Managing Identities Online: Assuring Good Identities

Managing identities online has become increasingly complex, cumbersome and costly. Now there's a way out of the mess.

by Vijay Takanti / January 2, 2008

Public-sector CIOs can no longer rely only on traditional methods of creating user identities. Today's interactions between federal, state and local agencies and their contractor and supplier partners are becoming increasingly complex and time-critical. Important information assets are at stake, as well as the success of external collaboration efforts.

In the past, the typical approach to giving users - from employees to contractors - access to necessary resources has been to create separate accounts for each user on each individual application. This approach becomes costly and time-consuming as applications proliferate internally, and is no longer supportable when engaging with stakeholders outside of an organization's four walls.

Within an enterprise identity management framework, many agencies have attempted to consolidate their internal accounts - typically using Microsoft's Active Directory, or a similar system - to simplify user access. This strategy has eased the administrative burden for internal staff but has failed to address the key issue for the most rapidly growing use case: providing access to external users.

Access for partners, citizens, contractors and other agencies remains cumbersome and risky. In response to growing demand for third-party collaboration and information access, agencies are creating accounts to grant external user access - even though these users are likely to have digital identities set up by their own employers - and the proliferation of accounts for external users is leaving agencies exposed to potential security breaches.

What happens if the business partner no longer employs these users? What if they've changed roles and shouldn't have access to a particular system? From an IT perspective, there are too many users from too many constituencies whose movements and permissions must be monitored and maintained. To secure business collaboration in a federated community of agencies, suppliers and partners, it's critical that enterprises trust the identity claims of other entities. For this reason, many CIOs increasingly rely on federated identity credentials for identity assurance.

A federated credential is a unique identifier that allows users to be authenticated no matter where they travel - physically or virtually - throughout the federated community. In a federated model, updates about user status, role and authorizations are provided by the constituents: organizations - typically employers - "vouch" for the authenticity of the individual's identity, because the constituent's employer is best positioned to maintain that employee's critical data in the user account.

This data becomes the gold standard used by organizations participating in the federated system. The approach minimizes the complexity of activities each party's IT department must perform, while at the same time delivering credentials that promote cross-enterprise interaction without compromising security or sacrificing visibility into key business processes.


Federated Building Blocks
The highly sensitive nature of the information that governments and their contractors safeguard means agencies must have assurances that the information is made available only to authorized personnel. This raises the bar on the strength and robustness of identity and access management mechanisms being deployed - setting the stage for federated identity management.

In response to these and other concerns, the federal government has established a number of relevant regulations and standards over the past decade to promote efficient, secure cross-enterprise communication and information sharing:

  • Homeland Security Presidential Directive 12 (HSPD-12) mandates that federal agencies integrate physical and logical access to improve the ability to authenticate individuals. The objective is to enhance security against potential terrorist threats while reducing identity fraud. For example, employees can be issued badges with their name, photograph, biometric and digital credential. The badge can be examined by a security guard for initial authentication, swiped to allow entry to authorized locations in facilities and plugged into a computer USB port to provide logical access to authorized applications.
  • Federal Information Processing Standard 201 (FIPS 201) provides a common framework for credentials issued to federal employees and contractors. In essence, it helps define the technical approach for HSPD-12 implementation.
  • Electronic Signatures in Global and National Commerce Act (ESIGN) - Congress passed ESIGN to spur e-commerce and e-government by clearing legal barriers to electronically signed transactions. It enables the replacement of paper-based, manually oriented processes and interactions that are often too slow and cumbersome with streamlined, automated processes that use electronic signatures.
  • National Institute of Standards and Technology 800 (NIST 800) provides the framework for physical, procedural and policy controls to meet federal security requirements for protecting government assets.

While standards establish a baseline, federated identity management requires a community of interest to work in a practical, cost-effective and scalable manner. The combination of real-world events and legal rulings has led to trends at the federal, state and local levels that are encouraging the formation of communities that use federated credentials for identity assurance. Some of the more important trends include:

  • Development of first-responder programs and similar initiatives that inherently rely on strong intra- and inter-agency communications.
  • Commitment to control identity fraud under even the most complex and challenging circumstances.
  • Creation of independent organizations that facilitate the fabric of trust needed for the federation. For example, the Federal Public Key Infrastructure (PKI) Bridge handles this function for federal agencies, while the Aerospace and Defense Commercial PKI Bridge run by CertiPath does so for non-federal entities.
  • Establishment of federated identity cross-credentialing systems for more targeted cross-enterprise communications environments.
  • Participation in the Liberty Alliance organization through activities such as the Electronic Authentication Program. Liberty Alliance is a public/private consortium that focuses on current and emerging issues in identity assurance.
  • Improvement in information sharing at the federal level via Executive Order 13388 (Further Strengthening of Terrorism Information to Protect Americans), the Intelligence Reform and Terrorism Prevention Act of 2004 and the Multi-National Sharing initiative.

