An End to Multiple Identities?

CIOs are finding that people, processes and technology are key to improving identity management infrastructure.

February 2, 2007

Thomas Board can give a perfect example of why higher-education CIOs listed security and identity (ID) management as their No. 1 strategic concern in a 2006 Educause survey.

As director of information system architecture at Northwestern University in Evanston, Ill., Board worries about granting data access and issuing IDs to as many as 1,000 researchers from around the country working on grant-funded projects with Northwestern faculty.

"They are difficult to issue with a high level of trust," he said.

Northwestern is about one-third of the way through replacing its internally developed campuswide ID management infrastructure with Sun Microsystems' Identity Manager, Board said. The number of applications that required IDs and passwords grew faster than the university's IT department could keep up with. "We started out a long time ago providing access to modem pools and e-mail," he said. "Since then, the ID system we created has become the basis for access to all sorts of applications with varying levels of sensitivity, which forced us to look for a better service than we could create. We had to buy our way out of the problem."

To cope with outside researchers accessing its network, the university is now considering joining a higher-education "identity federation" called InCommon, in which institutions vouch for each other's users. Identity federation is broadly defined as agreements, standards and technologies that make identity portable across organizational boundaries. "With identity federation, a school like UC Berkeley would handle the vetting process of their researchers for us," Board said, "and eliminate that bureaucratic overhead and some degree of risk."

Sticky Situation
The evolution of distributed computing and the Internet has forced both public- and private-sector CIOs to focus more attention on ID management infrastructure issues. IT organizations are finding that partners, customers, employees and contractors all need access to their Web-enabled services, and CIOs are starting to recognize that they must be active participants in setting standards and working on interoperability issues.

The ID management software market is expected to grow to more than $8.5 billion by 2008, according to a 2005 study by the Radicati Group. In the private sector, regulatory requirements such as the Sarbanes-Oxley Act and Health Insurance Portability and Accountability Act (HIPAA) in health care are driving forces behind tighter controls and access to audit trails. Public-sector CIOs are grappling with disparate silos of identities across applications and agencies. The poster child for this problem is the employee's computer keyboard covered with four or five yellow sticky notes with passwords scribbled on them.

Governments must cross these boundaries both for internal government functions and to provide more services to constituents. Most agencies have taken the first steps toward unifying and strengthening their identity infrastructure. "CIOs everywhere are concerned about the cost and hassle of maintaining multiple identities," said Nalneesh Gaur, a principal with Diamond Management and Technology Consultants. In addition, a well-implemented ID management platform is a deterrent against identity theft, a concern for IT executives at all levels of government.

But beyond improving security, CIOs are starting to see potential efficiency gains. For instance, many organizations are moving to "single-sign-on" capability, so that once employees or constituents have logged into one application, they can move through other applications on the network without having to remember additional passwords or log on again. Applications can also be linked so that as a person's government ID is created, it is immediately added to other databases the user should have access to.

"It really is cheaper, better [and] faster to do authentication at an enterprise level rather than for each application," said Dan Combs, president of Global Identity Solutions in Falls Church, Va. "Just at the level of password changes, your costs could be spread across 10 applications, and you'd see a dramatic cost reduction." Call center costs related to ID authentication are huge, he added, and those could be cut by 50 percent to 60 percent.

Combs tells public-sector CIOs that a sophisticated ID infrastructure can create efficiencies. "You don't need me to come down to the government office to give me a hunting license," he offered as an example. With the appropriate ID verification, Combs said, difficult things become easier, and the government becomes a much better facilitator of business transactions.

Moving Toward Federation
If improving security and easing employee access are important, identity federation is the larger aim for many CIOs. Organizations traditionally have been hampered by the need to control access, noted Roger Sullivan, vice president of business development for Oracle Corp.'s ID management solutions. "I couldn't grow my business synergistically because I couldn't manage identities beyond my own organization's control," he said. "But now I can do that by entering into mutually beneficial relationships around identity just like other business relationships."

Sullivan is also vice president of the management board of Liberty Alliance, a nonprofit group of corporations, government agencies and vendors working on open interoperability standards. "The major motivator for Liberty was to see that open standards prevailed," he said, "and that the field wasn't locked up by some vendor's proprietary standard, which is what Microsoft's Passport started to look like."

Industry solutions are coalescing around the Security Assertion Markup Language (SAML) 2.0 standard, and the Liberty Alliance and other standards groups are working to verify interoperability between products. "We have seen an explosion in interest in the government sector," Sullivan added, "so we've recently created an e-gov[ernment] special interest group that is truly global. It is led by people from the Danish government, from New Zealand, and from the United States."

Complex Issues
But if the benefits of moving forward with identity infrastructure projects are clear, the pitfalls are plentiful. On the technology side, although vendor solutions are maturing rapidly, they can require a fair amount of integration work, which means hiring consultants or devoting IT staff time.

And the bad news is that technology is the easiest part of the equation. ID management solutions cross organizational boundaries, transforming processes and requiring cultural changes. They could also lead to turf wars over who controls access to data.

"CIOs will have to take a good look at the issues they want to address and prioritize them," Diamond's Gaur noted. The time and effort needed for implementing a solution are considerable, so planning is crucial, as is setting appropriate expectations. "You must determine what problem it solves," he said, "and develop a phased plan for rolling it out."

CIOs should involve the heads of organizations, such as human resources, communications and IT security, early in the planning process. "A very distributed and autonomous organization will require significant coordination and planning," Gaur said.

Organizations working on federation have even more complex issues to navigate, including questions of liability. "There's a roaring chasm you need to be aware of around business policies and trust," Sullivan said. "I'm relying exclusively on your organization to verify that Joe Smith really is a professor who is permitted to see student records. What if you're wrong?"

