Perhaps the simplest way to solve this problem is sharing methods of identity management, but the simple things aren't necessarily the easiest to do.
"There still aren't any rules on how to authenticate people," Lewis said. "There also isn't a lot of transparency. It's not that people are hiding things. It's just not easy to find out. The fact that you don't have rules about how to exchange trust between states is a big impediment."
Lewis said the EAP's goal is straightforward -- in the public sector, if one government agency authenticates a user, then other agencies needing to authenticate that same user can rely on and trust the first agency's authentication process.
That exchange of trust between states is critical, Lewis said.
"A state needs a credible process to link individuals to their digital credentials, but then it doesn't ask other states to match that process when they issue credentials, nor does it share how its process works with other states when they're asked to accept a credential," he added. "You're only sharing the outcome -- 'We did whatever our process calls for, and we decided we trust and authenticate this person, and now we ask you to trust our decision.'"
Inclusive vs. Exclusive
While the EAP tackles transparency, another organization known as the Liberty Alliance works to develop open standards for identity management applications.
Formed in 2001, the Liberty Alliance consists of more than 150 companies and organizations -- both government and nonprofit. Products from eight companies recently completed certification testing by demonstrating interoperability.
The alliance began its testing program in 2003, and has since tested 40 ID management products for interoperability. Alliance certification is meant to assure organizations that the products will not require extensive configuring.
Building interoperable identity management products is relatively new to the industry, said Shannon Kellogg, Liberty Alliance board member and RSA Security's director of Government and Industry Affairs.
In part, vendors active in the identity management arena did what any vendor would -- react to market demands. Little incentive existed to create standards for identity management products.
Groups such as the Liberty Alliance and the Organization for the Advancement of Structured Information Standards (OASIS) -- a nonprofit consortium focused on driving the development and adoption of Web services standards -- started the push toward standards when customers began asking for standards-based products.
"RSA was a founding member of the Liberty Alliance several years ago, and we've also been active in OASIS and on the SAML [Security Assertion Markup Language] spec," Kellogg said. "We thought early on it was critical to drive the standards process while talking to customers. Customers a few years ago didn't necessarily understand and weren't clamoring for federation technologies."
The impetus then was to hold tight to information, and government agencies wanted products that sealed environments against information coming in or going out. The emergence of Web services as a practical toolset, coupled with a change in attitude about the importance of information sharing, now has customers asking for a federated identity management environment.
In this environment, the same user name and password allow individuals to sign onto the networks of more than one enterprise to perform necessary transactions.
The growth of business-to-business activity, and the need to collaborate on data sharing and information gathering, spurred the change, said Rob Potter, RSA's director of Federal Operations.
"What people have said is, 'Wait a second. We have these silos of access and authentication. Now that we've built this, how do we go out and do exactly