Averting Web Identity Crisis
In Craig Goren's book, the customer is king. That's one reason the president and chief technology officer of Centerpost Inc., in Chicago, said his company will support any identity management system customers want to use, even if that means his staff must integrate with and manage multiple Web-based frameworks. Got an ID and a password from Microsoft Corp.'s Passport? No biggie. How about one from America Online Inc.? Not a problem at Centerpost, which provides a Web-based service that allows clients such as UAL Corp. to communicate with customers via voice and data on wired and wireless hardware.
"The Holy Grail has long been the concept of single sign-on," Goren said. "But it's easy for technologists to forget that the whole point of single sign-on is to make it easy on the end user."
Making life easier for customers may be the principal reason IT leaders such as Goren are increasingly jumping on board with single-sign-on and digital identity management products such as Passport. But it's not the only reason. As enterprises begin to launch online applications as Web services, they're realizing it's critical to have an integrated repository of information that can tell them whom they're doing business with. Not only can that information improve security by keeping bad guys out, but it can also help enterprises customize online services based on a user's online history and stated preferences.
But there's a catch. Because high-profile, consumer-oriented single-sign-on frameworks such as Passport and AOL's ScreenName service don't yet interoperate, and because others such as the Sun Microsystems Inc.-led Liberty Alliance are just beginning to roll out, enterprises interested in taking advantage of single sign-on for the Web today must make a decision: either bide their time and wait for authentication services to become interoperable with accepted standards and a loosely coupled federation of trust (something IT managers predict could take 18 months or more); cobble together a federated single-sign-on capability using open standards such as SAML (Security Assertion Markup Language) on their own; or, like Centerpost, support any and all approaches.
Even if you decide you can wait, experts advise that now is the time to start developing an identity management architecture and strategy so you'll be ready to act once single-sign-on frameworks such as Liberty mature. That means deploying user authentication software internally, consolidating directory services, and creating delegated administration and self-service processes.
"Get your house in order first, no matter what strategy you decide on," said Dan Blum, an analyst at The Burton Group Corp., in Midvale, Utah. "You need to crawl before you can walk. Once you can manage your own identities, you'll be much more effective at projecting that information to the rest of the e-business world."
In fact, it's inside the enterprise where the real payoff from identity management and single sign-on will first be seen. In a recent survey conducted by Meta Group Inc., of Stamford, Conn., IT managers said consolidating stores of internal employee and external customer ID information would enhance productivity by 24 percent and efficiency by 25 percent. Single sign-on would also decrease help desk calls by 33 percent, managers said.
A number of vendors offer software products that enable enterprises to get a start on deploying their own single-sign-on capabilities in support of Web-based applications. These products, which enterprises can use to manage the digital identities of employees, customers or suppliers, include Netegrity Inc.'s SiteMinder, RSA Security Inc.'s ClearTrust, Oblix Inc.'s NetPoint, Entrust Technologies Inc.'s GetAccess, OpenNetwork Technologies Inc.'s DirectorySmart and Symantec Corp.'s Webthority.
Even most enterprises that deploy their own nonfederated identity management systems will eventually want to tie in to one or more of the increasingly popular federated services from Microsoft, the Liberty Alliance and AOL. Microsoft's Passport (the authentication piece of the company's .Net My Services framework), with some 200 million accounts, is a single-sign-on service built on Kerberos 5.0 that provides identity management and authentication for Internet users. Liberty Alliance, which has more than 40 enterprise members, including Sony Corp., American Express Co. and Citigroup Inc., is expected to release a specification for an open, distributed, single-sign-on solution built on federation, meaning multiple Liberty systems could interoperate. In addition, AOL has its ScreenName service, focused on unifying identity and access across AOL Web sites.
While each of these systems is expected to share some underlying Web technologies, they won't interoperate for a while. Experts say which ID management framework or frameworks IT managers choose to support first will depend in large part on the technologies underlying their enterprise architectures.
Although there has been some movement toward interoperability among identity management frameworks, the big frameworks will probably remain separate for some time, experts say.
In December, AOL became a member of Liberty Alliance and announced that its 31 million subscribers would have user IDs and passwords compatible with any specification released by the organization. In response, Microsoft, which has yet to join Liberty Alliance, announced it will release next year the first stage of its next-generation Passport services, called TrustBridge. TrustBridge will allow customers with Windows .Net servers or other Kerberos-based systems to have federated single sign-on using Kerberos tunneled over Simple Object Access Protocol Web services.
"We're sort of moving toward this polycentric identity environment, where initially the services will not interoperate, but ultimately they'll be pressured to do so by large-enterprise customers who will not want to support too many mechanisms," The Burton Group's Blum said. "There needs to be a common denominator single-sign-on solution across federated business-to-business environments. There's a possibility they could all interoperate, but there's a whole lot of work to finish."
Above the Fray
In the meantime, a few companies such as Centerpost are working to support multiple authentication systems. Centerpost recently signed a deal with Microsoft that will allow its Passport users to opt in if they want to receive airline itinerary and other information in the form of .Net alerts over standard e-mail. The authentication is secured using the HTTP Secure, or HTTPS, standard, Goren said.
When specifications are released by Liberty Alliance, Goren said, his company will write APIs to integrate with it as well. The idea is to give all users single-sign-on ease of use, whether they have Passport or Liberty IDs.
"We need to support 100 percent of our users, whether they're aligned with AOL or Microsoft," Goren said. "Giving them a choice of authentication is what our customers are looking for. I'm not going to alienate an entire customer base because I want to take sides in a vendor political battle."
But corporations such as Centerpost that are willing to support all major single-sign-on systems are in the minority. At automobile industry e-marketplace Covisint LLC, in Southfield, Mich., Dave Miller, chief information security officer, doesn't have time to wait the year and a half he thinks it will take for interoperability among identity management systems. Nor does he want to manage multiple authentication systems.
Instead, Miller has chosen to deploy a federated single-sign-on system himself that allows employees from automobile manufacturers and suppliers to access Covisint's B2B portals. By building his system on emerging Web security standards, Miller said he hopes it will one day tie in to large single-sign-on services such as Passport.
To reduce the number of user names and passwords members must use to access disparate applications such as catalogs and auction sites housed by member suppliers and manufacturing heavyweights such as DaimlerChrysler AG, Ford Motor Co. and General Motors Corp., Miller has deployed RSA's ClearTrust 4.7 software. Covisint manages digital identities and provides single sign-on for users. Miller is also using the software as the basis of a federated single-sign-on system he is building.
"There are a lot of applications that OEMs and suppliers were not willing to give access to because they felt it was part of their competitive advantage," Miller said. "However, they still want the concept of the user being able to go to one spot and using only one ID and password to gain access to applications based on policies in a secure fashion. Our own federated model allows us to pass credentials from our site to participating sites, for example, between Ford and DaimlerChrysler."
Using ClearTrust and Oracle Corp.'s Oracle8i relational database on the back end, Miller built his single-sign-on system around the emerging SAML security standard. Using an open standard such as the XML-based SAML allows Miller to prepare for future interoperability among other Web sites or services such as Passport or Liberty that might one day support single sign-on using the same open standards.
"The industry is in the infancy of creating a standard that will do cross-domain authorization, but companies that have a need for this right now will develop their own solutions in the short term," Miller said. "Because I don't know which service will win yet, our plan is to move toward a standard implementation with a simple, straightforward way of passing credentials."
So far, Miller has deployed this federated single-sign-on system for Ford and is deploying it for DaimlerChrysler. Miller said this system enables administrators at the automobile manufacturers to easily close out user accounts that give access to Ford's applications, for example, as well as any Covisint applications when an employee leaves.
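The credential hand-off Miller describes, in which the Covisint site asserts who a user is and a participating site such as Ford's decides whether to trust that assertion, is what a SAML authentication assertion carries. The following is an added example, not Covisint's, RSA ClearTrust's or Oracle's code: an issuing site builds a SAML 1.x-style assertion (issuer, subject, audience restriction, validity window) and the receiving site checks the signature, issuer, audience and time window before accepting the subject. The element names follow the SAML 1.x assertion vocabulary, but the schema is simplified, and the HMAC over the assertion fields with a pre-shared key is a stand-in for XML Digital Signature. The site names, user name and key are constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed values for the demonstration (not real sites or secrets).
KEY = b"constructed-shared-secret"
ISSUER = "https://sso.covisint.example"          # the site asserting identity
AUDIENCE = "https://portal.ford.example"         # the site consuming the assertion
T0 = datetime(2002, 6, 1, 12, 0, 0, tzinfo=timezone.utc)


def _tag(name):
    return "{%s}%s" % (SAML_NS, name)


def _signing_input(issuer, subject, audience, not_before, not_on_or_after):
    # Every field the consumer relies on is bound by the signature, so a
    # receiver cannot be fooled by editing the subject or the audience.
    return "|".join((issuer, subject, audience, not_before, not_on_or_after)).encode()


def issue_assertion(key, issuer, subject, audience, issued_at, lifetime_seconds=300):
    """Issuer side: sign a short-lived assertion that `subject` authenticated here."""
    not_before = issued_at.isoformat()
    not_on_or_after = (issued_at + timedelta(seconds=lifetime_seconds)).isoformat()
    root = ET.Element(_tag("Assertion"), {"Issuer": issuer, "IssueInstant": not_before})
    cond = ET.SubElement(root, _tag("Conditions"),
                         {"NotBefore": not_before, "NotOnOrAfter": not_on_or_after})
    restr = ET.SubElement(cond, _tag("AudienceRestrictionCondition"))
    ET.SubElement(restr, _tag("Audience")).text = audience
    stmt = ET.SubElement(root, _tag("AuthenticationStatement"))
    subj = ET.SubElement(stmt, _tag("Subject"))
    ET.SubElement(subj, _tag("NameIdentifier")).text = subject
    mac = hmac.new(key, _signing_input(issuer, subject, audience, not_before, not_on_or_after),
                   hashlib.sha256)
    # Simplified stand-in for a ds:Signature element.
    ET.SubElement(root, _tag("Signature")).text = mac.hexdigest()
    return ET.tostring(root, encoding="unicode")


def check_assertion(key, xml_text, trusted_issuer, my_audience, now):
    """Consumer side: return (True, subject) or (False, reason for rejection)."""
    try:
        # For untrusted XML in production, parse with defusedxml instead.
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return (False, "malformed XML")
    if root.tag != _tag("Assertion"):
        return (False, "not an Assertion")
    cond = root.find(_tag("Conditions"))
    aud_el = root.find("./%s/%s/%s" % (_tag("Conditions"),
                                       _tag("AudienceRestrictionCondition"), _tag("Audience")))
    name_el = root.find("./%s/%s/%s" % (_tag("AuthenticationStatement"),
                                        _tag("Subject"), _tag("NameIdentifier")))
    sig_el = root.find(_tag("Signature"))
    if cond is None or aud_el is None or name_el is None or sig_el is None:
        return (False, "missing required element")
    issuer = root.get("Issuer", "")
    not_before = cond.get("NotBefore", "")
    not_on_or_after = cond.get("NotOnOrAfter", "")
    subject = name_el.text or ""
    audience = aud_el.text or ""
    # Verify integrity first; nothing below is trusted until the MAC matches.
    expected = hmac.new(key, _signing_input(issuer, subject, audience, not_before, not_on_or_after),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig_el.text or ""):
        return (False, "bad signature")
    if issuer != trusted_issuer:
        return (False, "untrusted issuer")
    if audience != my_audience:
        return (False, "assertion not addressed to this site")
    try:
        nb = datetime.fromisoformat(not_before)
        na = datetime.fromisoformat(not_on_or_after)
    except ValueError:
        return (False, "unparseable validity window")
    if not (nb <= now < na):
        return (False, "outside validity window")
    return (True, subject)


def demo():
    """Run the happy path and the rejections a consumer must enforce."""
    xml_a = issue_assertion(KEY, ISSUER, "jsmith", AUDIENCE, T0)
    soon = T0 + timedelta(seconds=60)
    late = T0 + timedelta(seconds=600)
    return [
        check_assertion(KEY, xml_a, ISSUER, AUDIENCE, soon),                   # accepted
        check_assertion(KEY, xml_a, ISSUER, AUDIENCE, late),                   # expired
        check_assertion(KEY, xml_a, ISSUER, "https://other.example", soon),    # wrong audience
        check_assertion(KEY, xml_a.replace("jsmith", "mallory"), ISSUER, AUDIENCE, soon),
        check_assertion(b"other-key", xml_a, ISSUER, AUDIENCE, soon),          # untrusted key
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The order of checks matters: the receiving site verifies the signature before it reads any other field, and it rejects an assertion that names a different audience even when the signature is valid, which is what keeps a credential passed to Ford's portal from being replayed against DaimlerChrysler's. The short validity window limits how long a captured assertion remains useful.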
Miller said the system has also proved successful in encouraging users to come up with secure password schemes. Miller requires that passwords be changed every 30 days and requires numerals and two uppercase letters in each one. He is now exploring the use of user-based certificates with passwords to further secure his authentication system.
While companies such as Covisint have a pressing need to deploy single sign-on, others such as CUNA Mutual Group, a subsidiary of Credit Union National Association Inc., in Madison, Wis., can afford to take a wait-and-see approach, holding off on building their own federated single-sign-on platform or signing on with Passport or another service until standards and interoperability develop.
But even at CUNA, Steve Devoti, manager of directory services, is planning a strategy for Web-based single sign-on by beginning to reduce the number of log-ins required of users. Devoti is doing that by reducing the number of directories he supports. While he currently manages 12 directories, he hopes to whittle that number down to three: one for employees, one for B2B partners and one for consumers. The reason? Devoti said the fewer applications users need to sign in to, the easier it will be to move to single sign-on and reduce management hassles.
Devoti has deployed Oblix's NetPoint access management software along with Microsoft's Active Directory to handle identity management and authentication. CUNA Mutual, which sells financial services products through credit unions, provides 50 Web-based applications to credit unions, allowing members to pay claims, check on the bond worthiness of an employee and access fraud protection programs. All the applications are protected by a home-grown system using Active Directory as the repository for the information, as well as the NetPoint product for single sign-on.
The Burton Group's Blum said companies such as CUNA Mutual that can afford to wait are smart to do so. He added that companies would also be wise to gradually replace legacy systems with new applications that use general-purpose sign-on mechanisms such as public-key infrastructure, SAML, Kerberos and Active Directory, instead of using a rip-and-replace strategy.
Devoti said he knows that in the future, credit unions may want to support authentications from Passport or from members of Liberty Alliance. That means they will ask him to accept the same user IDs and password combinations to provide seamless access to brokerage systems that CUNA hosts. This is the key reason he is developing his Web single-sign-on strategy with open standards such as SAML and XML in mind. Devoti also said he purchased the NetPoint access management product because of its ability to accept Passport authentications. The product provides CUNA with authentication modules for HTTP basic authentication using Secure Sockets Layer channel encryption, passwords through Web forms and database authentication.
"As an IT manager who needs to be forward-looking and try to predict what we'll need to do in the future, I know we will probably need to work with facilities from Liberty Alliance and Passport," Devoti said. "My hope is that open standards will be adopted for the communication of security assertions. As the world becomes more seamless, we can't afford to lose more control over what our customers are seeing or doing."