January 2, 2008 By Vijay Takanti
Public-sector CIOs can no longer rely only on traditional methods of creating user identities. Today's interactions between federal, state and local agencies and their contractor and supplier partners are becoming increasingly complex and time-critical. Important information assets are at stake, as well as the success of external collaboration efforts.
In the past, the typical approach to giving users - from employees to contractors - access to necessary resources has been to create a separate account for each user on each individual application. This approach becomes costly and time consuming as applications proliferate internally, and is no longer supportable when engaging with stakeholders outside of an organization's four walls.
Within an enterprise identity management framework, many agencies have attempted to consolidate their internal accounts - typically using Microsoft's Active Directory, or a similar system - to simplify user access. This strategy has eased the administrative burden for internal staff, but it has failed to address the key issue for the most rapidly growing use case: providing access to external users.
Access for partners, citizens, contractors and other agencies remains cumbersome and risky. In response to growing demand for third-party collaboration and information access, agencies are creating accounts to grant external user access - even though these users are likely to have digital identities set up by their own employers - and the proliferation of accounts for external users is leaving agencies exposed to potential security breaches.
What happens if the business partner no longer employs these users? What if they've changed roles and shouldn't have access to a particular system? From an IT perspective, there are too many users from too many constituencies whose movements and permissions must be monitored and maintained. To secure business collaboration in a federated community of agencies, suppliers and partners, it's critical that enterprises trust the identity claims of other entities. For this reason, many CIOs increasingly rely on federated identity credentials for identity assurance.
A federated credential is a unique-identifier approach that allows users to be authenticated no matter where they travel - physically or virtually - throughout the federated community. In a federated model, updates about a user's status, role and authorizations come from the constituent organizations themselves: the organization - typically the employer - "vouches" for the authenticity of the individual's identity, because the employer is best positioned to maintain that employee's critical data in the user account.
This data becomes the gold standard used by organizations participating in the federated system. The approach minimizes the complexity of activities each party's IT department must perform, while at the same time delivering credentials that promote cross-enterprise interaction without compromising security and sacrificing visibility into key business processes.
Federated Building Blocks
The highly sensitive nature of the information that governments and their contractors safeguard means agencies must have assurances that the information is made available only to authorized personnel. This raises the bar on the strength and robustness of identity and access management mechanisms being deployed - setting the stage for federated identity management.
In response to these and other concerns, the federal government has established a number of relevant regulations and standards over the past decade to promote efficient, secure cross-enterprise communication and information sharing:
While standards establish a baseline, federated identity management requires a community of interest to work in a practical, cost-effective and scalable manner. The combination of real-world events and legal rulings has led to trends at the federal, state and local levels that are encouraging the formation of communities that use federated credentials for identity assurance. Some of the more important trends include:
Implementing a federated solution also makes sense from a cost perspective. When agencies assume the responsibility for provisioning accounts for their partners' and suppliers' employees and contractors, they must manage these "outside users" as they would their own. IT departments in most agencies spend a great deal of time and effort accounting for their own users. Having to track the status of outside users who may change roles or jobs - given that partners may not have the ability or discipline to provide timely, accurate updates - further increases risk and cost. According to research conducted by AMR, for every account an enterprise manages, it spends $15 per year in help desk costs, in addition to draining IT staff time. As the number of collaboration scenarios grows, the numbers can add up quickly.
All of these factors point to the use of federated credentials, which balance the need to share more information with the need to protect valuable data - helping agencies provide accountability for activities that are highly distributed and exploding in scale.
Federated information sharing addresses the chief concerns that accompany sharing sensitive information electronically: interoperability, information security, cost control and quality of service.
The federated solution solves interoperability problems by leveraging trust relationships to accept a user who has already been authenticated by a trusted partner. For authenticated users, this opens the door to a single sign-on and access to any authorized application in any domain, as well as portability of identity information across security domains. Users no longer bear the burden of remembering separate passwords for every single application.
Multi-organization account management is no longer a worry, because federation supports the implementation of standards that ensure security policies are enforced, and that authentication is strong and accurate. In addition, federation provides a framework where users are only authenticated once but can be authorized as appropriate by the enterprise providing the desired service or application. Organizations no longer need to apply security policies across multiple organizations and worry about keeping information private when exchanging data about users from a variety of sources.
Costs are contained in a federated environment by automating and centralizing identity management tasks, and by eliminating expensive and redundant manual processes. A trusted partner's authentication of a user's credentials is sufficient, and authorizations can be mapped to those trusted credentials, further reducing overhead. Without federation, IT departments face the near-impossible task of managing a rapidly accelerating number of identities along with ever-increasing infrastructure costs.
Quality of service is achieved through federation because access is simplified through single sign-on for multiple applications hosted in multiple domains. Because identities are managed and authenticated where they are owned, new services can be introduced more quickly. Without federation, streamlining authentication between internal applications and those requiring access by partners is cumbersome and unlikely to be delivered with any real quality of service.
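The flow described in the preceding paragraphs - a partner authenticates its own employee, vouches for that identity and role, and the agency authorizes locally without ever creating an account - can be illustrated with a small exchange. The code below is an added example, not part of the article or of Exostar's product; it assumes a shared HMAC secret per trusted partner in place of the public-key signatures a real SAML or PKI federation would use, and the partner list, role map and user names are constructed sample data.

```python
"""
Added example (not from the article): a minimal federated credential exchange.

Identity provider (the employer) authenticates its employee and issues a signed
assertion: who the user is, which organization vouches for them, what role they
hold, and when the assertion expires. Relying party (the agency) stores no
account for the user; it verifies the assertion against the key agreed with
that trusted partner, checks freshness, and maps the asserted role onto its own
local permissions.

Assumptions, not part of the article: a shared HMAC secret per partner stands in
for public-key signatures, and the trust list and role map are in-memory dicts.
"""
import hashlib
import hmac
import json
import time

# Constructed sample data: partners the agency trusts and the secret each
# partner's identity provider shares with the agency.
TRUSTED_PARTNERS = {
    "acme-defense.example": b"constructed-shared-secret-for-acme",
}

# Local authorization policy: asserted role -> permissions granted here.
# Authentication is delegated to the partner; authorization stays local.
ROLE_MAP = {
    "contract-engineer": {"read:drawings"},
    "program-manager": {"read:drawings", "approve:deliverables"},
}


def _sign(payload: bytes, secret: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def issue_assertion(issuer, subject, role, secret, ttl_seconds=300, now=None):
    """Identity provider side: after authenticating the employee (out of scope
    here), vouch for their identity and current role for a short time."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "role": role,
              "iat": now, "exp": now + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": _sign(payload, secret)}


def verify_assertion(assertion, now=None):
    """Relying party side: accept the partner's authentication only if the
    issuer is trusted, the signature is valid and the assertion is fresh.
    Returns the claims, or raises ValueError."""
    now = time.time() if now is None else now
    claims = assertion["claims"]
    secret = TRUSTED_PARTNERS.get(claims.get("iss"))
    if secret is None:
        raise ValueError("untrusted issuer")
    payload = json.dumps(claims, sort_keys=True).encode()
    # Constant-time comparison so the check leaks nothing about the MAC.
    if not hmac.compare_digest(_sign(payload, secret), assertion["sig"]):
        raise ValueError("bad signature")
    if now >= claims["exp"]:
        raise ValueError("assertion expired")
    return claims


def authorize(assertion, permission, now=None):
    """Authenticate once via the partner's assertion, authorize locally."""
    try:
        claims = verify_assertion(assertion, now=now)
    except ValueError:
        return False
    return permission in ROLE_MAP.get(claims["role"], set())


if __name__ == "__main__":
    secret = TRUSTED_PARTNERS["acme-defense.example"]
    a = issue_assertion("acme-defense.example", "jdoe", "contract-engineer", secret)
    print("read:drawings ->", authorize(a, "read:drawings"))
    print("approve:deliverables ->", authorize(a, "approve:deliverables"))
```

The short expiry is what answers the "what if the partner no longer employs this user" question from earlier in the article: the agency holds no account to clean up, and once the employer stops issuing assertions the user's access lapses on its own. Any change to the role claim after signing invalidates the signature, so a user cannot promote themselves between the partner and the agency.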
Above all, in a federated community, information can be shared with users beyond their traditional boundaries, new services can be delivered efficiently to the extended user community and agencies can effectively collaborate with partners to broaden their reach.
Questions CIOs Should Ask
The benefits of establishing a trusted community that supports federated identity assurance are clear. However, government CIOs must ask and answer a host of business and management questions about how to proceed, and identify the most appropriate solution. The most critical questions fall into five categories:
No matter how well the solution performs in theory, CIOs must have the confidence that it will succeed in practice.
An Essential Choice
If public CIOs want to stay ahead of the game and comply with federal mandates, federated credentials are essential for cross-enterprise identity assurance and secure business collaboration in a connected community of trusted parties.
Furthermore, the everyday benefits of such a solution are significant. In addition to delivering improved, more responsive communications with other constituents and meeting regulatory standards like HSPD-12 and FIPS 201, CIOs can create, track and maintain federated credentials in a single location. In this environment, users are authenticated once via single sign-on and granted authorization to applications based on their roles and privileges. As a result, users are more satisfied because they don't have to remember numerous passwords, and navigation between applications is seamless, which also reduces stress on IT and help desk operations. Applications are more secure and reporting and auditing functions are improved.
With federated credentials, interoperability, information security and quality of service rise while costs fall - enabling CIOs to achieve control, compliance and confidence.
Vijay Takanti is vice president and security program director for Exostar.