Federated ID Management: The Time is Now
Legal Expert Makes the Case for Federated Strategy It's been on the "to-do" list for many organizations, but now is the time to begin in earnest the migration to federated identity management.This is the counsel of Tom Smedinghoff, a partner at Chicago-based law firm Wildman Harrold. In an exclusive interview, Smedinghoff says there has been international recognition of the importance of federated identity management, and this concept is taking hold at the electronic level. Instead of websites and businesses identifying and authenticating every individual or business that they deal with, "We are starting to look at third-party identity providers to provide the identification that is needed to make the transaction work," Smedinghoff says.
When the Obama Administration did its Cyberspace Policy Review last May, one of its key recommendations was that the U.S. needs to build an identity management vision and strategy for the nation. This level of attention at a national level is what Smedinghoff thinks is attracting a lot of attention both domestically and internationally as a key solution to really scaling electronic commerce and electronic business activities to a higher level.
A separate national security advisory committee report to the President on identity management strategy at about the same time mirrors the Cyberspace Policy Review recommendation, he says. The General Services Administration, for example, now has a pilot project underway to allow citizens to interact with government agencies electronically using various forms of identification and electronic identification such as open ID, InfoCard and processes set up by another entity called The Kantara Initiative.
Four Hurdles
There are challenges facing industry and government when it comes to the implementation of federated identity management projects. The legal challenges are divided into four categories:
- Privacy and Security -- First and foremost is the sort of the general issue of privacy and security. "When we do identity management, we are collecting a lot of information about individuals. We are then storing and communicating that information to a third party, and so there is a fair amount of concern about what level of security are we providing for that information, and what are the various entities doing with it," he says.
- Legal Liability -- Another big legal issue Smedinghoff sees is liability, "particularly for identity providers who are concerned that when they go through the process of identifying somebody and then make that identification available to a third party -- what is their liability if they are wrong?"
- Frameworks and Rules -- "We need everybody who is participating to know what everybody else is responsible for doing, and need some assurance that they really are going to do it correctly, or if they don't that there is some sort of enforcement mechanism," he explains. There are organizations beginning to set up various contractual frameworks to deal with this issue.
- Existing Laws and Complications -- "There are all kinds of existing laws in a variety of areas that touch on the identity management processes. And as you do this across borders, of course, it complicates it even more," he says. When organizations are setting up an identity management process, they need to be cognizant of those existing laws and obviously make sure that the system complies.