The road to identity management: How to know who's who and what's what

Providing secure, efficient and controlled access to information is critical. Companies must be structured so the right people have easy access to the information required to make smart business decisions.

Corporate executives also must track and control who has access to what information in order to comply with demanding regulations like the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act. Added to these security pressures is the fact that businesses are being required to do more with less to remain competitive while also ensuring high-quality customer service.

To address these challenges, executives are turning to identity management as a method for minimizing security risks, controlling costs and maintaining service levels while also sharing information with employees, customers and partners across the virtual enterprise.

As identity management increases its critical role within organizations, two emerging concepts are approaching their respective tipping points -- federated identity and radio frequency identification (RFID).

Federated Identity: Who Is It?

Federated identity helps businesses establish a virtual network, or "circle of trust," through authentication (of an identity) and single sign-on across domains. The vision is that users and their identities are grouped and trusted across many boundaries such as those with partners, customers and third-party contractors.

Companies are looking at federated identity as a way to deploy new services for their customers quickly, easily and at a lower cost. For example, a mobile telecommunications company can offer its subscribers news, messaging, ring tones and games from multiple third-party providers. Federated identity authenticates and authorizes access to levels of content based on a subscriber's service contract. The potential results are new revenue opportunities and increased customer loyalty.

Deploying federated identity requires coordinated planning and execution to get the various identity management applications to exchange information correctly. As a result, federated identity faces several hurdles before it becomes widely deployed.

The technology is available to make federated identity a reality, but quite often the business policies to support it are not in place within an organization. The goal is for one company to be able to understand and trust information from another company, regardless of their identity management applications.

For example, a wireless service provider can share federated identity information with retail vendors, such as Starbucks, so that as a user travels on business, he can be alerted to nearby store locations through a cell phone. Another example is a health care network using federated identities across multiple companies, which includes the passing of private data.

These two examples have very different levels of security associated with them and therefore very different transaction values. Companies must determine cross-business agreements and policies that will provide true business value and securely allow federated identity to unfold.

One promising solution is the creation of federated identity standards, such as those from the Liberty Alliance, which make it possible for a user to log on through an identity provider, be authenticated and access resources that stretch beyond the operating environment. The Liberty Alliance is helping to facilitate the adoption of federated identity by bringing these issues out among a broad array of companies and driving business guidelines. For example, 401(k) and vertical industry guidelines are published by Liberty to provide a foundation from which corporations can build. As companies build open IT architectures and adopt federated standards, they will be able to use these standards to expand their virtual enterprise with partners and customers.

A year ago there were three competing federated identity specifications: Liberty ID-FF 1.1, Security Assertion Markup Language (SAML) 1.0, and WS-Federation. Having multiple specifications has prevented companies from deploying federated identity as they wait to see which would gain the most industry support. As with all new technology, companies want to protect their investment and hopefully ensure their interoperability with the emerging federated identity standard.

Recently, Liberty contributed its federated identity specification to SAML so that going forward, Liberty will leverage the SAML 2.0 specification for federated identity. The remaining convergence between SAML and WS-Federation is a critical milestone to enable federated identity deployments.

As these specifications continue to converge, and as companies create their business guidelines for federated identity, we will see more deployments and start to realize the business value. With discussions around huge scale, multiple-service federated identity deployments, our current expectations are exaggerated -- we simply are not that far along.

Remember when banks first started using ATMs? ATMs started by allowing access to accounts from any branch of one bank. Then various banking networks developed, and now almost all banks are linked to a global ATM network, enabling you to withdraw money at almost any ATM worldwide.

This one-step-at-a-time approach should be adopted by companies in deploying federation. The bottom line, however, is that companies should start now. For example, begin by rolling out a pilot project with an internal application of federated identity and take some small steps now in order to realize the future benefits.

RFID: What Is It?

In addition to controlling the "who" of identity, companies will increasingly want to control the "what." We call this managing the "identity of things." RFID is a technology for identifying assets and enabling computer systems to identify objects and their attributes. For instance, this technology allows retailers and manufacturers to track products as they travel from the factory to store shelves -- in essence giving each product an identity that can be tracked.

