The Truth About Federated Identity Management
When it comes to setting up federated identity management, the security benefits (and potential drawbacks) are not what you might expect
October 01, 2006 — CSO —
Aramark, the $11 billion food-service company, would seem an ideal candidate to trailblaze federated identity management—a process that allows business partners to automatically access each other's computer systems—without requiring multiple layers of passwords.
Aramark has the right kinds of clients: universities and Fortune 500 corporations with multimillion-dollar annual catering accounts (and big IT budgets). It has the right kind of e-commerce business model: Every week, employees from 250 companies at 425 locations log on to Aramark's proprietary Web-based software, MyAssistant.com, where they order everything from sandwiches and brownies to conference rooms and microphones. And Aramark has the technical know-how: It has actually already implemented the technology, using a tool from Ping Identity. This year, at one customer's request, Aramark began allowing 4,500 of the customer's employees to log on to MyAssistant simply by being logged on to their own company's network.
So why haven't Aramark's other business partners signed up?
Turns out that Aramark, which can make such a strong business and security case for federated identity management, also provides a good demonstration of how few companies are actually ready to forge such close ties—and take such a bold security step—with their business partners.
On the positive side of the ledger, "It takes the onus of security away from us and puts it on the client organization, where it belongs," says Steve Erickson, VP of IT for business services at Aramark (which recently agreed to be acquired by a group of private-equity investors who include the company's CEO), about Aramark's implementation of the technology. "They're the ones who know when an employee leaves their organization. That inherently makes our application more secure, because we can trust the fact that, in the case of this one client, anyone coming into our application is coming in through their network."
However, Erickson also notes, "We've made it known to new customers that we have the capability; everybody's heads nod up and down, but the difficulty lies in taking it to the next step. We've only been in serious discussions about it with three different organizations in the past year. That just makes me think it's a relatively immature market."
Maybe, but it just as well could mean that for all the potential benefits of federated identity management, it may never take off beyond a few niche applications. Indeed, companies are wise to be cautious before jumping onto the federated identity management bandwagon. History is littered with supposedly revolutionary communication methods that sputtered and failed from too few adopters—picture telegraphy, the 1964 World's Fair Picturephone, the satellite telephone. It's anything but certain that federation will ever reach a critical mass, where enough people have it that everyone wants it.