One of the leaders of an ID federation involving New York state school districts said you have to start slowly. "You need to work on creating trust relations before attempting the technology," said Jenine Wech, Web service production manager for EduTech in Newark, N.Y.

EduTech is one of 12 regional information centers (RICs) involved in a federation project launched in 2005 to provide secure application access and sharing across school districts.

Each RIC controls its own technology, but the RICs wanted to share homegrown applications such as DataMentor, which delivers assessment results to teachers in chart format. Using a server gateway product called PingFederate, the RICs have given teachers access to tools they may not have known about before. Wech said participants must discuss the risk level of transactions. "Choose the lowest level and do that first," she suggested. The high-risk transactions will require more conversations about assurance processes and how credentials are issued.

The Feds Move Slowly
With its E-Authentication Initiative, the federal government has undertaken an ambitious effort to transform access to e-government services. To avoid each agency creating its own ID management infrastructure from scratch, this program has worked to define authentication standards and policies across the federal computing landscape. The initiative's goal is to create a standardized approach for online identity verification of citizens, businesses and other governments.

In 2004, the General Services Administration (GSA) created the E-Authentication Federation to move toward ID federation between industry and all levels of government. Agencies can rely on credentials, such as personal identification numbers, user IDs and passwords or public key infrastructure certificates issued and managed by third-party organizations within or outside the federal government. The federation is composed of federal agency applications and identity verifiers that have adopted a set of agreements, standards and technologies to make identity portable across organizations. The Office of Management and Budget has approved the E-Authentication Federation technology as the authentication service component of the Federal Enterprise Architecture. Agencies are starting to use it to build their public online systems, as they work to meet federal security regulations and requirements. For instance, the U.S. Small Business Administration now provides E-Authentication-enabled login service to 12 applications. Yet, as with any huge change at the federal level, progress has been slow. So far, only 19 agencies, 32 applications and six credential providers are taking part.

GSA officials were not available for comment for this story, but GSA representatives offered an explanation for the agencies' hesitation via e-mail. "There are several reasons that agencies have not participated to a greater extent. They are not yet comfortable with the concept of 'federated identity,' and the cost of transitioning legacy systems can also be a barrier."

Global Identity Solutions' Combs said that although the initiative has done an impressive job on policies, rules and standards, it has not yet figured out a workable business model. "Nobody's wanting to pay for it," he said. "Congress basically said that agencies already get funding for identity management and they should pay, but the agencies themselves don't see it that way."

GSA officials say the E-Authentication Program Management Office is working on changing from a mandated to a market-based approach and business model.

At the State Level
State adoption of ID management at the enterprise level is the exception, not the rule. North Carolina, for example, has launched what it has dubbed a "delegated" ID management system that is currently tied to the state's HR and payroll system. The system serves local governments, businesses, citizens and state workers, encompassing approximately 26,000 users. Eventually the authorization and authentication system will serve nearly a half-million people.

When it comes to managing the ID access of public constituents, Washington state has created two public gateways to state applications. SecureAccess Washington, rolled out in 2004, simplifies access to the growing list of state services accessible via the Internet. A business owner might use three applications at the Department of Labor and Industries and another at Employment Security, each previously with its own password. Now that person can use a single, self-generated user ID and password to gain access to them all. "Our constituents asked for it," said Agnes Kirk, chief security officer in the Department of Information Services. "They see state government as one entity."

For transactions involving higher levels of security such as public health information, the Transact Washington gateway uses PKI and digital certificate technology to identify and authenticate users. Using a single digital certificate, customers can access several secure services offered by state agencies. For instance, an attorney could use it to get immediate access to workers' compensation claims, which previously took as much as 10 days to receive via a written information request.

"We have 420 state applications behind these security gateways, doing everything from collecting revenue to maintaining records," Kirk said. "They get a lot of traffic."

Federation Within a State
Other state governments are beginning to harmonize agency ID management schemes, with the goal of moving toward a statewide ID federation.

Early in 2005, Brian Scott, CIO of the New York State Department of Health, was asked to head up a task force charged with defining a statewide identity management architecture.

"We looked at the horizon," Scott said, "and could see more applications coming down the road, such as shared financial management or human resources, where everyone would need access."

Currently when employees of one agency need access to data in another agency's databases, those issues are worked out in "point-to-point" agreements between the agencies. "Those access issues get solved, but they take a lot of time and effort, and they're a new exercise each time," Scott said. "We thought that a mass agency agreement has got to be a better way to handle it."

A survey of state agencies found a wide range of sophistication concerning ID management. Agencies with business drivers requiring higher levels of security, including tax and health agencies, were furthest along. For instance, Scott's Department of Health was driven by HIPAA regulations to improve its data security and procedures.

The task force developed 46 broad principles agencies must follow in developing their solution. For instance, it specifies that SAML 2.0 will be adopted as the architectural standard for the structure and content of identity assertions used in the federated infrastructure.

Agencies can implement the architecture in their own way with whatever vendors they choose, but they must adhere to the principles and follow open standards that make ID federation possible, Scott said. He expects the state to begin the ID federation experiment with early adopters sometime in 2007, but there is no timeline yet for mandating that state agencies upgrade their infrastructure.

Scott said many policy issues must be worked through. "We don't know yet whether it will be legal issues or fiscal issues, but the greatest amount of work will be on the governance side." He added that other state CIOs have been receptive to the ideas, but they still aren't sure how ID federation will actually work.

"We started at the 50,000-foot level with principles, then the 40,000-foot level with a general strategy," Scott said. "People are waiting to see how this is going to translate to reality on the ground."

David Raths, contributing writer