The REAL Challenge of Cross Domain IdM
Posted by Brian Milas - CTO on Thu, Feb 26, 2009
Government Computer News published an interesting article on cross domain identity management. The benefits of federated identity are clear, one identity, a single sign on experience, authorization decisions made at the service provider (relying party).
Products and technologies are available today that make these benefits possible. Legal and political challenges are often the more difficult part, in the article, Roger Sullivan states, "Working out the business procedures is 90 percent of the problem".
I'd love to have a single identity that transitions between our corporate servers, 401K provider, travel agent, expense tracking, healthcare, and other systems that we use. Ideally, I'd logon to my desktop and seamlessly transition between the systems.
Take the perspective of the 401K provider. They will require both technical and legal contracts with my employer to make this happen. Then to assure that they are properly managing and vetting identities, they may require periodic audit and monitoring, and they will want to minimize their exposure in the event of a breach. Now repeat this process to reach all the customers of the 401K provider.
Take the perspective of my employer, we'll want to do the same on our end, making sure that the 401K provider, travel agent, etc are properly controlling and managing access. Again, making sure that the company is protected, and the exposure and risk is minimized.
We'll need to deal with these issues soon. In Massachusetts, the upcoming Standards for the Protection of Personal information (MA 201 CMR 17.00) are going to require policies, processes, and systems to be put in place for both business and for services that are outsourced to vendors such as the 401K provider. These are proactive regulation intended to protect personal information (PI) about MA residents. The company will be required to review (and even amend) the legal contracts with vendors who manage or have access to MA PI.