The Best ID Plan? Wait and See

ID management fracas forces IT to move slowly.

There's no arguing that without identity management, Web services will not reach its full, formidable potential, which research group International Data Corp. predicts could be an industry worth $21 billion by 2007. Enterprises that are serious about identity management are already examining the issues they'll need to address to successfully roll out an identity management framework. (See eWEEK Labs' March 3 report on identity management at

The Business Behind Identity

The Liberty Alliance Project's Business Guidelines document highlights four major business requirements to consider in the deployment of wide-scale identity federation. They are:

  • Mutual confidence: The processes and tasks business partners must undertake to set minimum quality requirements, certify the other party has met those requirements and manage the risk of exposure
  • Risk management: The best practices and procedures business partners must identify to guard themselves from risks, including losses due to identity fraud due to the exposure of identity information and insecure processes or data
  • Liability assessment: The process for determining in a networked environment what parties will bear which losses under what circumstances and how to resolve disputes
  • Compliance: The alignment with agreed-upon standards, policies and procedures and how that compliance is governed, including compliance with local privacy requirements

More information can be found at

Source: The Liberty Alliance Project

The Burton Group Catalyst Conference, held recently in San Francisco, showed that the major players in the ID management arena are still far enough apart to warrant that IT managers proceed with caution in plotting courses toward managing identity.

Two competing announcements held center stage at the conference. In the first, Microsoft Corp. and IBM unveiled Web Services-Federation, the fifth of seven specifications designed to help enterprises secure Web services. The specification uses XML to describe how disparate applications will share user and machine identities spread across multiple corporations.

Not to be outdone, the Liberty Alliance Project released Liberty Alliance Business Guidelines, which outline business requirements needed for wide-scale deployment of federated network identity (see chart). It was the first of three documents the Liberty Alliance plans to release.

The Liberty Alliance has made impressive headway during the last year in winning the hearts and minds of corporate IT. In the first 100 days of its availability, there were 1,000 downloads of SourceID Java, an open-source Java tool kit enabling Liberty Alliance (Phase 1) identity federation and federated single sign-on, said Eric Norlin, an editor of the Liberty Alliance Business Guidelines and director of communications at Denver-based Ping Identity Corp., a Liberty Alliance member.

More than 70 percent of those who downloaded the guidelines were not affiliated with the Liberty Alliance, Norlin said.

The Liberty Alliance has gained traction (including a membership of more than 170 corporations) since its inception, but eWEEK Labs recommends that enterprises examine the road maps presented by both the Liberty Alliance and IBM-Microsoft before committing to either. Prudently, many companies are deploying pilots of both frameworks.

At the Catalyst Conference, analysts including Jamie Lewis, CEO and research chair of The Burton Group, said the need exists for a single identity framework. And representatives from both groups said they are open to working with one another to make it a reality. (However, both groups continue to take potshots at their rival's camp.)

In fact, Arvind Krishna, vice president of security products for IBM's Tivoli unit, told eWEEK Labs that IBM and Microsoft would have to compromise at some point to completely fill technical gaps in the identity management space.

The Liberty Alliance's Norlin said he believes a convergence will occur. Although his group had not examined the WS-Federation specification by press time, he said the specification might be the first step toward a single identity management framework.

We recommend that, in the next few months, IT managers carefully examine trial deployments of both frameworks to determine which one best fits their goals and security architecture. IT managers will want to consider the business issues brought up by the Liberty Alliance document, regardless of whether they plan to deploy the Liberty Alliance framework. These issues aren't just process-related or technical but are also tied to business processes including legal considerations and geography. The European Union, for example, handles privacy differently from Japan.

Whether this year's conference announcements were the first step toward convergence is a question that might not be answered until next year's conference.

Senior Writer Anne Chen can be reached at anne_chen@