According to Burton Group, identity federation can be defined as ‘the agreements, standards and technologies that make identity and entitlements portable’. There are three main federation models – simple (point-to-point), hub and spoke (uni- or bi-lateral) and circle of trust (many-to-many).
Today, most federated identity implementations are limited to point-to-point, also known as pairwise, deployments either between different business units or business partners with existing relationships. According to Gartner’s ‘Hype Cycle for Identity and Access Management Technologies, 2005’, federated identity management is defined as an emerging technology which is ‘Climbing the Slope’, with estimated market penetration of one to five per cent of target audience during 2005.
The success of the next wave, likely to consist of industry-specific federations, and of the stage following that, in which federations are achieved across industries and between organisations with little or no past history, depends heavily on a number of factors, not least on proving that the business benefits of federation are achievable and that the potential pitfalls and barriers can be overcome.
In a recent survey conducted by my company, participants were asked whether they planned or had already embarked upon a federation solution and, if so, what was their primary business use case. Over half (51 per cent) stated that integrating applications across business units or divisions was their primary motivation. Some 12 per cent claimed that providing access to outsourced services was the main business driver and a further 12 per cent were application service providers wanting to streamline the delivery of services. Of the remaining respondents, 7 per cent were developing a customer-facing portal and needed to enhance the end-user experience and 4 per cent wanted to connect with supply chain partners. No-one was attempting to cross-sell with third-party products and services.
The potential benefits of successful federation projects are numerous and include facilitating core business models, increasing security and control, decreasing costs, simplifying the user experience and creating a repeatable solution that allows the benefits to be reaped several times over. Federated identity allows new applications, such as secure collaboration, to flourish in certain industries. This can help generate revenue opportunities by helping businesses to win new and retain existing customers and to expand the value of client relationships. Early adopters also have the opportunity to gain competitive advantage over those who are late to realise the benefits.
There are several common pitfalls businesses must consider if they are to make the most of federation projects. In many cases there is far too much emphasis on the technology issues – e.g. getting tied up in the implications of using one standard as opposed to another. While technology is clearly key, the business benefits must be the main thrust of any business case. In some instances the business case is simply not clear enough and organisations have adopted an ‘if we build it, they will come’ strategy. Given the relative immaturity of identity federation, more needs to be done to ensure that business units, partners and fellow industry players fully understand the potential benefits and risks of federation projects, and have the necessary intelligence to embrace and support federated communities.
Too often, federation projects suffer from poor motivation/co-ordination with business partners. This may be because the complexity of the options available has been underestimated and is usually caused by a lack of a clear business case. Another fundamental flaw can be that the operational and potential legal risks are seen to outweigh the benefits. A good way of avoiding this is to ensure that the legal and risk teams are consulted at the beginning and not the tail end of the project.
When developing a business framework, the business opportunity must be meaningful and realistic. The various units of an organisation must be brought in from the beginning and need to understand precisely what it is that they are being asked to embark upon and why. The same is true for partner organisations. Short-term milestones need to be identified in order to justify the investments that are being made – creating small goals and over-achieving them is a valuable strategy. It may sound obvious, but revenues or cost savings must also demonstrably exceed the cost of the project itself. Another key element to any successful federation project is making the solution repeatable. Organisations must avoid complexity for the sake of complexity and start simple, creating a template for the next project using open standards wherever possible.
The role of the legal and/or risk teams is key to ensuring the success of any federation project. Appropriate levels of trust and liability must be established before embarking on the project, which inevitably means involving and securing the buy-in of legal representatives. Most parties will accept some level of risk as part of the cost of doing business, but the benefits must be seen to outweigh it.
Getting the deal done means starting small and breaking the project down into manageable, repeatable parts. Bring the legal team in early and don’t accept ‘liability hysteria’; try to break it down into real-life corollaries. Analyse the appetite for risk from partners and seek explicit assumptions of risk from users if at all possible. For customer-facing applications, review privacy policies and adjust them if necessary, and make sure you have polled customers to determine how likely they are to feel the benefit. In some cases it can also be beneficial to look into insurance options to ensure the organisation is covered if the worst should happen.
Looking to the future, there can be no doubt that federation is here to stay and adoption will increase amongst those organisations for which it makes good business sense. Like-minded parties will find each other and create trusted communities amongst themselves, which will eventually expand to include companies they may not have an existing relationship with. Yet widespread federation will only happen in conjunction with clear understanding of the benefits and evidence that the advantages outweigh potential risks.
The standards debate will undoubtedly impact the viability of making federation a reality, and the standards must continue to evolve in order to facilitate implementations. We may also see the insurance industry offering products to limit liability when federation hits the mainstream. But before any of this can happen, it is the visionaries and early adopters creating and realising business cases today who will pave the way for the dynamic federation of the future.