Despite industry efforts to standardise identity management infrastructures, Australia’s end user decisions are still clouded by products with interoperability issues, says Michael Warrilow, research director at analyst firm Hydrasight.
Warrilow says vendors are not doing enough to ensure interoperability. In recent years, larger players have acquired smaller vendors to build out an identity ‘stack’ as part of a broader infrastructure. “Having a good ‘story’ on security and identity helps the major vendors lock in customers,” Warrilow says.
He adds that this lock-in has been focused primarily on internal applications and web front-ends.
“Vendors need to ensure they focus on moving towards efficient means of allowing trust and passage of information between organisations,” he says. “Right now, many organisations are forced to resort to using email to send information, [because] of the minimal identity management required.”
On standards, Warrilow says some — like LDAP — have become “de facto” standards, while others like SAML (Security Assertion Markup Language) have only had moderate uptake.
“What is needed is a way to graduate or increment security, dependent upon the use scenario,” he says. “Web services represents our best hope to improve this situation and create loosely-defined trust relationships to allow improved ‘federation’.”
One organisation facing a massive identity management challenge is the New South Wales government, with its efforts to integrate services across departments. A NSW Department of Commerce spokesperson says the agencies are very experienced in the offline identity management of their external clients but there are still many issues involved.
Such issues include the “practical scope of online identity management” and the “variety of needs across large organisations”.
The spokesperson also says the lifecycle costs and benefits of identity management systems “when transactions between individual clients and government service providers are infrequent” are also a problem.
Hewlett-Packard’s CTO for identity management and security, Jason Rouault, says there are standards relating to authentication, but types of authentication typically don’t have standards from a vendor support point of view.
“Each vendor has its own APIs and that’s a big issue, because enterprises that roll out identity management need to support many vendors.
“A new wave of hosted business applications provides a strong case for federation, which also has the ability to share attribute information,” he says. Rouault is working on standards-based identity management with the Liberty Alliance.
Novell’s chief technology officer for identity-driven products, Carlos Montero-Luque, agrees the industry “hasn’t got there yet”, but is moving in that direction.
“It used to be a very locked-down environment with strict requirements [and] that is changing substantially,” Montero-Luque says.
“If the vendor cannot give you a good story for interoperability, then the vendor is asking you to work around them,” he says.