In Depth
The Truth About Federated Identity Management
When it comes to setting up federated identity management, the security benefits (and potential drawbacks) are not what you might expect
By Sarah D. Scalet
"It's improving security by not exchanging more information than is truly necessary," Goodman says. What's more, the setup makes it easier to audit who has access to what, because all that information is stored in a central place.
Of course, single sign-on can also, in effect, give freer rein to anyone who manages to compromise the network. That's no small concern, given how damaging insider attacks can be. But this is part of the security trade-off that CSOs will need to help evaluate: Are the security problems that federation solves bigger than the ones it may introduce?
More than anything, federated identity management is about relationships, which always involve weighing risks. "You have to assume that you can tolerate the risk of building that relationship with a third party," says Gee, the consultant. "In a sense, there could be no security benefits, but you're building a business relationship that makes sense for your business."
Building trust, not technology, is often the hardest part of any implementation. Even within one university, Goldsmith has found this to be a challenge. "All the institutions have their own personalities, and now we're trying to have the institutions trust each other," he says. "It's Institution A saying, 'I have a relationship with Institution B, and I will trust them.' As we go forward, that's the only way it's going to work."
A Case for the Business
In August of this year, Craig Burma, principal and director of the Milliman Benefit Resource Center, was putting the finishing touches on a new federation project. Burma says he vividly recalls the project's beginning: the day that one of Milliman's biggest clients—a top 10 brokerage firm—asked him to provide seamless access to Milliman's pension services for the brokerage's customers.
No wonder the memory is so vivid: That day was only 60 days earlier.
"I'm probably a little giddy right now because we're at the end of it," says Burma, whose company, among other things, provides outsourced pension administration services that are resold by financial services companies. "It's been a long haul."
The brokerage called Milliman and said it was trying to close a deal with a new account. The brokerage would be managing its new customer's employee retirement plans. But the potential customer wanted its employees to be able to access pension information—which the brokerage had outsourced to Milliman—without needing another password. To do this, Milliman would have to set up a federation that took the identity information that the employees provided to the brokerage, and then use that information to pass on pension information.



