Identity Federation Rules and Process
Linda Elliott, President, PingID Network
Electronic Authentication Partnership, Washington, DC, February 12, 2004
Copyright PingID Network, 2003

Identity Federation
The linking of identity systems enables cross-boundary security and convenience.
Thinking about the Issues
Issues and component parts:
Technical federation standards: Liberty Alliance, SAML, WS-*, Shibboleth
Certificates and certificate policy: private industry (Verisign, Entrust), Identrus
Privacy: ISTPA, Liberty Alliance
Contracts are the most common approach to formalizing specifics
Existing business alliances augment contracts
New federations attempt bilateral agreements
Don't Underestimate the Challenges!
Dan Farber, in his ZDNet article referring to Tony Scott, CTO of General Motors (10/19/03):
"The technology challenges, according to Scott, weren't significant, but the unforeseen business issues turned a three-month project into a year of hurdling social obstacles, such as coming up with agreements among the parties within the federation on enforcing compliance, liability definitions, dispute resolution procedures and auditing requirements"
Identity Federation Issues
1. Which standards and which versions for my business? (that's the easy part)
2. How to establish trust with federation partners?
3. How to manage risk and liability?
4. How to control costs?
5. Will it scale?
An Identity Network is the Solution
An Identity Network provides:
Minimum standards to establish confidence
Established interoperability test bed for new partners and new functions
Rules and regulations to control risk and liability
Procedures to handle disputes
Programs to address risk management
Services to facilitate use, solutions, and control
Members: Own and Govern the Network
Operating regulations: defined by membership
Mutual confidence: minimum standards and reviews
Risk of identity fraud: management programs based on
  Pooling of breach data
  Analysis of data
  Security and transactional activity monitoring
Liability: definition and control
  Defined liability conditions
  Dispute resolution procedures, based on rules
Programs for compliance
  Compliance with industry-specific regulation, i.e. Health
  Federation-specific agreements and processes
Legal framework
As the Need for Federation Expands...
Adding new partners to any federation:
Avoid negotiating new agreements on technology, process, risk, and liability
Expand to new partners and provide new services quickly and easily
Create effective risk management processes through
  Pooled expertise on breaches
  Network-wide deployment of risk techniques
  Network alert mechanisms to provide early warnings
Take advantage of interoperability tools to avoid re-tooling