The rapid proliferation of threats to corporate data has spawned various approaches to information security. It has been said that whoever has access to the data holds the keys to the business. So it is not surprising that identity management, both within an organisation and outside its boundaries, has risen up the IT security agenda.
Identity management systems have long been available as a means to authenticate and track who is accessing data, for what purpose and when. But the increasing complexity of the IT security and compliance environment that firms now have to operate in, coupled with the need for organisations to connect to multiple business partners and customers, has made federated identity management a more attractive option for securing access to systems and data within and across organisational borders.
Federated identity management has evolved with the maturing of the internet and the rise of web-compliant technology and standards to the point that effective co-ordination and mass integration between trading partners and customers is now achievable, affordable and, for many firms, necessary. According to industry experts, this federated approach to managing user identities can enable businesses to substantially reduce costs, create new revenue opportunities, and provide greater convenience, choice and control for their users.
“There has been an increased emphasis on managing the areas of access provisioning and directory management dynamically,” said Neil Macehiter, service director of IT consultant and analyst Macehiter Ward-Dutton. He added that as a result identity management and related standards have climbed the corporate security agenda, with IT chiefs under growing pressure to ensure their businesses “can authenticate new users more easily and give them access to functionality held within proprietary systems from outside the firewall”.
Standards available to facilitate this approach include the Liberty Alliance Identity Federation Framework (ID-FF), which involves at least three elements: an identity provider, such as a telecoms company; a service provider, such as an online retailer, financial institution or government agency; and a user agent, such as a browser or a wireless mobile handset. ID-FF is often used to link systems using a browser-based scenario.
But even ID-FF relies on other standards, such as Security Assertion Markup Language (SAML), which is used to enable browser-based federations. This is an open, application-level framework for sharing security information over the internet. SAML is widely supported and implemented as a federation standard.
Other identity standards include Web Services Federation Language (WS-Federation) and Web Services Security specification (WS-Security), which are vendor specifications. WS-Security defines how to attach signature and encryption headers, as well as providing profiles that specify how to insert different types of binary and XML security tokens into WS-Security headers.
WS-Federation is designed to standardise the way firms share user and machine identities among multiple authentication and authorisation systems spread across corporate boundaries. The standard is heavily backed by Microsoft, and the vendor has made available Active Directory Federation Service, which supports WS-Federation, as part of its Windows Server 2003 R2 update.
But whatever mechanism federated ID management is built on, it has to be underpinned by the same best practices, according to John Madelin, head of BT's UK security practice. That applies whether the mechanism is standards based on internet and browser technologies, proprietary systems or document workflows, or even two-factor authentication, which uses a separate device to confirm that the identity and password are held by the authorised user.
“Words like appropriate, measured and reasoned should be those one has in mind when looking at federated identity to provide some level of identity and access management, as well as compliance assurance,” Madelin said. “Large-scale federated identity management deployments are still in their relatively early stages. In real life, most organisations have multiple directories so that consolidating them, categorising access rights and introducing automation through the lifecycle of provisioning user access rights can bring benefits of enhanced security and user satisfaction.”
From his own experience at BT, Madelin sounded a note of caution. “To achieve true single sign-on can be an almost impossible aspiration in an environment of dynamically changing and distributed applications,” he said.
Madelin advised companies thinking about moving towards federated identity management to do so on a case-by-case basis. “Taking small increments in terms of project scope can have a huge impact on business buy-in to federated identity technology investment,” he said.