The case for federated ID management

Simon Perry, vice president of security strategy at CA, discusses the current identity management landscape and the benefits to firms of improving their existing security practices by taking a federated approach to identity.

IT Week: There have been a number of high-profile incidents that have pushed IT security into the spotlight recently, including the data breach at TK Maxx and the release of the House of Lords internet security report. Do you think these factors are raising the profile of identity management within firms?

Simon Perry: I think the fundamental issue is that over the past 10 years we’ve seen the establishment of an economy based on valuing information. So there’s a lot of focus today on who can get access to the information, that is, personally identifiable information, like banking information or the trade secrets of an organisation. There’s more focus today on controlling who gets access to what information and what they do with it.

How are UK companies doing in terms of their approach to identity management compared with organisations around the globe?

There has generally been quite a lot of progress. The banks rate fairly highly, while the public sector is also getting there. We’re seeing good projects focused on joined-up government services, which cannot succeed without effective identity and access management. The one area where perhaps the UK lags behind is breach notification. One of the issues highlighted in the House of Lords report is that companies here in the UK do not have a requirement to notify customers if there is a breach of data that results in their personally identifiable information, such as name, address and credit card details, being exposed.

One of the examples you mentioned was joined-up e-government. Is the public sector ahead of the private sector in identity management?

I wouldn’t say that, but we are seeing a lot of focus within the European Union on taking a government service and making it available to constituents over the internet. And there’s also an effort to move from running a lot of different government service silos to joining those up so that someone can perhaps go to a single government web site and access a different sort of government service, whether it be around driver’s licences or social benefits, for instance. Governments are putting a lot of effort into investigating federated identity management as a means of supporting this approach.

What is federated identity management?

What that really means is that each of those government departments will continue to operate as a silo and will continue to provide a lot of services via the internet. But there would perhaps be a single government portal where you as a citizen would come and authenticate through. And in that way, you could use that same digital identity to access multiple government departments at the back end.

Can you give any concrete examples of federated identity in action?

A good example is a high street bank with an internet banking system. In order for you to use internet banking, whether to transfer money, check your balance or pay bills, you need to be authenticated with a user ID or password. But imagine if that same bank also provided a whole series of other services to customers that the bank itself did not actually provide. That could be insurance for motor vehicles, house and contents insurance, or other financial packages. The bank offers those services to you via its web site, but in fact those services are provided by a business partner of the bank. Now each of those services also requires you to authenticate to them. Without federation, what would happen is that you would hit the bank’s web site, you would authenticate to the internet banking web site and they could advertise that these other services were available. But if you tried to access them, you would have to have a different user ID and password. So, for an end user you get this incredible complexity of different user IDs and passwords that you have to remember as you traverse all these different internet domains.

What are the advantages of a federated approach?

With federated identity management what could happen is that you could authenticate to the bank and then it, on your behalf, would assert your digital identity to its business partners. And those business partners would trust that digital identity coming down the line. As a consumer, you would seamlessly pass through and actually access multiple domains in the back end. But to you, it all looks like one web site so, in effect, you get single sign-on and one digital identity.

Are there also benefits for businesses?

What that means to the business, to the bank, is increased competitiveness and differentiation through the ability to offer white-labelled services to you as a customer. There are a lot of business benefits around it, and one of the interesting things around federation is that it almost turns security on its head, because all of a sudden security is not a disabler. In fact, it becomes an enabler for how you actually roll out and offer new services to your customers.

Are firms currently using this approach as a selling point to gain more customers?

Those vendors that are doing it today certainly are seeing federated identity management as a platform for their future adoption and continued rollout of internet services. I don’t want to give the impression that everyone is implementing federated identity management today, but it will take off throughout 2008 and 2009.

Which areas are firms focusing on to improve the protection of sensitive information and user identities?

What we’re seeing is an enormous amount of focus on what I would call the “bread and butter” of identity management, which really comes down to platform hardening, whether that be Unix, Linux, Windows or mainframes. Firms are also looking at web access management projects, to actually put in authentication services for some kind of internet or intranet site, and there’s also a lot of focus on user provisioning projects. Creating an ability to generate an audit trail, so that firms can not only control who gets access to the data, applications and information stores but can also generate a whole series of reports afterwards, is also a key concern. This means that if the auditors or other companies that you’re working with come and ask, “Who got access to that application and what did they do?” you’ve got all the reports ready to answer them.

In the picture you are painting, it seems trust has an important part to play for identity management to work.

We did some research recently and found that there is a level of distrust among consumers. They’re certainly concerned about data breaches like the TK Maxx incident. So that’s in the back of their minds. And one of the things we’re finding is that, over time, people are not just looking for the best price of goods and services from a web site and they’re not just looking for brand association and loyalty; they’re actually beginning to consider whether a company with whom they are going to share their credit card data and other personal information would keep that information safe. So there’s an element of trustworthiness that’s beginning to infiltrate buying decisions.

How important is trust at the business level?

In the internet banking scenario, if you are the bank and I am the insurance company, you are authenticating those customers that you then send down the wire to me. I need to trust that all of your processes and systems are secure and that your procedures are correct, because I also need to trust that identity. You’re doing the authentication of the end user on my behalf. One of the things that we’re seeing is that there is a requirement today for you to have a standard way of expressing your security capability to me as an organisation. So we’re seeing increased adoption and certification to industry standards like the ISO 27000 series, which allows for the certification and independent examination of your IT security.

You mentioned standards as a way for firms to be able to attain the level of trust required. Does that make industry standards an important feature of federated identity management?

I think industry standards play a huge part. I’ve been in the IT industry for over 20 years and I’m really pleased that in the past 10 years, we’re seeing a real push around the adoption and growth of standards. This is something that CA has been quite active in over the past few years, working with various industry bodies to make sure that not only our products conform to the standards that are available, but that the standards themselves are widely adopted and rich in what they express. In the federated world, my organisation could be secured with CA technology and yours could be secured with open-source technology. My technology would need to talk to yours and standards are what enable that.

How expensive and complex is it to achieve a federated identity model?

I would describe identity and access management as a journey. Now, it doesn’t really matter where your final destination is. Perhaps it’s to get to the point where you are federating with business partners, either on the receiving end of the identity or on the providing end. Federation may not be the end-game for a lot of organisations. For some it’s good enough to save money and improve processes and security by simply focusing on the provisioning of the lifecycle of a digital identity. For some it’s good enough to make sure they’re locking down their platforms, intranet and internet sites with web access management. For some there is a requirement that’s either driven by regulatory bodies or legislation: for those firms, just to put in auditing and access control technologies may be the requirement. So where people get to and where they stop is less important than the fact that they should really approach this as a multi-stage model.

How long does a typical federated identity management project take?

In some cases, the process change or re-engineering that is required can be a far more significant aspect of the project than the actual implementation of the technology. You really need to approach federated identity management as a 12-month or perhaps two-year, multi-stage, multi-disciplinary project, which is bigger than IT. It has to touch and involve the business and its sponsorship. It has to involve business process re-engineering as much as it does technology deployment.