Identity crisis ahead

The Internet industry is trying a new approach to clear up the log-in logjam. For manufacturers, it could have implications for supply chain management and other e-commerce activities.

The Internet puts banking, shopping, investing and much else right at our fingertips. But as we all do more online, the need to log onto multiple sites, often remembering different user names and passwords, begins to rival finding parking spots at the mall in frustration quotient.

If managing multiple identities can be annoying to consumers, it’s a costly headache for businesses, as they get more serious about e-commerce and the convenience and cost-savings of managing the supply chain electronically.

From this reality has emerged an industry initiative to create a simple and secure means of managing online identities so that all parties involved can know who they’re dealing with, and how much to trust each other. Manufacturers who hope to take advantage of e-commerce today and be prepared for the coming wave of Web-based services tomorrow must first lay a foundation built on identity management, say industry experts. The motivation is simple: money.

Cost and friction

“The sense of urgency is this: You have Web-based applications—they are mostly supply chain related in manufacturing—and the lack of a means of reduced sign-on leads to a lot of different accounts that users have to maintain,” says Dan Blum, vice president and research director of The Burton Group, a Midvale, Utah-based research and consulting firm. “Each one comes with a help desk and some maintenance, so there is both cost and friction associated with account proliferation.”

“We think this is going to have big implications for the manufacturing community long-term,” adds Derek Brink, director of authentication products at RSA Security, Bedford, Mass., a major identity management systems vendor. “It will significantly reduce their cost of operations.”

The process of getting to this simple and secure identity management state is a complex one, involving multiple forums and standards (see sidebar), as well as the usual array of conflicting vendor viewpoints. Fortunately, as with a hot dog, it’s not necessary to acquaint yourself with how something is made to enjoy its results.

One of the first pieces of the identity management puzzle is a set of specifications called Security Assertions Markup Language (SAML), which provides an eXtensible Markup Language-based common platform for exchanging security information online. XML is the widely acknowledged language of e-commerce. The first version of SAML was adopted in November 2002 by the Organization for the Advancement of Structured Information Standards (OASIS) consortium, a global e-commerce standards group.

The SAML specs define both inbound and outbound messages used to authenticate a user’s identity. The idea is that a company would implement SAML to create a single federated identity for its employees to use in all business. That identity includes SAML-defined assertions, which are sets of one or more facts about either a human user or a computer.

There are three kinds of SAML assertions. Authentication assertions establish a user’s identity. Attribute assertions contain relevant facts about the user, such as job status, credit line or citizenship. Authorization assertions identify what the user is allowed to do, such as access a database or make a purchase.

The federated identities can then be used in multiple ways.

“I believe it can have a big impact on the way a company does business,” says Rich Taggart, director, enterprise technology architecture integration and standards, for General Motors Corp. “Most employees will have five to a dozen different online identities in their personal and professional lives. Used internally, for things like health benefits, or managing retirement accounts, identity management lowers costs for the employer and has benefits for the employee.”

If, for instance, your company has outsourced its 401(k) plan to one firm and its health care management to another, employees would have one log-in to access the Web sites of each, and would automatically have access to only what they are allowed to see, as long as all parties had implemented SAML-based systems. If a company adds another benefits partner, the same federated identities can be used, as long as the new partner has implemented SAML.

A federated identity is different from other identities just as a driver’s license or passport is different from a credit card that has a photo on it, says Prakash Ramamurthy, vice president of products and technology at Oblix, Cupertino, Calif., which makes SAML software. “Both of them have your name and photo but you can’t use the credit card as proof of identity at the airport,” he says. “The driver’s license has a more authoritative source.”

Paying off

One big cost savings would be the great reduction in lost passwords, which are generally considered the most time-consuming problem at any IT help desk, says Ramamurthy. “It takes anywhere from 45 percent to 70 percent of the help desk time just to deal with lost passwords, and that’s a big expense,” he says.

But the bigger impact of federated identities is in enabling e-commerce and easier collaboration among partners and supply chain management.

“Today, if you want to hook up your ordering system to a partner’s system, you may be more likely to do custom application integration,” says Randy Heffner, analyst with the Giga Information Group, Cambridge, Mass. “But as you want to connect to more people, and as you want to do application-to-application connections, which is what Web Services are all about, then the cost effective way to do that is through an Internet single sign-on that uses a standard data transfer.”

Ramamurthy cites the instance of an airplane manufacturer that needs to provide documentation on the aircraft it has sold to an airline so that the airline’s mechanics can access information for repairs or replacement parts. In the old days, piles of manuals were needed at every airport. But today, the manufacturer can keep the documentation online. Using federated identities, the mechanics can log into the airplane manufacturer’s portal and be immediately identified as an individual who can only access information used for repair.

An individual at the same airline who has purchasing authority would be enabled, under the federated identity, to order supplies. In this way, the aircraft manufacturer can open up electronically to enable closer collaboration with a customer and maintain security of the site.
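As an added illustration (not part of the original article or any vendor's code), the Python example below shows how the manufacturer's portal in this scenario could turn a SAML 1.0 assertion from the airline into permissions, using the authentication and attribute assertions described earlier. The issuer URL, the `role` attribute and the permission names are assumptions made for the example; verifying the assertion's XML signature, which a real deployment must do before trusting any of its contents, is outside what it shows.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
TRUSTED_ISSUERS = {"https://idp.airline.example"}  # assumption: agreed with the partner out of band
ROLE_PERMISSIONS = {"mechanic": {"read-repair-docs"},  # assumption: hypothetical role mapping
                    "purchasing": {"read-repair-docs", "order-parts"}}

# Constructed sample assertion (not a captured message); the XML signature is left out.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" AssertionID="a1"
    Issuer="https://idp.airline.example" IssueInstant="2003-09-01T12:00:00Z">
  <saml:Conditions NotBefore="2003-09-01T12:00:00Z" NotOnOrAfter="2003-09-01T12:05:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2003-09-01T11:59:58Z">
    <saml:Subject><saml:NameIdentifier>jdoe@airline.example</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>jdoe@airline.example</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>mechanic</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def permissions_for(assertion_xml, now):
    """Return (subject, permissions); an empty permission set means deny."""
    root = ET.fromstring(assertion_xml)
    if root.get("Issuer") not in TRUSTED_ISSUERS:       # who vouches for this user?
        return None, set()
    cond = root.find("saml:Conditions", NS)             # reject stale or not-yet-valid assertions
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return None, set()
    authn = root.find("saml:AuthenticationStatement", NS)
    if authn is None:                                   # attributes alone do not prove a login
        return None, set()
    subject = authn.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS)
    perms = set()
    for stmt in root.findall("saml:AttributeStatement", NS):
        if stmt.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS) != subject:
            continue                                    # attributes about someone else
        for attr in stmt.findall("saml:Attribute[@AttributeName='role']", NS):
            for val in attr.findall("saml:AttributeValue", NS):
                perms |= ROLE_PERMISSIONS.get((val.text or "").strip(), set())
    return subject, perms
```

Unknown roles, untrusted issuers and expired assertions all fall through to an empty permission set, so the portal denies by default.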

SAML is also viral—in a good way, says Blum. “Say that one company, such as GM, requires its trading partners to use SAML,” he says. “Once you set up to use it with one company, you can use it with others that the first company uses. When people see the benefits, then they want to use it with others, and it spreads.”

GM is looking at SAML for its supply chain management because the other approach—“one-off proprietary systems to link us to individual partners”—is too expensive, says Taggart.

No big deal

Unlike many technology upgrades, identity management doesn’t require a major investment in new hardware or disruptive changes in networking. New software is needed and processes must be set in place for establishing federated identities and maintaining them.

Software using the initial SAML specification is available today from multiple vendors including Oblix and RSA Security, as well as Baltimore Technologies PLC, CrossLogix Inc., Netegrity Inc., Novell Inc., Sun Microsystems Inc. and IBM’s Tivoli Systems.

“One thing companies should definitely be doing today is asking vendors about their plans with regard to Web Services and federated identities,” says Deepak Tenasia, chief technical officer at Netegrity, in Waltham, Mass. “A lot of products that support SAML are out now. The large scale deployment is starting to happen.”

Depending on the size and complexity of the enterprise, deployment could take from a couple of days to a couple of months, says Blum.

That initial deployment is just the beginning, however. The next major step is toward Web Services, which is primarily computer-to-computer or application-to-application communications that promise to automate many processes that today require human initiation or intervention, such as ordering and restocking parts or other goods, issuing notices and more.

In the meantime, there is still significant work to be done on future versions of SAML and other aspects of identity management. One of the complexities of that process involves the lack of agreement on how Web Services should take place going forward. Two of the major vendors in the space, IBM and Microsoft, are developing their own Web Services security road map, as part of the WS stack of software that includes WS Security, WS Trust and WS Policy. In July, they announced a WS-Federation specification.

The Liberty Alliance, a group of 170 companies and government units, has been working on an open ID-Federation framework that could well wind up competing with what IBM/Microsoft develop.

“It’s not clear yet whether they are on a collision course or whether this is just a bumpy road,” says analyst Heffner. “I could certainly make a case that the Liberty framework competes with what Microsoft and IBM are developing.”

Liberty is farther along in its development and—unlike the IBM/Microsoft initiative—relies on an open standards approach that doesn’t lock any company that wants to use its specifications into a single vendor or a single approach.

“What we envision is that companies will be able to buy software off-the-shelf to support this, or use a third-party service bureau, or write their own code,” says GM’s Taggart, who is vice-president of The Liberty Alliance Management Board. For that matter, he adds, the alliance is always open to new members who want to have input on the ongoing specifications. “We realize that it is confusing for the industry, which wants to see convergence around this. We’re urging other manufacturers to speak up.”

The Burton Group’s Blum advises clients to deploy SAML now and keep an eye on what Microsoft and IBM are doing but wait until their work has gone into standards. His other cautionary note about SAML and federated identities is a reminder that no technology is a substitute for careful management of company records and data.

“In terms of security, this could be a wash,” Blum says, “because you are now relying on another company to maintain authentication records and you have to be able to trust that company.”

Ramamurthy of Oblix pushes the notion that any SAML deployment include the ability to delegate administrative capabilities to local branches or organizations so that personnel churn can be quickly accounted for in the identity management software.

Even a relatively straightforward process has its drawbacks in time and money, and analyst Heffner believes that manufacturers must evaluate whether their current need for online collaboration warrants upgrading to SAML and federated identities. The decision should be made purely on financial considerations, he says. “If I’m a company that has 100 customers and I generally communicate with two people at each customer, then I’m not sure it’s worth it. But when you get up into higher numbers, then there are definite benefits.”

GM’s Taggart sees many within the manufacturing community beginning to test the SAML process as they look to greater automation and lower cost.

“This can be leveraged for small businesses as well as large ones,” he says. “That’s a real benefit of an open standard.”

See sidebar to this article: The scorecard