Implementing a federated solution also makes sense from a cost perspective. When agencies assume the responsibility for provisioning accounts for their partners' and suppliers' employees and contractors, they must manage these "outside users" as they would their own. IT departments in most agencies spend a great deal of time and effort accounting for their own users. Having to track the status of outside users who may change roles or jobs - given that partners may not have the ability or discipline to provide timely, accurate updates - further increases risk and cost. According to research conducted by AMR, for every account an enterprise manages, it spends $15 per year in help desk costs, in addition to draining IT staff time. As the number of collaboration scenarios grows, the numbers can add up quickly.

All of these factors point to the use of federated credentials, which balance the need to share more information with the need to protect valuable data - helping agencies provide accountability for activities that are highly distributed and exploding in scale.

Federated Benefits
Federated information sharing addresses all of the chief concerns that accompany sharing sensitive information electronically: interoperability, information security, cost control and quality of service.

The federated solution solves interoperability problems by leveraging trust relationships to accept a user who has already been authenticated by a trusted partner. For authenticated users, this opens the door to a single sign-on and access to any authorized application in any domain, as well as portability of identity information across security domains. Users no longer bear the burden of remembering separate passwords for every single application.

Multi-organization account management is no longer a worry, because federation supports the implementation of standards that ensure security policies are enforced, and that authentication is strong and accurate. In addition, federation provides a framework where users are only authenticated once but can be authorized as appropriate by the enterprise providing the desired service or application. Organizations no longer need to apply security policies across multiple organizations and worry about keeping information private when exchanging data about users from a variety of sources.

Costs are contained in a federated environment by automating and centralizing identity management tasks, and eliminating expensive and redundant manual processes. A trusted partner's authentication of a user's credentials is sufficient, and authorizations can be mapped to those trusted credentials, further reducing overhead. Without federation, IT departments face the near-impossible task of managing the rapidly accelerating number of identities along with ever-increasing infrastructure costs.

Quality of service is achieved through federation, where access is simplified through single sign-on for multiple applications hosted in multiple domains. Because identities are managed and authenticated where they are owned, new services can be introduced more quickly. Without federation, streamlining authentication between internal applications and those requiring access by partners is cumbersome and unlikely to be delivered with any degree of quality of service.

Above all, in a federated community, information can be shared with users beyond their traditional boundaries, new services can be delivered efficiently to the extended user community and agencies can effectively collaborate with partners to broaden their reach.

Questions CIOs Should Ask
The benefits of establishing a trusted community that supports federated identity assurance are clear. However, government CIOs must ask and answer a host of business and management questions about how to proceed, and identify the most appropriate solution. The most critical questions fall into five categories:

  • Leadership - Has the agency created an information-sharing vision, and has that vision been shared internally and with external partners? Is there a culture that recognizes and rewards forward-thinking solutions for information sharing to address the growing national security and homeland security concerns?
  • Information Sharing Requirements - What other agencies require that information and credentials be shared? Are federated credentials and related systems compatible, and can the Federal PKI Bridge be used? Are there other entities - such as federal, state and local governments, partners and suppliers - that also belong in the federation?
  • Governance - Are the mechanisms in place to monitor others in the community to ensure they are adhering to policies and procedures? How easily can information sharing be terminated when no longer required with select partners? Is the legal framework established to support the technology solution? Is an auditing accreditation scheme in place, and can auditors execute audits properly?
  • Certification and Standards Compliance - Are the vendor solutions under consideration certified by either the National Institute of Standards and Technology (NIST) or General Services Administration authorities? What is the track record of these vendors in addressing standards and maintaining compliance with federal mandates such as FIPS 201 and NIST 800?
  • Operating Environment - What impacts will the federated solution have on the current operating environment? Are legacy applications prepared to support digital credentials, and are these applications "open" for integration? How much time will implementation take, and what will it cost?

No matter how well the solution performs in theory, CIOs must have the confidence that it will succeed in practice.

An Essential Choice
If public CIOs want to stay ahead of the game and comply with federal mandates, federated credentials are essential for cross-enterprise identity assurance and secure business collaboration in a connected community of trusted parties.

Furthermore, the everyday benefits of such a solution are significant. In addition to delivering improved, more responsive communications with other constituents and meeting regulatory standards like HSPD-12 and FIPS 201, CIOs can create, track and maintain federated credentials in a single location. In this environment, users are authenticated once via single sign-on and granted authorization to applications based on their roles and privileges. As a result, users are more satisfied because they don't have to remember numerous passwords, and navigation between applications is seamless, which also reduces stress on IT and help desk operations. Applications are more secure and reporting and auditing functions are improved.

With federated credentials, interoperability, information security and quality of service rise while costs fall - enabling CIOs to achieve control, compliance and confidence.

Vijay Takanti is vice president and security program director for Exostar.

Vijay Takanti Contributing Writer