Linux in Action: Understanding Federated Identity Management Business Drivers
What's Federated Identity Management (FIM)?
Actually, we should be asking how important FIM is. It's the linchpin of digital convergence and probably one of the most important technologies of the modern era. Soon we will be swimming in digital television, multifunctional phones and devices of all kinds, and at the core of making all these things work together with our computer networks and the Internet lies identity management. At the core of identity management lies federation.
People use FIM to refer to a system that allows individuals to use the same user name, password or other personal identification to sign on to the networks of more than one enterprise in order to conduct transactions. You might see it referred to as single sign-on (SSO).
Partners in a federated identity management (FIM) system depend on one another to authenticate their respective users and vouch for their access and privileges to services. Each partner involved relies on the other for verification. The partners comprise a circle of trust.
For example, a federated system allows a company such as AT&T to build a service in which dozens of third-party suppliers come together in one service offering. I use AT&T's voice over IP service myself. As it turns out, nearly every service on the system comes from a third party, including billing, activation and management of the VoIP telephone adapter, voice mail, call filtering, e-mail, caller ID, three-way calling, call forwarding, fax and modem support, call waiting and so on.
Without AT&T's federated identity management system, each service provider would require you to have a separate ID and password. A company will have to trust its partners to vouch for their own users. Each partner must rely on the other partner to say, "This user is okay; let them access this application."
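The circle of trust described above, as an added example that is not part of the original article: a toy identity provider authenticates its own user and signs an assertion vouching for her, and a partner service provider accepts that assertion only if the issuer is in its circle of trust, the signature verifies, the assertion was addressed to that provider, and it has not expired. The assertion format, the HMAC shared-key scheme, the partner names and the sample credentials are all assumptions constructed for the example; real federations use standards such as SAML or OpenID Connect, which carry the same four checks.

```python
"""Minimal federated sign-on exchange: an identity provider (IdP) vouches
for a user to a service provider (SP) that trusts it.

Added illustration, not code from the article or from any product it
names. Assertion format, key handling and the partner registry are
assumptions made for this example.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Authenticates its own users and issues signed assertions about them."""

    def __init__(self, name, signing_key, users):
        self.name = name
        self._key = signing_key
        self._users = users  # constructed sample: username -> password

    def authenticate(self, username, password):
        stored = self._users.get(username)
        return stored is not None and hmac.compare_digest(stored, password)

    def issue_assertion(self, username, audience, now=None, ttl=300):
        """Sign claims: who issued it, about whom, for which partner, until when."""
        now = int(time.time()) if now is None else now
        claims = {"iss": self.name, "sub": username, "aud": audience,
                  "iat": now, "exp": now + ttl}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(sig)


class ServiceProvider:
    """Relies on assertions from the IdPs in its circle of trust."""

    def __init__(self, name, trusted_issuers):
        self.name = name
        self._trusted = trusted_issuers  # issuer name -> shared key

    def verify_assertion(self, token, now=None):
        """Return (subject, 'ok') or (None, reason) explaining the rejection."""
        now = int(time.time()) if now is None else now
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = _unb64(body_b64), _unb64(sig_b64)
            claims = json.loads(body)
        except ValueError:  # covers bad base64, bad JSON and wrong segment count
            return None, "malformed assertion"
        if not isinstance(claims, dict) or not claims.get("sub"):
            return None, "malformed assertion"
        key = self._trusted.get(claims.get("iss"))
        if key is None:
            return None, "issuer not in circle of trust"
        # Verify over the raw body bytes actually received, not a re-serialization.
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None, "bad signature"
        if claims.get("aud") != self.name:
            return None, "assertion meant for another partner"
        if claims.get("exp", 0) <= now:
            return None, "assertion expired"
        return claims["sub"], "ok"


def demo(now=1_000_000):
    """Run one valid sign-on and four rejections; all names and keys are constructed."""
    idp_key = b"constructed-shared-secret-for-example"
    idp = IdentityProvider("idp.example", idp_key, {"alice": "correct horse"})
    billing = ServiceProvider("billing.example", {"idp.example": idp_key})
    voicemail = ServiceProvider("voicemail.example", {"idp.example": idp_key})
    results = {}
    if not idp.authenticate("alice", "correct horse"):
        raise RuntimeError("local authentication must succeed before federation")
    tok = idp.issue_assertion("alice", "billing.example", now=now)
    results["valid"] = billing.verify_assertion(tok, now=now)
    results["wrong_audience"] = voicemail.verify_assertion(tok, now=now)
    results["expired"] = billing.verify_assertion(tok, now=now + 600)
    # Body altered to name a different user while keeping the original signature.
    body_b64, sig_b64 = tok.split(".")
    altered = json.loads(_unb64(body_b64))
    altered["sub"] = "someone-else"
    forged = _b64(json.dumps(altered, sort_keys=True, separators=(",", ":")).encode())
    results["tampered"] = billing.verify_assertion(forged + "." + sig_b64, now=now)
    # A provider outside the circle of trust, even with a well-formed assertion.
    outsider = IdentityProvider("outsider.example", b"another-key", {})
    results["unknown_issuer"] = billing.verify_assertion(
        outsider.issue_assertion("alice", "billing.example", now=now), now=now)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>15}: {outcome}")
```

The order of the checks matters: the issuer lookup comes first because the key needed to verify the signature depends on who claims to have issued the assertion, and no claim inside the body is believed until that signature has been verified.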
Linux practitioners should start preparing for the emergence of new products and services requiring FIM, mostly because identity management has become a requirement in many organizations.
Talking Points - HSPD 12
Homeland Security Presidential Directive (HSPD) 12, dated August 27, 2004, established a policy for a common identification standard for federal employees and contractors. In the directive, the White House established these talking points:
In response to HSPD 12, the National Institute of Standards and Technology (NIST) Computer Security Division initiated a new project to improve the identification and authentication of federal employees and contractors for access to federal facilities and information systems. Federal Information Processing Standard (FIPS) 201 started the clock for agencies to implement common smart card-based ID cards, among other identity management procedures.
FIPS 201 lays out the technical and operational requirements for the system and card. HSPD 12 requires agencies to have their access systems in place, "to the maximum extent practicable", by October 25, 2005.
Some people feel that meeting that deadline is likely to be a challenge. Although NIST is not responsible for implementing the standard, Jim Dray of NIST stated, "I don't think it's going to be possible for most agencies to continue doing business as usual and comply." People at the Office of Management and Budget (OMB) remain optimistic.
Red Hat Linux, Novell, IBM and Identity Management
The main commercial Linux vendors may wind up providing infrastructure and provisioning to the various agencies that must meet the standard of FIPS 201 and related documents. You could say that the President of the United States created a sense of urgency in the federated identity management sector by pointing out that wide variations exist in the identification technology people use to gain access to secure facilities, and that those variations need to be eliminated.
That's the essence of Red Hat's entry into this market. For more information on Red Hat's product, take a look at its product page.
The new FIPS 201 standard requires replacing the former Government Smart Card Interoperability Specification (GSCIS). The new standard requires DOD, for example, to re-deploy applications on 2.2 million computers and update 3.5 million Common Access Cards. And that's only one implementation.
With all of the scrambling to comply with the President's standard, many vendors now find themselves working to help agencies meet their deadlines. You can count on IBM and its partners Red Hat and SUSE to benefit from those efforts.
Other Compliance Issues Pushing the Envelope on FIM
In addition to FIPS 201, other federal regulations have created a need for identity management. Again, with IBM having a significant lead in the market, Linux will see its share of business. Let's take a look at the primary drivers in the compliance area.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA regulations provide for the protection of healthcare information. Control of access to information systems has become big business in the health care industry. Fines of up to $100,000 and prison terms of up to five years for noncompliance make HIPAA compliance a big concern.
HIPAA regulations affect business processes, information systems operations and information systems sharing. HIPAA-compliant privacy and security features require structured identity management solutions that we have seen in products such as IBM's Tivoli Access Manager, which runs on Linux and interoperates with a variety of other software platforms.
HIPAA regulations impose requirements to enforce formal security policies and procedures for granting different levels of access to patient information.
Gramm-Leach-Bliley Act (GLB)
Gramm-Leach-Bliley regulations became effective on February 1, 2001. The US Treasury Department issued guidelines interpreting the privacy and security requirements contained in the GLB Act of 1999, also known as the Financial Modernization Act of 1999.
The GLB exists primarily to repeal restrictions on banks affiliated with securities firms. It requires financial institutions--including preparers of income tax returns, consumer credit reporting agencies, real estate transaction settlement services and debt collection agencies--to adopt privacy measures relating to customer data.
The legislation eliminated legal barriers to affiliations among banks and securities firms, insurance companies and other financial services companies. Such affiliations require legal and security safeguards. The Federal Deposit Insurance Corporation (FDIC), Federal Reserve System (FRS), Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC) and the Office of Thrift Supervision all regulate some area of Gramm-Leach-Bliley.
Sarbanes-Oxley Act (Sarbox)
The Sarbanes-Oxley Act of 2002 has created numerous logistical, operational and economic challenges for public companies. Sarbox requires CEOs and CFOs of public companies to swear under oath that the financial statements they publish are accurate and complete. This is supposed to protect investors by improving the reliability of corporate financial statements. It imposes stiff penalties for auditors, corporate officers, company directors and others who violate the Act. Every publicly traded company registered under the Exchange Act or that has a pending registration statement under the Securities Act of 1933 falls under the regulations.
Anyone who fails to comply with Sarbox can expect stiff penalties, including jail terms for executives. The new processes and procedures companies adopt to ensure compliance may in turn drive efforts to implement identity management and to automate many of those processes.
Identity management technology helps automate processes that enable Sarbox compliance. For example, it addresses security processes associated with establishing "adequate internal controls" around financial reporting. By mapping these processes as well as internal security policies to automated identity management, companies can utilize frameworks for improving security and ensuring compliance.
Organizations are continuing to deploy directories such as OpenLDAP in their business. As different applications accumulate data, federated identity management will provide users the ability to access those directories transparently.
Mergers, Acquisitions and Divestitures
The market will continue to consolidate. Companies will buy companies and attempt to merge heterogeneous information systems together. Look at Computer Associates' acquisition of Netegrity as an example. Such acquisitions provide challenges. Federated identity management helps companies merge their work forces.
Secure Web Services
As organizations allow associates into their information systems at the supply and demand side of their food chains, the need for secure identity management emerges. If you want to ensure trusted communities, federated identities provide the most efficient way to do so. Today's identity management solutions support broad security infrastructure initiatives.
Consumers worry about personal information getting into others' hands. Purveyors of Web services have problems similar to credit card companies: they simply know too much about us. As a result, they tend to sell information or tailor product offerings that tempt us to buy things we don't need.
Hopefully regulations will emerge to stop the sharing of consumer information within and among businesses. We'll need identity management systems that help ensure others won't be allowed to look too deeply into our personal lives. Expect legislation to emerge that will help control outside access to our identities while allowing us ease of navigation.
About two years ago, I read an article by Doc Searls discussing a new kind of Web technology called blogs. I went on-line and started looking around at his examples and shrugged. Within a couple of weeks, I purchased some blog software and added it to several Web sites I manage. At the time, I had no idea how quickly the blogosphere would take off.
I have similar thoughts about federated identity management. Although a great deal of activity in this market takes place under the radar of journalists, don't be fooled by their current lack of coverage. Journalists tend to flock to the same stories.
Journalists who ignored Doc Searls' assertions about blogs now use them extensively. I also expect the crowd to begin reporting soon on FIM. Hopefully, you'll be ahead of them.