In Depth

The Truth About Federated Identity Management

When it comes to setting up federated identity management, the security benefits (and potential drawbacks) are not what you might expect

By Sarah D. Scalet


"It's clear when we look at our business demands that federation might provide value," says Chris Gervais, a senior research analyst at Partners HealthCare in Boston, which is evaluating the technology. "But then we have to find someone else to federate with. It's like the problem with the original telephone. It doesn't matter if you have a telephone. It only matters if someone you want to call has a telephone."

What Federated Identity Is All About

Federated identity management isn't a security project, per se. But because federated identity management is all about access, it presents a huge opportunity for security leaders. "It's an enabling technology as opposed to a preventative one, like firewalls," says Bryan Palma, founder of consultancy Ponica (and former CISO of PepsiCo). Because identity management is about letting the right people in, rather than keeping the wrong ones out, Palma says, "it's a place where CISOs can positively impact the business." That's the payoff that CSOs should keep in mind as they sort through the attendant challenges.

Federated identity management requires a complex set of technologies and business processes, but the goal behind it is simple: to automatically share identity information across administrative boundaries. For CSOonline's look at the basics of identity management, see "Identity Management in the Real World" (http://www.csoonline.com/read/110104/idmgmt.html).

Those boundaries can be between service providers and their customers, as the Aramark scenario demonstrates. One classic example is American Express, whose corporate customers can allow their employees to access travel and expense-management services without an additional log-in.

The boundaries can also be between manufacturers and their customers. Boeing, for instance, has joined with—or "federated" with—airline customers. Mechanics at, say, Northwest, can seamlessly access the most up-to-date maintenance manuals stored on Boeing's servers.

A third kind of boundary is between a company and its outsourcers. One of the earliest instances of this type of federation was at Fifth Third Bank in Cincinnati, which decided to outsource some HR functions but still wanted employees to have easy access to benefits information.

Finally, federation can even connect organizations to themselves. The University of Texas system is in the midst of a large federated identity management project that will link administrative functions at all its far-flung campuses.

From the end-user perspective, all of this amounts to Web-based single sign-on. The user doesn't have to introduce himself to another computer network; his computer (with the help of the enterprise) introduces him to another computer network, by sharing a set of credentials in an agreed-upon format. It's authentication, automated.
