Basic access to applications and data over the Internet has existed for a number of years; however, the ability for users to easily and securely access services from multiple security domains within an enterprise, or from multiple companies, has undoubtedly remained a challenge.
Indeed, optimising the coordination of business with trading partners has long been a dilemma faced by both local and global companies.
However, in light of the growing maturity of the Internet and of Internet-compliant technology and standards, companies can now overcome their coordination challenges and realise mass integration between trading partners in an affordable and effective manner.
And without sounding too optimistic, mass integration can ultimately enable companies to reduce costs, create revenue opportunities and provide greater convenience and choice for their users.
The ubiquitous network (the Internet) and high-scale transactional applications already exist. Therefore, they can and should be further leveraged to drive cost and time out of doing business. Federation standards and the security systems that implement them were invented explicitly for this purpose.
Securing federation
The reality is that none of the abovementioned gains will be realised if information exchange is not conducted in a secure manner. For example, a government agency could risk damage through a leak of a citizen's private information. A financial institution might incur financial penalties and brand degradation due to an unauthorised trade or withdrawal.
Like most IT efforts, federation needs to have security as a front-of-mind item. Ultimately, a balance must be found between letting business in and keeping risk out.
In a federation scenario, a key way to address these security challenges is to integrate partnering companies' security systems so that user, security and entitlement information can be shared in a defined and controlled way between partners in a trusted business relationship.
Integrating applications across independent security domains is defined broadly as "federation". And the sharing of these digital identities to enable federation is defined as "identity federation".
Considering key business issues
While identity federation holds an almost idyllic promise, the reality is that industry standards and specifications, such as SAML, Liberty Alliance and others, can only go so far in resolving issues that are inherent when two or more organisations attempt to integrate their systems and business processes.
And yes, these standards go a long way towards making security infrastructure work together, but ultimately they will not resolve business issues that are inherent in federation.
Early federation adopters will need to resolve the following issues and probably others:
* Legal and contractual issues around trust - since federation implies that one party depends on the security systems and practices of another party, any enabling contract needs to define what is required, what is expected and how liability is dealt with.
* What happens when things go wrong, and who does the user call - if users cannot get what they need for whatever reason, there needs to be a call centre or helpdesk that is equipped to help them and a process for managing customer issues that might originate with the federation partner.
* What government regulations may apply? How can the partners ensure that they are complying?
* Who pays for the federation - given that by definition federated applications are shared and both sides often gain some benefit, it is not unreasonable to expect that both sides might need to pay for the federation to occur.
* Privacy policy compliance
* Rights to audit federation partner - given that one half of the security system of the solution is housed at a business partner, getting access to their audit data (assuming they have it) is something that would have to be negotiated up front.
Undoubtedly, federation can work, but in order to realise its full potential companies must consider the above. Indeed, going into a federation project without addressing the business issues is a recipe for disaster.
The best advice is to pick your best, most motivated partner first. Get all aspects of your federation, both business and technical issues, right with them and then expand to more partners as time, demand and resources allow.

