The Promise of Federated Identity Management
by Fran Howarth, Principal
Identity management technologies are hot and implementations are picking up pace. Companies that have invested in identity management are reaping the benefits. They are seeing reduced administrative costs and burdens, improved productivity for staff, reduced security costs and vulnerabilities, and an improved ability to comply with industry and government regulations.
Identity management implementations profoundly change and improve the way IT works. They affect all parts of a company's communications infrastructure and ultimately they touch all applications, technology platforms, messaging systems and operating systems. There can be no surprise, then, that such deployments present a significant challenge and that full implementations are long and arduous. Hurwitz & Associates has not yet come across any company that has managed to implement identity management wall-to-wall throughout the organisation, although that is where many are heading.
The reality today is that many organisations start with a point solution, typically to automate an inefficient and expensive process such as managing passwords. They may then move on to tackling a provisioning project and then perhaps tackling single sign-on, coupled with strong authentication, to remove security headaches caused by users having to remember multiple user name and password combinations, which many write down and leave near to their computer, despite the guidelines they are given.
SOA and ID Management
Once projects such as these have been implemented, companies are closer to having identity management embedded in their organisations, with identities mapped to virtual directories and policies managed from a centralised point to allow all parts of the organisation to be controlled. The basic foundation is in place.
Over time, if current software trends are anything to go by, companies will migrate to a Services-Oriented Architecture (SOA). A SOA allows the components of enterprise business applications that perform a specific function, such as raising an invoice, to be called on from other applications in real time. From a security perspective, this requires that identity credentials be tied to each transaction. It also paves the way towards the ultimate goal of providing software as a service in a fully secure manner.
"Software as a service" is an attractive idea because it holds out the promise of software integration between organizations across supply chains. And this in turn introduces the idea of federation.
The Federated Environment
A federated environment can best be thought of as a computing environment (an extended network) that embraces business partners as well as internal company resources. In such environments, it will be advantageous to allow IT users to use the resources, in particular the applications, of business partners. However, any such usage must be closely controlled. Among other things it will require identity management technology both for authorization of access and for authentication between the organizations involved. This means that two (or perhaps even more) identity management systems will have to swap information and guarantee that a user has been authenticated and is authorized to use whatever service is being made available.
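As an added example (not code from the article or from Hurwitz & Associates), the exchange described above in miniature: a partner identity provider issues a signed authentication assertion, and the service provider checks issuer trust, signature, audience and expiry before applying its own, locally held authorization policy. The issuer name, shared key, service identifier and entitlements are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed trust relationship (assumed values): the service provider
# trusts one partner identity provider and shares a signing key with it.
TRUSTED_ISSUERS = {"idp.partner.example": b"shared-secret-for-partner-idp"}
SERVICE_ID = "invoice-service.company.example"
# Authorization stays local: the partner vouches for who the user is,
# the service decides what that user may do.
ENTITLEMENTS = {"alice@partner.example": {"invoice:read"}}

def _sign(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def issue_assertion(issuer, key, subject, audience, now, ttl=300):
    """Identity provider side: assert that `subject` authenticated."""
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": _sign(payload, key)}

def validate_assertion(assertion, now):
    """Service provider side: returns (subject, None) or (None, reason)."""
    claims = assertion["claims"]
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        return None, "untrusted issuer"
    payload = json.dumps(claims, sort_keys=True).encode()
    if not hmac.compare_digest(_sign(payload, key), assertion["sig"]):
        return None, "bad signature"
    if claims.get("aud") != SERVICE_ID:
        return None, "wrong audience"      # token meant for another service
    if now >= claims["exp"]:
        return None, "expired"
    return claims["sub"], None

def authorize(assertion, action, now):
    """Accept the partner's authentication, then apply local policy."""
    subject, reason = validate_assertion(assertion, now)
    if subject is None:
        return False, reason
    if action not in ENTITLEMENTS.get(subject, set()):
        return False, "not entitled"
    return True, "ok"
```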
Companies leading the charge in this area are generally those with large extended networks, perhaps including a large number of third-party service providers, suppliers, dealers or resellers, and even customers. A SOA environment provides the ideal scenario in which to achieve efficient federation.
At present, many companies are simply kicking the tyres of federated identity management. Nevertheless, there are already a significant number of projects in progress, although most are early endeavours that have got little further than the proof of concept stage. We already noted that it will be a while before most organizations have full implementations of identity management within the organization, and so naturally it will be even longer before federated identity management deployments encompass entire enterprise networks, but the process has begun.
Many of the deployments that are currently in place are being used for authenticating transactions and authorising access for processes that are largely internal in nature, such as enabling employees to more easily access services such as healthcare insurance provision or pension benefits. But we also see evidence of companies extending these deployments to encompass business partners.
The Hurwitz Research Program
Over the course of the next couple of months, Hurwitz & Associates will be conducting research into the current state of federated identity management with a view to analysing the promise that it holds. We are talking to both technology vendors and end-user organisations to identify the key areas of technology involved and best practices identified by early adopters. If any technology vendor or end user of federated identity management technologies would like to be included in this research, we would welcome them getting in touch.