Are we heading for Identity Management Federation (Part 2)

by [Published on 13 Nov. 2013 / Last Updated on 13 Nov. 2013]

In this article we will cover federation and the benefits of true federation and how this area is starting to evolve.

If you would like to be notified of when Ricky Magalhaes releases the next part in this article series please sign up to our WindowSecurity.com Real-Time Article Update newsletter.

If you would like to read the first part in this article series please go to Are we heading for Identity Management Federation? (Part 1).

Introduction

In the previous article we covered familiar authentication methods and what constitutes two and multifactor authentication. We also covered the different token types.

With more authentication methods than ever before, previously we noted that hardware has progressed to a point that can facilitate complex authentication processes.

Federated cloud and authentication

Federation could be the way forward. Leveraging our established authentication databases that already exist and form part of intermeshed authentication systems that are always available and reliable, build a compelling argument. Federation solves the issue of inconvenience and ease of use. Enabling a single sign on (SSO) for users to logon to different sites without sharing their credentials with every site is authentication moving in the right direction. Fewer passwords need be dealt with and strong authentication can become more pervasive.

Ultimately it will probably culminate in biometric and contextual authentication that checks many unique user elements to authenticate you. This is still maturing so it’s not yet defined and agreed as a global standard.

Federated credentials let users choose strong credentials through a federated identity provider. Federated credentials were initially used within corporations so that colleagues could use their own logins to access business resources on multiple systems without having to login multiple times using different credentials. A good example of this is using MSN/Hotmail credentials with MS Lync to be able to use the corporate Lync with private credentials. Very convenient system. Federation also allowed for one Lync system to be connected to other Lync systems forming a super cloud of Lync systems so that an employee of one company could easily communicate with another companies Lync system. These days the trend is for some online companies to allow users to login using their social media credentials.

With the global move to the cloud, a federated cloud is likely to be the next obvious progression, it has begun to evolve but the feeling is that it will accelerate now as credentials are becoming more centric to security. The cloud is available to everyone and is everywhere and in our industry we have noticed that authentication can be a pain for dev teams to implement so why not use someone else’s system to do the security. It boasts ultra-low inactivity and is instantaneous with low latency to highly available systems and often one or more large providers can be used in conjunction with internal credentials for DR. The idea is to connect multiple in-the-cloud services with a single-sign-on authentication solution.

Identity federation is one of the ideas that cloud computing is bringing to reality more rapidly than if the cloud did not exist. It is a single authenticated user identity that is accepted as binding across a wide selection of systems.

Who is doing it?

At the moment my team has seen a massive influx of requests from universities and educational entities to use federated access control. Not only are the education institutions federating with each other but also with industry that they are close to. It feels like the start of global identity management systems that solves this authentication conundrum.

The concept of a federated cloud is a good one. The idea sounds simple enough however the implementation is much more challenging. With standard committees in agreement that issues will exist. If a company owns a customer’s directory they have a huge advantage in owning the rest of the networks infrastructure as vendors prefer to feature their own solutions to the detriment of others.

A federated cloud will benefit both end-users as well as providers but the journey to a streamlined federated cloud for providers and users is challenging. It requires collaborative determination from all parties involved. For the federated cloud to work we need to be able to determine trust so that the risk for each transaction can be managed.

Challenges facing cloud federation

  • It becomes difficult for service providers to determine which load to share and how to share the load
  • It is difficult to deploy and migrate virtual machines with flexibility and speed
  • Service load would need to be coordinated amongst service providers for optimal end- user performance
  • A common authentication system would need to be established
  • Cloud providers would need to ensure data and app security
  • Cloud providers would need to ensure secure connectivity between clouds
  • A system is required for easy management of applications within the federated cloud. Administrators would need tools that would work across all clouds for management and monitoring of applications used. This is challenging as most cloud providers have their own unique set of management tools.
  • There is a need for guidelines to be laid out by standard bodies and industry confederations with regards to the architecture and technology standards needed to support the federated cloud
  • The cost of implementing this without skills is still relatively high and if done in isolation can become prohibitive.
  • System is mostly no onsite.

Benefits acquired from a federated cloud

  • Local infrastructures are connected globally through a federated cloud bringing the global marketplace into reach.
  • Lower total cost of ownership
  • Authentication solution that is sure to use best practise and be more available than anything that could be provided in-house.
  • Use of key standards for authentication to become more congruent and standardised.
  • Users have access to all applications and services, accessible via a single sign on authentication method
  • Users have the option of utilising multiple clouds for different applications as required by business needs. Certain clouds could be used for applications that might require higher security and others that might require scalability. Flexibility is increased.
  • Costs are reduced by running certain business applications in the correct cloud environment
  • Profits are maximised through servicing more customers using existing infrastructure

Below are some common authentication standards that are prevalent and becoming more common.

Ref: https://www.oasis-open.org and http://www.authenticationworld.com

SAML

Secure Assertion Markup Language. A widely adopted method of accepting user authentication between different enterprises.

MicroID

MicroID is a new Identity layer to the web and Microformats that allows anyone to simply claim verifiable ownership over their own pages and content hosted anywhere.

OpenID

OpenID is an open, decentralized, free framework for user-centric digital identity that uses URI (also called a URL or web address) as a means of identity authentication. 

SXIP

A commercially available product that offers users the ability to control their own identity information and authentication in use with blogs and other applications.

Shibboleth

A protocol establishing identity trust between enterprises. This was developed as part of the Internet2 initiaitve. It is used in some universities.

INames

A new service offering a centralized user controlled identity data store as well as providing authentication trust between enterprises

The above will give you a good view of what’s out there but note that this is a discipline that is evolving and will normalise based on what is used more. Eventually this area will condense into one or two platforms. The key is to back the right solution now so that your organisation is future proofed.

Conclusion

Federation is rapidly evolving just on varying scales at the moment. Some cloud service providers are starting to join forces to improve their individual prospects for long term growth and sustainability. Amazon is a great example of federation; they have a global online sales site through which orders are placed with companies throughout the world.

Federated identity may vary from organisation to organisation but we all share the same end goal. We need to provide more services with no added expense. We need secure, user friendly authentication for a broad range of applications, working within a diverse community of users on a variety of devices and platforms.

For the federation to become reality, we need standards committees and governments on board and commitment from service providers, vendors and partners.

For cloud computing to expand and succeed federation is necessary. We want to take advantage of all the cloud capabilities but without the complexity and risk. A federated cloud environment encompassing external and internal clouds will enable organisations to meet user and corporate demands with the flexibility not otherwise possible.

Future authentication must be more effective than today’s passwords but as easy or easier to use.

If you would like to be notified of when Ricky Magalhaes releases the next part in this article series please sign up to our WindowSecurity.com Real-Time Article Update newsletter.

If you would like to read the first part in this article series please go to Are we heading for Identity Management Federation? (Part 1).

Featured Links