Federated ID Management: The Time is Now

Legal Expert Makes the Case for Federated Strategy It's been on the "to-do" list for many organizations, but now is the time to begin in earnest the migration to federated identity management.

This is the counsel of Tom Smedinghoff, a partner at Chicago-based law firm Wildman Harrold. In an exclusive interview, Smedinghoff says there has been international recognition of the importance of federated identity management, and this concept is taking hold at the electronic level. Instead of websites and businesses identifying and authenticating every individual or business that they deal with, "We are starting to look at third-party identity providers to provide the identification that is needed to make the transaction work," Smedinghoff says.

When the Obama Administration did its Cyberspace Policy Review last May, one of its key recommendations was that the U.S. needs to build an identity management vision and strategy for the nation. This level of attention at a national level is what Smedinghoff thinks is attracting a lot of attention both domestically and internationally as a key solution to really scaling electronic commerce and electronic business activities to a higher level.

A separate national security advisory committee report to the President on identity management strategy at about the same time mirrors the Cyberspace Policy Review recommendation, he says. The General Services Administration, for example, now has a pilot project underway to allow citizens to interact with government agencies electronically using various forms of identification and electronic identification such as open ID, InfoCard and processes set up by another entity called The Kantara Initiative.

Four Hurdles
There are challenges facing industry and government when it comes to the implementation of federated identity management projects. The legal challenges are divided into four categories:

  • Privacy and Security -- First and foremost is the sort of the general issue of privacy and security. "When we do identity management, we are collecting a lot of information about individuals. We are then storing and communicating that information to a third party, and so there is a fair amount of concern about what level of security are we providing for that information, and what are the various entities doing with it," he says.

  • Legal Liability -- Another big legal issue Smedinghoff sees is liability, "particularly for identity providers who are concerned that when they go through the process of identifying somebody and then make that identification available to a third party -- what is their liability if they are wrong?"

  • Frameworks and Rules -- "We need everybody who is participating to know what everybody else is responsible for doing, and need some assurance that they really are going to do it correctly, or if they don't that there is some sort of enforcement mechanism," he explains. There are organizations beginning to set up various contractual frameworks to deal with this issue.

  • Existing Laws and Complications -- "There are all kinds of existing laws in a variety of areas that touch on the identity management processes. And as you do this across borders, of course, it complicates it even more," he says. When organizations are setting up an identity management process, they need to be cognizant of those existing laws and obviously make sure that the system complies.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.