The results are increased security, accountability and the ability to fulfill orders in real time. In more tangible terms, RFID lowers the cost of inventory tracking significantly. Instead of manually scanning a package, imagine if a company could obtain important information, such as product contents, destination and arrival dates, automatically and also reduce the potential for user error -- without much incremental cost.

Due to policies put in place by the U.S. Department of Defense, Wal-Mart Stores Inc. and other companies, which demand that major suppliers place RFID tags on cases and pallets of goods, spending for this emerging technology area is set to explode in the next few years. Wall Street research firm Robert W. Baird & Co. predicts growth from $1 billion this year to $4.6 billion in 2007. This presents a fantastic opportunity for those who want to sell to these organizations, but it also presents several challenges for IT managers.

Some of the main challenges surrounding RFID deployment are compliance, information management, security and cost.


Compliance

The majority of companies under compliance requirements are operating in a "slap and ship" mode by tagging cases or pallets of products to meet deadlines but without considering the long-term benefits of RFID. IT managers need to determine how their current supply chain process should be modified to incorporate RFID technology. But where do they begin?

One way for a company to evaluate RFID technology and to ensure that it will meet compliance requirements is through RFID test centers. With high RFID project failure rates (according to Gartner Inc.), testing and piloting RFID outside of the enterprise is a sensible first step. RFID test centers allow IT managers to learn from experts what they need to do in order to meet compliance demands and run trial-and-error tests before investing in and implementing RFID solutions in their native environments. Tests such as proper tag placement can be critical for ensuring the accuracy and consistency of read rates in addition to making it easier for consumers to remove tags, alleviating personal security concerns.

In addition, IT managers and test center experts can develop long-term RFID strategies that best fit with a company's business objectives. For example, The Goodyear Tire & Rubber Co. worked at Sun Microsystems Inc.'s RFID Test Center in Texas to tag its tires and is now planning to use RFID for its future "Tire IQ" system, an RFID-based tire-pressure sensor monitoring system.

Information Management

Information management is another challenge since companies need to make sense of all of the data generated by RFID. Not surprisingly, the solution is software. RFID middleware captures, interprets and integrates RFID-generated data into back-end systems like ERP or supply chain software to make real-time inventory adjustments, trigger purchasing decisions or identify counterfeit products, theft or fraud.


Cost

The bottom-line consideration for RFID is, of course, the bottom line. The cost of RFID tags will vary for each company, depending on the amount purchased. RFID tags have the potential to be a significant line item for major consumer goods companies that ship millions of cases and pallets each year. So, while the evidence is mounting for RFID's value, smart companies considering a move to RFID should make sure there is a payoff that aligns with their long-term business objectives.


In the not-too-distant future, we can use identity management combined with RFID technology to help track products outside of the warehouse, potentially reducing theft and counterfeiting and even tracking corporate assets.

For example, when an employee leaves an organization, he must be deprovisioned from all the systems he had access to. By using identity management, an organization can easily determine which systems the ex-employee had access to and remove access to those accounts. Using RFID combined with identity management, the organization would be able to track assets such as laptops, cell phones, or even company cars to ensure that they are returned. Of course, this is a vision into the future and only one possible scenario for how RFID technology could be combined with identity management.

Already, various forms of identity management are becoming a way of life. Increased usage of federated identity and identity management services is opening the doors of e-commerce to a broader range of sectors that previously were not engaged due to security concerns. Some governments are even considering embedding RFID tags into their currency to combat counterfeiting.

It's clear that federated identity and RFID will be important parts of identity management in the future and, as the enterprise continues to extend its reach beyond the "four walls," identity-enabled technology will be on CIOs' radar for years to come.

Sara Gates is vice president of identity management at Sun Microsystems Inc., one of the founders of the Liberty Alliance.

Copyright © 2005 IDG Communications, Inc.
