Cheat Sheet: Federated identity

All together now...

What on earth is federated identity?
In the most basic 'in a nutshell' terms, it is an agreed standard for sharing identity with multiple parties with multiple privileges.

Oh right, that's cleared things up...
OK, so you're not impressed, I can tell. Think of it this way: a company may have business relationships with 1,000 different people or companies - partners, suppliers, staff, contractors and customers - who in turn have their own relationships with one another. Many of them need to share information and transact yet they all have different ways of authenticating with that company and one another - creating layers of complexity when handling multiple relationships.

For instance, if you buy your travel insurance online from a company who has a relationship with the website you've booked with and the airline you're flying with, why not have one method of authenticating your ID with all three, if you trust one of them to share that system with an agreed list of partners. It makes life easier for you and for them. If you like you're picking somebody to vouch for you.

Putting aside any issues you may have about security, think of the ease of using an ATM. That is a snapshot of how federated identity can work, though the systems will inevitably evolve. You have your card and your PIN number and you can access your money from any ATM. If you're a Lloyds customers you use the same form of authentication at ABN-AMRO, Citibank or NatWest machines, home or abroad, which all banks recognise - but it is the integrity of Lloyds' original record of you which is vouching for you - via MasterCard or Visa. In terms of card payments it also gets around the need to have different forms of authentication in every different shop or at every different ATM.

Businesses are now seeking out this ease of transaction.

I think I'm there...
But I'm not done with examples. What about this: in authentication terms it's the equivalent of doing business with people who all speak the same language, as opposed to doing business with people who speak 20 different languages and need 20 different interpreters.

So it's kind of the Babelfish of the ID world?
Let's not go too far down that route.

OK. Well I'm with you so far, enough of the examples...
Excellent. So, ditching the similes, if that central company, let's say the travel website, was to 'federate' everybody's identity - by which I mean unify them along agreed and standardised lines - then, for all involved in that complex web of relationships, issues of identity and access management become far more streamlined. Permissions are then tailored to the identity, so the customer may be able to access the system to review their account while a partner company may be able to get in and make amendments to orders, yet the authentication and process is the same.

So what does this actually mean for accessing a system? We ditch our passwords?
The concept of federation is essentially ID-agnostic. Whether it's old-school passwords, which in this day and age have become mistrusted, or some other form of identification - such as token-based solutions and devices, offered by the likes of RSA, or single-use passwords - the key is uniformity and standardisation.

Not sure I'll understand the answer but what are these 'standards'?
Well this is one of the big stumbling blocks here. As with any tech-based solution, the word 'standards' is something of a misnomer.

The fact that 'standards' is plural gives us a clue that the process isn't going to be headache-free along the way. The problem of course is that there is money to be made here so different bodies and vendors will always promote their approach as the best way to go. However, the Liberty Alliance and SAML are two common standards being talked about, and increasingly they are able to talk to one another.

But, as Andrew Lloyd, VP security at Computer Associates (CA), acknowledges: "Picking a standard is all well and good within the four walls of your organisation but if you don't pick the one your partners or suppliers are using then it won't work. So companies will find they have to do everything."

So when will the technology be sorted out?
It's not so much a question of the technology actually. In many respects the technology is not the issue here. With proper planning and integration the issue of multiple standards can be overcome in a federated approach.

So what is the problem?
You assume there is one. And you'd be right. The problem is a cultural one - who do you trust and what data do you want to share? More thought needs to be given to contracts and legal agreements than to the technology.

So not everybody is going to be up for this?
That's a good question. Standardisation and unity to some are synonymous with insecurity. Even if the fears are ill-founded there are going to be companies who want to keep their identity and access management close to their chest. However, there is major buy-in. Take the example of automotive trading hub Covisint which has relationships with the likes of Daimler Chrysler and Ford.

David Miller, Covisint's information security officer, said the e-hub federates 70,000 IDs for Daimler-Chrysler and 56,000 for Ford. Within that there is a 60 per cent crossover as both companies have partners and suppliers in common.

So what should companies be doing now?
Treading carefully. Roll this out in stages tends to be the advice. First of all, work with your own staff. Then work with your closest and most trusted partners, and make sure you scrutinise your contracts at every step of the way to establish clear liability and responsibility. Remember, you're only as strong as your weakest link so be sure you trust everybody involved in your implementation.

And don't be afraid to admit it isn't for you. If there is no clear business case then it's not worth considering, advises CA's Lloyd: "If this is not adding revenue, helping to hit compliance targets or improving privacy then you shouldn't do it."

Editor's Picks