IAM for the smaller enterprise

May 3, 2012

My clients find identity solutions to be complex and costly to implement.  For mature and/or large enterprises, these issues are simply a cost of doing business — and compliance or online strategic drivers are usually sufficient to fund and launch an IAM initiative.

For the smaller enterprise there appear to be two paths: do nothing, or do it poorly.  A shoddy IAM implementation typically shows up as poor credential management, lousy availability and inappropriate access controls.

So how does a smaller company or organization deal with identity properly? How can users be efficiently identified online without building expensive, custom solutions? What service levels and support are possible for a login service when staff go home at 5pm? How can niche needs like strong authentication be met without excessive server license costs and complex implementations?

Enter the cloud.  Cloud-based IAM service providers are maturing, and a number of them now offer solutions sized for the smaller organization.  For example:

  • Symplified offers a full IAM service that promises plug-and-play integration with surprising depth, including support for mobile devices and apps.
  • PhoneFactor has a slick and secure solution for two-factor authentication that can be licensed on a per-use basis.
  • TransUnion has a robust identity proofing service for the critical process of confirming the identity of an online visitor.

Using one or more of these solutions allows for rapid deployment of IAM for smaller organizations.  The cost savings are considerable and the service levels are beyond what most companies could hope to provide on their own.  Integration work still remains, since applications need to be ‘plumbed’ to inter-operate with the cloud solutions, but the heavy lifting of designing and configuring the solution itself is eliminated.

The maturation of cloud IAM solutions means an increased number of companies can implement secure and compliant solutions without the long lead times and high cost of traditional product-based offerings.  In this age of rampant data breaches and increased focus on compliance, this is a welcome development.

Mike


Federated Identity project

March 20, 2010

I’ve been scoping a Federated Identity Management project for a few months now.  The implementation will include public users and business partners, and will support tens of thousands of users.

We are looking at a number of use cases with this design, including:

  • a low level of assurance with minimal shared attributes, and
  • a higher level of assurance with sufficient shared attributes to support a split profile.
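As an added illustration (not code from the project described in this post) of how a relying party can enforce these two use cases: each inbound assertion carries a level of assurance and a set of attributes, and the service builds only the profile that the asserted level supports, releasing no more attributes than that profile needs.  The numeric LoA values, the attribute names, the trusted-issuer list, and the reading of ‘split profile’ as identity data held at the identity provider joined to locally held service data by a persistent identifier are all assumptions made for the example.

```python
"""Assurance-aware profile building at a relying party (service provider).

Added example; the LoA scale, attribute names and issuer list are assumed.
"""
from dataclasses import dataclass, field

# Assumed level-of-assurance scale: 1 = low (minimal shared attributes),
# 2 = higher (enough shared attributes to support a split profile).
LOA_LOW = 1
LOA_HIGH = 2

# Attributes each profile needs.  The high-assurance set is the assumed
# "split profile": identity attributes from the IdP, joined to service data
# held locally by the persistent identifier.
REQUIRED_ATTRIBUTES = {
    LOA_LOW: frozenset({"persistent_id"}),
    LOA_HIGH: frozenset({"persistent_id", "given_name", "family_name", "email"}),
}

# Assumed allow-list of federation partners whose assertions we accept.
TRUSTED_ISSUERS = frozenset({"https://idp.example.gov/saml", "https://partner.example.com/idp"})


@dataclass(frozen=True)
class Assertion:
    """Minimal model of an already signature-verified federation assertion."""
    issuer: str
    loa: int
    attributes: dict = field(default_factory=dict)


class AssuranceError(Exception):
    """Raised when an assertion cannot support the requested profile."""


def build_profile(assertion, requested_loa, trusted_issuers=TRUSTED_ISSUERS):
    """Return the profile the service may populate from this assertion.

    Rules enforced:
      * only assertions from trusted issuers are accepted;
      * a profile is never built at a higher assurance level than the
        assertion itself carries (no upgrading a low-LoA login to the
        high-assurance split profile);
      * every attribute the profile needs must be present;
      * only the attributes that profile needs are released (minimisation).
    """
    if assertion.issuer not in trusted_issuers:
        raise AssuranceError(f"untrusted issuer: {assertion.issuer}")
    if requested_loa not in REQUIRED_ATTRIBUTES:
        raise AssuranceError(f"unknown level of assurance: {requested_loa}")
    if assertion.loa < requested_loa:
        raise AssuranceError(
            f"assertion is LoA {assertion.loa}; profile needs LoA {requested_loa}"
        )
    needed = REQUIRED_ATTRIBUTES[requested_loa]
    missing = needed - assertion.attributes.keys()
    if missing:
        raise AssuranceError(f"assertion lacks required attributes: {sorted(missing)}")
    # Release only what this profile needs, even if the IdP sent more.
    return {"loa": requested_loa, **{k: assertion.attributes[k] for k in sorted(needed)}}


def highest_profile(assertion, trusted_issuers=TRUSTED_ISSUERS):
    """Build the richest profile the assertion can support, falling back to
    the low-assurance profile when the high one is not possible."""
    for loa in sorted(REQUIRED_ATTRIBUTES, reverse=True):
        try:
            return build_profile(assertion, loa, trusted_issuers)
        except AssuranceError:
            continue
    raise AssuranceError("assertion supports no profile")


if __name__ == "__main__":
    # Constructed sample assertions.
    low = Assertion("https://idp.example.gov/saml", LOA_LOW, {"persistent_id": "u-1001"})
    high = Assertion(
        "https://idp.example.gov/saml", LOA_HIGH,
        {"persistent_id": "u-1001", "given_name": "Sam", "family_name": "Lab",
         "email": "sam@example.org", "phone": "555-0100"},
    )
    print(build_profile(low, LOA_LOW))
    print(build_profile(high, LOA_LOW))   # same minimal profile: no over-release
    print(highest_profile(high))          # full split profile, phone dropped
```

The point of the `assertion.loa < requested_loa` check is that the low-assurance and high-assurance use cases must stay separated on the service side: a partner asserting a low-assurance login, even with extra attributes attached, must not be allowed to populate the profile that the higher-assurance process is meant to protect.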

The challenges are going to be related to privacy (the client is in the public sector) and legal issues.  My focus for the next month will be to try to tackle these issues, or at least get a start on them, before we get too involved with defining the technical solution.

Mike


Fed ID and legal considerations

January 18, 2010

I recently came across this article from E-Commerce Times (via a Paul Madsen tweet) that is worth a read.  It provides a good high-level summary of legal considerations for federated identity implementations.  A quote:

“Many of the legal issues arise when things go wrong, such as incorrect identification, faulty authentication, or misuse of personal data…”

While it is US-based, it highlights many of the issues that we will face with Canadian implementations.

Mike


We are what we eat

May 18, 2009

(photo: eating your own dog food)

A few years ago, I had a developer on my team who was famous for injecting the phrase ‘we need to eat our own dog food’ into client meetings for various appropriate or inappropriate reasons.  Okay, most of the time it was inappropriate and I don’t really think he knew what he was saying…

The expression means to use the products we make, and according to Wikipedia, it was based on a dog food commercial:

The idea originated in television commercials for Alpo brand dog food; actor Lorne Greene would tout the benefits of the dog food, and then would say it’s so good that he feeds it to his own dogs.

News from Microsoft last week indicates that the company is prepared to move forward with Geneva Beta 2 as its own production solution for federation with business partners.  Up to 59 applications used by almost 30 partners will be depending on Geneva for identity services.

While not earth-shaking news — Microsoft have frequently used early versions of their own products — it is encouraging to see for those organizations that are eyeing Geneva to support upcoming federated identity initiatives.

(As for the handsome fella pictured above, that would be my own brown lab, Sam…  If you are reading this Sammy, your food is safe.  Remember, if you are careful to always protect your online identity, no one has to know you’re a dog…)

Mike


Federation: SAML, Open ID and InfoCards

May 15, 2009

I came across a very succinct summary of these technologies and the scenarios they support over at Matthew Gardiner’s blog:

Information Cards provide a very elegant system for use cases which require and/or benefit from explicit user participation. With Microsoft’s impending release of supporting server side tooling, it will be an important force in Web identity management for many years to come. However, for applications for which explicit user participation is unnecessary or counter-productive – simple Internet SSO being the goal – SAML remains the best choice. OpenID’s focus remains on easing access to applications for which assuring true user identity is not really necessary.

Even better is the link to the IEEE Security & Privacy article The Venn of Identity.  Pretty much a must-read if you are interested in Federated Identity.

Mike

