However, trust between organizations is difficult to establish because organizations often have very different, sometimes competing priorities. Even within government agencies, the jurisdictional concerns make such collaboration difficult – and that is compounded in a competitive environment. Leveraging identities across organizations in some type of federation requires common policies and common processes that are adopted and implemented consistently – and that there is a legal framework governing the federation.
These are difficult issues to resolve, but the establishment of federations in which identities are trusted would be an important step forward in making it easier for individuals to understand and manage their digital identity. And in the absence of a federation that trusts identities issued by another authority, the number of identities that make up an individual’s overall digital identity will continue to expand.
What are the key issues we have to deal with when implementing identity management? How can they be resolved?
There are a number of issues that need to be addressed when implementing an identity management solution – many of these can be grouped around administration and deployment, security and lifecycle management of the identities.
One of the first issues in the implementation of an identity management solution is the establishment of trust for the identities. The ability to properly vet the individual before issuing the identity creates a foundation for trust – and the potential extension of the trust framework. The development of a common acceptable framework to issue an identity is an important factor in establishing that underlying trust.
In terms of administration it’s important that an identity management solution can be centrally administered so that policies can be implemented consistently and efficiently throughout the organization. From a security perspective, if central policies cannot be implemented consistently or enforced then it undermines the overall system.
It’s also important that an identity management system provides flexibility to apply different types of identities to different types of users. This reflects the fact that not all users are equal – that different roles may perform different types of transactions, with different risk levels. An effective identity management system will support many different authentication types, which in turn can support different security levels – such as one-time passwords versus digital certificates.
Based on your experience, what's the quality of the software used to work with open identity standards? What are the missing ingredients?
There’s a lot more acceptance today of the products that are using and leveraging open identity standards than was the case 3 to 5 years ago. However, to a large extent many of the projects that are being implemented are very slow to develop and are very basic applications. As an example, being able to leverage a Google ID across multiple sites is convenient to users and a significant step forward from what has been the case to date; however, the applications supported are not high value. The standards that have been developed in this area allow for more robust or stepped up authentication, but to date there has not been a significant movement to leverage this.
What's your take on government adoption of open identity technologies?
The government has provided a major impetus to the adoption of open identity technologies and to a large extent has led the way. They have been involved in standards-based federated models for many years, based largely on PKI using X.509 certificates.