchange

Member Benefits Include
• Reduced cost of federation – standardized agreements, shared resources and pooled knowledge make widespread FIM affordable across all market segments.
• Reduced complexity – as peering becomes standardized, it reduces the requirement to maintain one-off relationships.
• Increased interoperability – a standardized business framework combined with enhanced identity interchange services improves interoperability.
• Improved ability to comply with privacy legislation – by providing services which help individuals manage their privacy preferences, enterprises are better equipped to deal with existing and new privacy legislation.
• Improved trust – by providing enhanced services which enable distributed trust, companies can engage one another with increased confidence.
• Improved framework for resolving new issues – by providing defined procedures for resolving emerging issues, companies can spend less time focusing on identity and more time focusing on their business.
Conclusion
Businesses are challenged with two seemingly opposed trends: the need to increase access to information and the need to maintain security. As firewalls become increasingly semi-permeable, companies are forced to re-examine their approach towards security. New digital identity constructs are serving to help solve this dilemma, allowing known entities to access information with confidence, but new infrastructures are required to manage these identities. Corporations are now beginning to invest in identity management solutions to help them manage users, roles and permissions, but these solutions do not address many of the issues that result from inter-company identity services (identity federation) such as shared sign-on.
As companies enter into an ever-increasing number of electronic relationships which involve identity, there is a commensurate need for a common business framework that will provide for an adherence to consistent end-user handling, a means for dispute resolution and a baseline for privacy compliance.
Through common business frameworks, pooled resources and shared services, companies can efficiently and with confidence engage one another in wide-scale federated identity services.
The PingID Network is one such common business framework, designed to accelerate identity federation, improve confidence through quality assurance and minimum standards and reduce costs through shared services within a fair and equitable member-owned governance structure. The PingID Network lays the foundation needed for quality-assured, wide-scale identity federation, enabling enhanced interoperability and improved reliability, security, and process efficiencies.
End of Whitepaper

Created 12/9/2002; 5:38:25 PM. Updated Sunday, August 29, 2004 at 7:05:03 AM
(C) 2008 Andre Durand - Federated Identity Management