ID Specs and Reality Checks for OASIS

 
 
By Cameron Sturdevant  |  Posted 2005-08-29 Print this article Print
 
 
 
 
 
 
 

News Analysis: Conference highlights varied needs for reliable ID systems technology.

IBM and Microsoft Corp., along with a small fleet of partners, will submit in September three new security specifications to OASIS: WS-SecurityPolicy, WS-SecureConversation and WS-Trust.

The submission of these specifications continues a tradition, started in 2002, where IBM and Microsoft first announce the evolution of their Web services security work at Burton Groups Catalyst Conference North America, held in July.

The three specifications submitted to the Organization for the Advancement of Structured Information Standards, or OASIS, further define the process of working with security tokens, brokering trust relationships, securing messaging, establishing security context and defining security policy assertions—basically, how Web services can establish a trusted relationship and then carry out reliable communication inside the trust domain.

The announcements at the conference came at the same time that attendees were voicing concerns about identity management. Many attendees raised the issue that the growth of SOA (service-oriented architecture) will depend on the reliability of user identity.

Click here to read about OASIS SOA committee. Jamie Lewis, CEO and research chair at Burton Group, used the term "user-centrism" to describe how people manage—in a much more proactive way—their online life, identity, interaction with one another and the companies with which they do business. In large part, said Lewis, user-centrism depends on securing data in transit and transactions at the point of execution so that business conducted in the ether has the same credibility as face-to-face transactions.

Security concerns expressed at the Catalyst Conference were clearly motivated by fast-maturing privacy and audit legislation, including HIPAA (Health Insurance Portability and Accountability Act), the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act.

"You look at the newspaper and see the breaches at ChoicePoint [Inc.] and CardSystems [Inc.], you see the severe impact of phishing on e-mail, and its clear that we are reaching a critical mass," said Lewis.

Read more here about the respone of credit card vendors to the data breach at CardSystems. Many of the trends that eWEEK Labs has seen in new and updated identity systems focus on remedying fundamental problems, including establishing unique identity. Indeed, in case after case presented at the conference, senior executives outlined how theyve used technology to establish a single unique identifier for each employee of their companies.

Establishing unique identity may remind some IT managers of horrific PKI (public-key infrastructure) projects of the late 1990s—projects that often generated more implementation problems and costs than productivity gains.

This comparison likely doesnt hold true in todays IT environment, however. For one thing, metadirectory and newly emerging virtual directory technologies obviate the need for the rip-and-replace implementation methods that PKI so often required. Instead of changing directories, databases and built-in application user identity systems, its now feasible to simply integrate with the authoritative identity sources and use a security-oriented identity management system.

As well as solving the identity management problem inside the enterprise, IT managers will need to implement account provisioning for users coming in from the Internet. "If we dont fix these problems, we are going to have some severe entropic effects," said Lewis. "The systems of the Internet have enormous potential to build virtual places, but people may be too scared to visit these virtual places."

While vendors and senior executives interest in identity management is being driven in large part by regulatory mandates, savvy IT managers should use this interest to launch projects that also improve business efficiency and security. The Catalyst Conference was chock-full of suggestions on how to do this. More information is at www.catalyst-conference.com.

Technical Director Cameron Sturdevant can be reached at cameron_sturdevant@ziffdavis.com.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
 
 
 
 
Cameron Sturdevant Cameron Sturdevant is the executive editor of Enterprise Networking Planet. Prior to ENP, Cameron was technical analyst at PCWeek Labs, starting in 1997. Cameron finished up as the eWEEK Labs Technical Director in 2012. Before his extensive labs tenure Cameron paid his IT dues working in technical support and sales engineering at a software publishing firm . Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his analysis is grounded in real-world concern. Follow Cameron on Twitter at csturdevant, or reach him by email at cameron.sturdevant@quinstreet.com.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel