NOT LONG AGO, subcontractors working with a major U.S.
manufacturer felt a lot like they were walking England’s
Hampton Court labyrinth, where, famously, “The main
path is not made clear in any way.” Even the most trusted
subcontractors had to navigate a maze of directories,
domains and authorization levels before gaining access to
everything from project blueprints to the company’s
supply-chain channels. Secure? Yes. Efficient? Not always.
But as work began on the company’s
next big project, a new competitive reality set in, and the
corporate brass sought ways not just to save money, but to
make their information-based construction and procurement processes
more straightforward. Enter federated identity management.
With the new federated identity infrastructure,
hundreds of subcontractors and suppliers could log on to secure
systems with a single password and gain access to all the
files, blueprints and applications for which they had authorization
— without the company giving up an ounce of security.
How’s the gambit flying? According to analysts at the
Burton Group, a Utah-based IT research firm, this manufacturer
has gained countless efficiencies, which have quickly yielded
significant ROI — and a competitive edge.
How does federated identity management work?
Strong authentication and authorization protocols enable businesses
to simply and seamlessly move users between broad domains
and applications without the litany of passwords that haunts
most working professionals today. Currently, most Internet
commerce is static, with costs and complexities standing in
the way of many potentially lucrative cross-business partnerships.
In contrast, federated identity management offers nearly limitless
scalability, reaching across business and, one day, possibly
directly to consumers.
Indeed, for about 100 early adopters across
the world, federated identity’s promise is that someday
all computer users will be able to merge all their Internet
identities, whether they’re JimQ at an auction site
or JamesPublic at their 401(k) site, into one. It’s
easy to see how users could benefit, but consider the business
possibilities. Not only can federation dramatically reduce
the helpdesk carousel of forgotten passwords and hints within
the enterprise, but it’s already helping large supply-chain
management firms realize huge cost savings by cutting out
hordes of middlemen, directory managers and complicated, built-from-scratch
authentication systems.

Although these opportunities
are balanced by formidable challenges of legality, and even
the emergence of “confederated identity”—a
worry that headstrong competing standards may waylay broad
buy-in, at least over the next five years— security
analysts say the time is now to address this new junction
in Internet commerce. An identity crisis fueled not just by
security concerns but by impatient users is confronting a
growing number of web-based firms. Already, federation is
becoming a boardroom buzzword from Paris to Peking, chiefly
because it confronts nagging problems with Internet commerce
and potentially solves security and trust issues so that managers
can spend more time dreaming up new business synergies and
partnerships.
The auspice of federated identity
cuts into the deepest psychology of Internet use and to the
most basic issues of access. Commonly, users will navigate
away from sites if they no longer remember their password
and can’t find the Post-It® note where it was written.
“Right now, companies
know they’re losing business because of the password
blues,” says Dan Blum, research director at The Burton
Group. Federated accounts essentially pass a single verified identifier from one site to its partner in place of a separate password at each
— for example, when a national clothing retailer links its customers
through to a brand-name shirt maker.
THE POWER OF ONE
There are many gains to be made from federated identity, including
things as simple as lower call-in volume; one study showed
an 85 percent drop in customer calls after the company went
to a secure single sign-on model. But the greatest benefit
is federation’s potential to make even low-volume partnerships
between companies cost-effective by providing a secure, low-cost
and nearly seamless way to couple services across the Internet
and across business boundaries.
“What we’ve done
with federation is enable companies to bring more partners
online, offer more products and services, and generate overall
revenues,” says Jason Lewis, vice president of product
management and marketing at RSA Security. “Simply put,
federated identity reduces friction in doing business.”
Indeed, there are a growing
number of federated scenarios, from the mundane to “A
Brave New World”:
REVENUE GENERATION
Among the prime early adopters
of federation are large insurance companies that underwrite
policies for independent agents all over the world. One large
national car and personal insurance underwriter, for example,
wanted to be more agent-friendly and decided to expand its
product offerings. Federation made sense, providing the harried
agents with a single sign-on system with which to access the
expanded offerings. Today, the system seamlessly links agents
directly to partners’ web services to sell annuities
and IRAs, all while making it appear as if the agent is dealing
solely with the underwriter. Sales and service both are improved
— a win-win for the company and agents alike.
PROCESS EFFICIENCY
For supply-chain managers in big
industries like automobile manufacturing, federated identity
management is already coming online — with dramatic
results. Hundreds of companies feed into the auto trade —
leather stitchers, injection molders, detailing shops and
tire manufacturers all take orders over the Internet. The
problem? It’s the same old supply chain with a racy
new veneer. With federated identity management, supply-chain
managers can revolutionize their business: by getting rid
of a wasp’s nest of subdirectories and authorization
checkpoints, subcontractors can now easily tap into the supply
chain’s many nodes and move goods seamlessly and with
greater accuracy. Efficiency is gained throughout the system,
especially from a great improvement in ease of use.
IMPROVED CUSTOMER SERVICE
While many people bristle
at the notion of another national initiative, a federated
government Internet could bring broad benefits. Say a carpenter
in Utah is having trouble with his city-run trash pick-up.
Meanwhile, he also has a question about his taxes, a government
loan, and wants to see about a couple of outstanding parking
tickets, which are handled by a subcontractor. Through a federated
system, the carpenter could get all these issues addressed
in one electronic visit, through a single sign-on experience
that would get him into whatever bureaucratic nook he needed
to visit. For its part, the government would realize substantial
savings — as long as citizens were comfortable enough
with the admittedly Orwellian issues of surveillance and the
omnipotence of identity profiles. Already in Belgium, government
leaders have perhaps the boldest plan of all: they’re
in the process of giving every Belgian a single identity to
access government services, from local business investment
offices to national tax returns.
GEN-NEXT APPEAL
Certainly “mass adoption”
of federated identity is several years away, but researchers
say a tipping point can be reached fairly quickly, with perhaps
the greatest buy-in from younger citizens, who have already
introduced instant messaging to the business culture. It’s
an easy leap for young people to imagine being able to use
a single identity to access music online or move across chat
groups and forums. What’s more, Nokia’s hip new
phones, available as soon as next year, include a federated
system aimed directly at younger users, allowing them to buy
ring tones, listen to the radio and play stakes poker all
from different vendors, all with a single password. (A user
“shadow” will trail each cell phone user’s
selection and invisibly complete the transaction.) While younger
users are generally early adopters of all things Internet,
they’re not always bullish enough when it comes to security,
analysts say. Again, federated identity could be a social
“it” movement—and security-wise, the better
choice.
RESPONSIBILITIES, RISKS AND RESULTS
Like so many other web innovations,
federated identity grew out of proprietary systems that are
often costly and complicated. Today, companies are creating
internal and external systems that allow users to move easily
between domains and across business applications. Already,
there are a slew of federated identity standards, including
SAML/Liberty and WS-Federation, both of which are being tested
by thousands of potential adopters across the world. This
challenge of integrating federated identities will most likely
be resolved by some kind of “gateway” protocol
that would easily link up disparate standards.
Still, vexing concerns remain
for early adopters from both technology and business standpoints:
WEB SECURITY
Who is responsible for a federated
identity? One need not be a complete paranoiac to imagine
a hacker cracking one password and having a mother lode of
access tumble out of it like quarters out of a slot machine.
This is where issues of strong authentication and access management
become paramount. “The risk is that you’re putting
more eggs in one basket, so if someone figures out how to
crack your one identity, they can get into anything,”
says The Burton Group’s Blum.
B2B TRUST
Trust is the bedrock of every capital
transaction. To be sure, federated identity will test the
small print of business partnerships. After all, if Company
B accepts an authorized user from Company A, Company A had
better be sure that user hasn’t left the company and
is now accessing Company B from a new job. But proponents
say that built-from-scratch authentication templates are slowly
being replaced by standard forms that can be more easily adjusted
— and accepted — by company lawyers. When it comes
to legalities such as liability, business practices must be
modified to address the new online approach to traditional
business transactions.
However, some industry analysts
believe these factors will decrease under federation. Since
access in most cases is controlled by the company employing
the user, security can be certified through employment records.
On the other hand, complexity quickly broadens as the user
definition does. Companies that must trust a broader array
of people—for example, a college’s student body—can
opt to hide much of their data behind tougher authentication
gates.
“Imagine linking users
from an aircraft manufacturer to a steel supplier, and now
imagine those giants trying to figure out who will own the
liability and how the liability is going to be shared,”
says RSA Security’s Lewis. “It’s a discussion
of a whole different magnitude.”
At the same time, proponents
of federated identity have to be ready for this discussion.
The concept merges security with business profits in an unprecedented
way. Moreover, computer users around the world increasingly
hedge their bets on security. Aware of scoundrels in dark
digital alleys, they’re willing to take certain risks—including
the possibility of having their single identity hijacked.
Today, most identity thieves literally have to steal passwords
on Post-its to get at someone’s digital account information.
According to Blum, we’re
on the cusp of a shift in how secure the Internet seems to
its users and how seamlessly identity federation can —
and ostensibly will — be incorporated into the computer
culture. The Burton Group estimates that about 100 federation
projects have been launched throughout the corporate world,
with thousands of others actively investigating it for their
firms. See “The Articles of Federation,”
below. For a growing number of organizations, seamless
movement across the web’s invisible boundaries is reaping
benefits today. The technology is already available. The real
challenge to federated identity management is for the back-office
lawyers and senior executives to work out the fine print.
“While the technology
is only moderately complex,” says RSA Security’s
Lewis, “the trust and policy issues are harder.”
THE ARTICLES OF FEDERATION
FOUR GOOD REASONS WHY YOUR COMPANY SHOULD EXPLORE FEDERATED IDENTITY
EASIER TO DO BUSINESS.
If you’re a paint
company executive, you know that much of your revenue
comes from decisions made by the paint salespeople at
the hardware store. So how do you curry favor on the
shop floor? A paint supplier with vision could offer
salespeople a bevy of help and services from one site.
With one simple sign-on, a paint salesman could not
only order buckets of paint for a customer, but also
recommend and buy a design book (traditional Swedish
wall painting schemes, perhaps?), buy custom palettes
and even hire a local crew—all with one password.
IMPROVE THE CUSTOMER EXPERIENCE.
Your customer
can’t remember her password to access the sales
racks at your online shoe shop? Too bad—for you.
The customer will go to the mall; you’ll lose
the sale. For web-based businesses, single sign-on strategies
will “translate to dollars,” says Dan Blum,
research director at The Burton Group.
CUT COSTS.
The early returns from federated
identity are encouraging. Helpdesk calls alone are known
to decrease by up to 85 percent. Directory management,
too, can be automated, lowering IT costs by cutting
payroll drastically. And then there are the costs of
innovation: one national mortgage firm stood to lose
$500 million a year in revenues if it didn’t heed
a client’s demand to federate.
COMPETITIVE ADVANTAGE.
Because of the cost of identity
management and the complexity of managing identities
across domains, many businesses shy away from virtual
partnerships that could benefit them or their common
customers. But with federated identity, companies can
enter these partnerships, deploy more applications and
provide a higher level of customer service. “It
may lead to [customers] selecting you because you have
the ability to work with them properly,” says
Blum.
RSA SECURITY’S SOLUTION: FEDERATED IDENTITY MANAGEMENT
While many early adopters of identity federation
are reaping benefits ranging from decreased helpdesk
calls to increased B2B synergies, the pitfalls
of the new technology are real and well documented
in the business press. On the technology side,
businesses have to worry about vouchsafing their
users’ identities across different web domains—not
an easy task. On the ledger side, managers are
concerned about the legalities and responsibilities
of federation for various partners. RSA Security
is making the process a lot easier with RSA®
Federated Identity Management, an evolutionary
standards-based system that is already bringing
identity federation to reality. The RSA Federated
Identity Management solution basics are:
ONE PASSWORD
Authenticated web users can move easily between
web services and applications, and can link business
partners in revolutionary ways.
ALONG FOR THE RIDE
Web servers trace users’ identities back
to a centralized service to glean additional attributes,
e.g., an employee ID number, purchasing power
or account balance.
PERSONAL SECURITY GUARD
Users’ identities
are accounted for through a centralized source
of authentication information, so partners and
other web services know whom they’re dealing
with.
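The checks a partner site must make before honouring a federated sign-on, covering both the B2B trust concern above (an assertion for a user who has since left Company A) and the “personal security guard” role of the centralized authentication source: this is an added illustration, not the article’s or RSA’s product code. It assumes a constructed JSON assertion signed with a shared HMAC key as a stand-in for the XML-signed SAML/Liberty assertions the article mentions, and hypothetical issuer and audience URLs.

```python
import hashlib
import hmac
import json
import time

# Added example, not the article's or RSA's code: a relying party ("Company B")
# validating a federation assertion issued by an identity provider ("Company A").
# Constructed stand-in: JSON signed with a shared HMAC key instead of XML-DSig.

ISSUER_A = "https://idp.company-a.example"          # hypothetical identity provider
MY_AUDIENCE = "https://portal.company-b.example"   # this relying party
TRUSTED_ISSUERS = {ISSUER_A: b"constructed-demo-shared-key"}
# Subjects the issuer has asked us to stop honouring, e.g. an employee who left.
REVOKED_SUBJECTS = {"jdoe@company-a.example"}

def _canonical(payload):
    # Deterministic serialisation so issuer and relying party sign the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def build_payload(subject, issued_at, lifetime=300, audience=MY_AUDIENCE, attrs=None):
    # Attributes ride along with the identity (the article's "along for the ride").
    return {"issuer": ISSUER_A, "subject": subject, "audience": audience,
            "not_before": issued_at, "not_on_or_after": issued_at + lifetime,
            "attributes": attrs or {"employee_id": "E-1234", "purchasing_limit": 5000}}

def sign_assertion(payload, key):
    return {"payload": payload,
            "sig": hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()}

def validate_assertion(assertion, now=None):
    # Returns (accepted, reason); each rejection reason is a distinct audit event.
    now = time.time() if now is None else now
    payload = assertion.get("payload", {})
    key = TRUSTED_ISSUERS.get(payload.get("issuer"))
    if key is None:
        return False, "untrusted issuer"
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("sig", "")):
        return False, "bad signature"            # attributes altered in transit
    if payload.get("audience") != MY_AUDIENCE:
        return False, "wrong audience"           # meant for a different partner
    if not (payload.get("not_before", 0) <= now < payload.get("not_on_or_after", 0)):
        return False, "outside validity window"  # stale or replayed assertion
    if payload.get("subject") in REVOKED_SUBJECTS:
        return False, "subject revoked"          # the "left the company" case
    return True, "ok"
```

The revocation set stands in for whatever channel Company A uses to tell its partners that an account is gone; without it, a still-valid assertion is exactly the “new job” problem the article describes.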
By Patrick Jonsson
Illustration by Marc Rosenthal