Speaking at Digital ID World, General Motors chief technology officer Tony Scott detailed the difficult path to delivering a federated identity solution. Federated identity management, which supports multiple entities connected within a circle of trust, is one of the major initiatives growing out of Web services that will provide substantial benefits to corporations and consumers.

The technology challenges, according to Scott, weren't significant, but the unforeseen business issues turned a three-month project into a year of hurdling social obstacles, such as coming up with agreements among the parties within the federation on enforcing compliance, liability definitions, dispute resolution procedures and auditing requirements.

GM's project used the open standards for federated network identity services developed by the Liberty Alliance to extend single sign-on capabilities from the company's employee portal to an external benefits provider.

Among the lessons learned, Scott highlighted the importance of organizational trust. "How can we trust that the partner's security is as good as ours? If you are going to do it, allow time for organizational trust elements to happen at several levels, in particular for auditing and security in terms of how it's done and how it lines up with what we do," Scott said.

He also pointed to the need to resolve up-front issues regarding who bears the cost of the infrastructure and how problems are escalated, as well as to engage in scenario planning for provisioning new employees, changes in status, and session timeouts.

"We have a lot of joint ventures, Internet service providers and people who go on leave where their status changes and it may not allow them to maintain access, so we created an elaborate set of use cases," Scott said. "We were shocked at the number of use cases. We also had some interesting dialog around timeouts and coordinating that with our existing security policy."

In addition, differences in how the United States and the rest of the world look at identity and privacy can impact deployments. In the U.S., the Gramm-Leach-Bliley Act (GLB) and the Health Insurance Portability and Accountability Act (HIPAA) must be accounted for in establishing a federated identity network.

Acclimating users to new usage patterns and obtaining buy-in from business partners were also part of the critical path to a successful deployment. "We wanted to create a global phone book for employee self service, with features like showing the organization structure, phone numbers and office locations of employees. It took about a year to get regulatory approval from the EU [European Union] and others," Scott said.

Standards skirmishes
Web services are greatly contributing to the viability of federated identity networks such as GM's, but the standards are in flux. I moderated a panel with representatives from the Liberty Alliance (a group led by Sun Microsystems, with 170 member companies including both vendors and corporations) and the WS-I (a group led by IBM and Microsoft, along with BEA, RSA Security and Verisign, who contributed to the WS-Federation spec) regarding the future ratification of standards and interoperability between the two camps.

Jamie Lewis, president and research chair of the Burton Group, who also participated on the panel, noted that the architectural differences between the two specifications are minimal. Both define mechanisms to allow different entities to federate, brokering trust of identities, attributes and authentication between participating Web services. He viewed the dispute over what will become the standards as a political issue, describing the two powerful players, IBM and Microsoft (WS-*), as a "cartel in action."

Simon Phipps, Sun's chief technology evangelist, called WS-* a sleight-of-hand operation in which IBM and Microsoft determine standards and then ask a standards body to bless them. Phipps, as well as Michael Barrett, president of the Liberty Alliance and vice president of Internet strategy at American Express, support a more open forum similar to the Liberty Alliance to develop standards. Brian Arbogast, corporate vice president of the Identity, Mobile and Partner Services Group in Microsoft's MSN and Personal Services Division, pledged that his company simply wants to produce the best possible open standards for customers, and that large group consortia aren't necessarily the best way to draft standards specifications.

Lewis labeled the friction a "political war," and predicted that markets will force convergence and reasonable coexistence in the next three to five years. It's hard to disagree with that perspective. IBM and Microsoft are like members of the United Nations that have veto power, but holding a veto doesn't mean it can be abused without limit.

On the current horizon, SAML is in the lead and gaining momentum with lots of early adoption, Lewis said. SAML, an XML-based framework for exchanging security information, is core to the Liberty Alliance effort, and the WS-* group has pledged to support it in its Web services specifications. Microsoft announced that it would support SAML tokens, and IBM is shipping SAML as part of its solution.
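The checks a relying party (here, the external benefits provider in a setup like GM's) makes when it consumes a SAML assertion, and how it reconciles the assertion's session bound with its own timeout policy, as an added example that is not from the article or from any vendor it mentions. It uses SAML 2.0 element names, an assumption since the deployments discussed here predate SAML 2.0 (SAML 1.x had equivalent Conditions elements); the assertion, issuer and URLs are constructed, and signature verification, which a real relying party must do before any of this, is out of scope.

```python
"""Validity-window, audience and session-lifetime checks on a SAML assertion.

Constructed example: the assertion, issuer, subject, audience and all
timestamps below are invented for illustration. Element names follow
SAML 2.0 (an assumption). Signature verification is out of scope.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: a 10-minute consumption window and an 8-hour
# session bound asserted by the identity provider.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2004-01-05T12:00:00Z">
  <saml:Issuer>https://idp.example-employer.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>employee-12345</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2004-01-05T12:00:00Z" NotOnOrAfter="2004-01-05T12:10:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://benefits.example-provider.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2004-01-05T12:00:00Z"
      SessionNotOnOrAfter="2004-01-05T20:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_ts(value):
    """SAML timestamps are UTC with a 'Z' suffix; fromisoformat wants '+00:00'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, expected_audience, now_iso, clock_skew_s=30):
    """Return (ok, reason) after checking the Conditions window and audience.

    A small clock-skew allowance is applied on both ends; the window itself
    is the identity provider's, so it is never widened beyond that.
    """
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    now = parse_ts(now_iso).timestamp()
    not_before = parse_ts(cond.get("NotBefore")).timestamp()
    not_on_or_after = parse_ts(cond.get("NotOnOrAfter")).timestamp()
    if now + clock_skew_s < not_before:
        return False, "assertion not yet valid"
    if now - clock_skew_s >= not_on_or_after:
        return False, "assertion expired"
    audiences = [a.text for a in cond.findall(
        "saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if audiences and expected_audience not in audiences:
        return False, "audience mismatch"
    return True, "ok"


def session_lifetime_s(xml_text, now_iso, local_max_s=8 * 3600):
    """Seconds of local session to grant: never longer than the identity
    provider's SessionNotOnOrAfter, and never longer than local policy.
    This is the timeout coordination the article's GM use cases ran into."""
    root = ET.fromstring(xml_text)
    stmt = root.find("saml:AuthnStatement", SAML_NS)
    if stmt is None or stmt.get("SessionNotOnOrAfter") is None:
        return local_max_s  # no IdP bound asserted: local policy alone applies
    remaining = (parse_ts(stmt.get("SessionNotOnOrAfter")) - parse_ts(now_iso)).total_seconds()
    return int(max(0, min(remaining, local_max_s)))


if __name__ == "__main__":
    now = "2004-01-05T12:05:00Z"
    print(validate_assertion(SAMPLE_ASSERTION, "https://benefits.example-provider.test", now))
    print(session_lifetime_s(SAMPLE_ASSERTION, now))
    print(session_lifetime_s(SAMPLE_ASSERTION, now, local_max_s=4 * 3600))
```

The two functions separate the two different clocks a federation has to agree on: the short consumption window on the assertion, which bounds replay, and the session bound, where the relying party takes the stricter of the partner's value and its own policy rather than silently inheriting the partner's.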

Liberty is in the early adoption phase, with the standards effort driven in part by enterprise customers and product implementation underway in consumer-facing applications. Lewis described WS-* as broad in scope, and building a high-value set of standards that people will buy into. His advice is that the industry politics shouldn't get in the way of enterprises deploying federated identity networks today, and that longer term WS-* and SAML will become dominant. But the Liberty Alliance has strong momentum going forward, and hopefully the two sides will do what's in the best interest of customers in providing interoperability.

Ping Identity
The most interesting and promising development I encountered at Digital ID World was Ping Identity. The 12-person company, led by CEO Andre Durand, offers SourceID, an open source platform for deploying federated single sign-on or enabling federated identity applications. The platform is technology neutral, providing support for SAML, Liberty Alliance, WS-Federation and WS-Security. The SourceID Federation Platform comes in Java and .Net flavors and supports Phase I of the Liberty Alliance protocol. The company also has a proof of concept of a WS-Federation version.

Durand said he would likely apply a BSD-style license for SourceID, rather than the General Public License (GPL) that underlies the more open Linux community. "We are using open source to accelerate adoption of the concept and to potentially increase our market share," Durand said unabashedly.

"We are allowing companies to play with the code--a perpetual free license to play," Durand said. "We will build a layer on top for small and medium-size businesses in a commercial version with installation, managed services and other facilities built in. If you want to turn on the managed services, you need to join the PingID network."

In addition, Ping Identity is addressing the non-technical issues that plagued GM's Tony Scott in his attempt to create a federated identity network beyond the corporate firewall. The company has developed the PingID Network, a member-owned, technology-neutral identity network that provides businesses with a legal and business framework to smooth the process of developing contracts between partners.

While all the promises of transparent access, legal safety zones and privacy protection from the various standards and practices aspirants sound a bit idealistic, PingID takes its cue from a well-known and successful networked partner infrastructure: the ATM banking system.

As ATMs grew more popular, banks interconnected systems regionally to provide customer convenience. The next step was to extend the partner network more globally. It became unmanageable for banks to individually or even regionally negotiate ATM partner relationships. The problem was resolved by creating a third-party network of national and international ATMs guided by a set of common operating rules and legal covenants, such as standardized procedures, risk management, dispute resolution and mutual confidence parameters.

According to Durand, Ping Identity has defined shared services as well as common legal agreements, liability shifts and limits, participation requirements and dispute resolution procedures. Basically it's a template for creating a trust network based on the emerging Web services standards.

Ping Identity's model is unique, at least for now. The company has about 15 members (Durand was unwilling to disclose the names) so far, and a five-year management agreement with each member. Durand said the company has seen interest, in terms of downloads of the SourceID federation gateways, from auto manufacturers, health insurers, telcos and governments such as the EU.

According to Durand, the revenue from the management contracts is trivial. Ping Identity expects to make its money from its managed services, such as audit logging of identity-related transactions to ensure that the programs and policies agreed upon by the PingID network are enforced. As part of its contract with members, Ping Identity has the right of first refusal for its value-added managed services, but PingID members have the right to substitute managed services from another vendor, Durand said. "We will sell managed Web services on a subscription model, like minutes on a cell phone," Durand said.

Durand has stacked the deck of Ping Identity with key executives from the banking industry, including Linda Elliott, a former Visa senior executive in charge of Visa's global transaction network, and Bill Reid, a former Visa and Microsoft senior executive, as well as Kirby Slunaker, who was part of the initial senior management team that founded the Visa/PLUS ATM Network service, which today has more than 840,000 ATMs in over 150 countries. The company recently garnered $5 million from General Catalyst Partners, a venture capital firm, and private investors to start its ramp up.

Whether Ping Identity succeeds remains to be seen, but the company has the right idea. Durand and investor Jeremy Allaire of General Catalyst Partners (and a creator of the Web development platform Cold Fusion) told me that it would take five to ten years to realize their vision. That's quite a different perspective from the dot-com days. Ping Identity appears to be taking the right first steps in solving the problems that GM and almost every other enterprise are facing in creating federated identity networks.

You can write to me at dan.farber@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.