The Case for Federated ID Management
So says Tom Smedinghoff, partner at Chicago-based law firm Wildman Harrold. In an exclusive interview, Smedinghoff discusses:
Smedinghoff is a partner at Wildman Harrold, where his practice focuses on the new legal issues relating to the developing field of information law and electronic business activities. He is internationally recognized for his leadership in addressing emerging legal issues regarding electronic transactions, information security, and digital signature authentication issues from both a transactional and public policy perspective. He has been retained to structure and implement e-commerce, identity management and information security legal infrastructures for the federal government, and national and international businesses including banks, insurance companies, investment companies, and certification authorities. He also frequently counsels clients on the law relating to first-of-their-kind electronic transactions, privacy, information security legal matters, and e-commerce initiatives. At the same time, he has been actively involved in developing legislation and public policy in the area of electronic business at the state, national, and international levels.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today with Tom Smedinghoff, a partner at Wildman Harrold, a Chicago law firm. Tom, thanks so much for joining me.
TOM SMEDINGHOFF: Thank you.
FIELD: Just to get us started, why don't you tell us a little bit about your work and the firm and, of course, your work around federated identity management.
SMEDINGHOFF: Well, sure. I actually have a law practice that focuses very heavily on electronic business activities of all sorts, and we deal quite extensively with data privacy, data security, electronic transactions and those kinds of things. And as part of that, we get involved quite extensively in a variety of different identity management issues ranging from security compliance for access control to PKI systems and pulling those kinds of systems together, as well as sort of the newer forms of federated identity management, which are starting to really come into their own.
FIELD: Well, Tom, let's talk about federated identity management. It's a topic and a conversation that people have been having for years now, but in 2010 what's new here?
SMEDINGHOFF: Well, I think in part what we are seeing is a real, both national and international recognition of the importance of federated identity management. Maybe if I could back up for just a second and talk a little bit about what it is that we are dealing with here, I think that might be instructive as we go through. The best example I like to use is the process that you go through when you board an airplane at the airport and you go through security. The TSA could go through a process of identifying all passengers, issuing them some sort of a credential or an identification document and then maintaining a database, so as passengers go through they would check them against that database and so forth.
But what they do instead is really a whole lot more efficient and a whole lot more economical, and that is to rely on an identification process done by somebody else -- in this case it is a government entity typically that issues driver's licenses at a state level or passports at the federal level. But by relying on this sort of identification of a third party, it is much more economical, much more efficient and works better for everybody involved and of course the passengers don't need to carry an extra identification document.
This concept is taking hold at the electronic level. Where instead of websites and businesses identifying and authenticating every individual or business that they deal with, we are starting to look at third-party identity providers to provide the identification that is needed to make the transaction work.
And this is really what I think is attracting a lot of attention both domestically and internationally as a key solution to really scaling electronic commerce and electronic business activities to a higher level. And so what we are seeing, for example, is that when the Obama Administration did its Cyberspace Policy Review last May, one of its key recommendations was that we need to build an identity management vision and strategy for the nation.
There was another national security advisory committee report to the President on identity management strategy at about the same time that came up with a very similar recommendation. And so now we have the Administration working on a process to develop what they are referring to as a national strategy for secure online transactions.
And we are also seeing a fair amount of activity in this area. The General Services Administration, for example, now has a pilot project underway to allow basically citizens to interact with government agencies electronically using various forms of identification and electronic identification such as OpenID, InfoCard, and processes set up by another entity called the Kantara Initiative, and we see this in various industry groups, as well as in the pharmaceutical area, in the aerospace industry, in the financial industry and so forth.
So, I think we are going to see a lot of activity and a lot of focus on looking at various ways to really leverage the identity management processes that we need for sort of a safe and secure electronic commerce process.
FIELD: Well, Tom, you did a good job sort of pointing out why organizations need to care about this now, but let me ask you: What are the challenges to implementing a federated strategy?
SMEDINGHOFF: Well, there are a lot, and that is something that you can't really minimize. There are, of course, technical challenges and cost issues and so forth. Where I focus my efforts is on the legal side of dealing with federated identity management. When we look at the legal challenges, I tend to basically put them into four categories. First and foremost is the sort of general issue of privacy and security. When we do identity management, we are collecting a lot of information about individuals, we are then storing and communicating that information to a relying party, and so there is a fair amount of concern about what level of security we are providing for that information, and what are the various entities doing with it? So, privacy and security is a key element.
Another big legal issue is liability, particularly for identity providers who are concerned that when they go through the process of identifying somebody and then make that identification available to a third party, what is their liability if they are wrong? And so that is sort of a big unanswered question when it comes to the legal side.
Third, from a legal perspective, in order to make this work we really need rules. We need everybody who is participating to know what everybody else is responsible for doing, and need some assurance that they really are going to do it correctly, or if they don't that there is some sort of enforcement mechanism. We are starting to see various contractual frameworks set up to deal with this.
And then finally there is sort of the overriding concern that comes into play here about existing laws. There are all kinds of existing laws in a variety of areas that touch on the identity management processes. And as you do this across borders, of course, it complicates it even more. So, when setting up an identity management process, you need to be cognizant of those existing laws and obviously make sure that the system complies with the existing laws that are out there.
FIELD: One more challenge I want to run by you, Tom, and that is: How in tough economic times can a security executive build the business case for federated identity management? What do you recommend there?
SMEDINGHOFF: Well, that is always the $64,000 question when it comes to security kinds of issues. I think the biggest driver here is, well, two things; one is, if done properly, it really can provide the trust framework that is needed to make significant kinds of electronic commerce activities really viable. And to the extent that it can open up more opportunities for businesses, I think, it is definitely an advantage there.
The other thing I guess I would focus on is the fact that the efficiencies and the cost savings that can be obtained through identity management processes can really allow businesses to scale their electronic operations much more rapidly and much more cheaply. And again, just to highlight that, I go back to my TSA example at the airport. It is a lot cheaper and a lot more efficient for TSA to rely on the identity credentials they get from the government agencies that issue driver's licenses, for example, than it would be for the TSA to do their thing. And so I think from a business perspective, that does provide some very significant opportunities.
FIELD: Tom, one last question for you. Based on everything that we have discussed today, if you could boil it down, what advice would you give to organizations that are weighing the federated approach now?
SMEDINGHOFF: Well, of course, I am looking at it from the legal side, but a couple of thoughts that I think are important:
I think generally everybody needs to recognize that they need what is starting to be called a contractual trust framework, which is basically a set of agreed-upon rules that defines the rights and responsibilities of all of the various parties in an identity management or federated identity management situation.
Because the law that exists today is really very sketchy when it comes to identity management, the parties really need to agree on the rules, and they need to agree on those rules in a way that will give them the confidence that everybody else in the system is going to perform properly.
And then the second thing I would mention, as I alluded to earlier, was that the law isn't very well developed here, but there are a number of varying laws out there that are going to affect the federated identity management system processes. So you need to be aware of those and watch out for them, so that they don't cause you a problem as you work through setting up these kinds of systems.
FIELD: Very good. Tom, I want to thank you for your time and your insight today.
SMEDINGHOFF: Okay, thank you very much.
FIELD: We have been talking about federated identity management, and we have been talking with Tom Smedinghoff, a partner at Wildman Harrold.
For Information Security Media Group, I'm Tom Field. Thank you very much.