ID Specs and Reality Checks for OASIS

News Analysis: Conference highlights varied needs for reliable ID systems technology.

IBM and Microsoft Corp., along with a small fleet of partners, will submit in September three new security specifications to OASIS: WS-SecurityPolicy, WS-SecureConversation and WS-Trust.

The submission of these specifications continues a tradition, started in 2002, where IBM and Microsoft first announce the evolution of their Web services security work at Burton Groups Catalyst Conference North America, held in July.

The three specifications submitted to the Organization for the Advancement of Structured Information Standards, or OASIS, further define the process of working with security tokens, brokering trust relationships, securing messaging, establishing security context and defining security policy assertions—basically, how Web services can establish a trusted relationship and then carry out reliable communication inside the trust domain.

The announcements at the conference came at the same time that attendees were voicing concerns about identity management. Many attendees raised the issue that the growth of SOA (service-oriented architecture) will depend on the reliability of user identity.

/zimages/4/28571.gifClick here to read about OASIS SOA committee.

Jamie Lewis, CEO and research chair at Burton Group, used the term "user-centrism" to describe how people manage—in a much more proactive way—their online life, identity, interaction with one another and the companies with which they do business. In large part, said Lewis, user-centrism depends on securing data in transit and transactions at the point of execution so that business conducted in the ether has the same credibility as face-to-face transactions.

Security concerns expressed at the Catalyst Conference were clearly motivated by fast-maturing privacy and audit legislation, including HIPAA (Health Insurance Portability and Accountability Act), the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act.

"You look at the newspaper and see the breaches at ChoicePoint [Inc.] and CardSystems [Inc.], you see the severe impact of phishing on e-mail, and its clear that we are reaching a critical mass," said Lewis.

/zimages/4/28571.gifRead more here about the respone of credit card vendors to the data breach at CardSystems.

Many of the trends that eWEEK Labs has seen in new and updated identity systems focus on remedying fundamental problems, including establishing unique identity. Indeed, in case after case presented at the conference, senior executives outlined how theyve used technology to establish a single unique identifier for each employee of their companies.

Establishing unique identity may remind some IT managers of horrific PKI (public-key infrastructure) projects of the late 1990s—projects that often generated more implementation problems and costs than productivity gains.

This comparison likely doesnt hold true in todays IT environment, however. For one thing, metadirectory and newly emerging virtual directory technologies obviate the need for the rip-and-replace implementation methods that PKI so often required. Instead of changing directories, databases and built-in application user identity systems, its now feasible to simply integrate with the authoritative identity sources and use a security-oriented identity management system.

As well as solving the identity management problem inside the enterprise, IT managers will need to implement account provisioning for users coming in from the Internet. "If we dont fix these problems, we are going to have some severe entropic effects," said Lewis. "The systems of the Internet have enormous potential to build virtual places, but people may be too scared to visit these virtual places."

While vendors and senior executives interest in identity management is being driven in large part by regulatory mandates, savvy IT managers should use this interest to launch projects that also improve business efficiency and security. The Catalyst Conference was chock-full of suggestions on how to do this. More information is at

Technical Director Cameron Sturdevant can be reached at

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.