In Depth

The Truth About Federated Identity Management

When it comes to setting up federated identity management, the security benefits (and potential drawbacks) are not what you might expect

By Sarah D. Scalet

October 01, 2006 | CSO

Aramark, the $11 billion food-service company, would seem an ideal candidate to trailblaze federated identity management—a process that allows business partners to automatically access each other's computer systems—without requiring multiple layers of passwords.

Aramark has the right kinds of clients: universities and Fortune 500 corporations with multimillion-dollar annual catering accounts (and big IT budgets). It has the right kind of e-commerce business model: Every week, employees from 250 companies at 425 locations log on to Aramark's proprietary Web-based software, MyAssistant.com, where they order everything from sandwiches and brownies to conference rooms and microphones. And Aramark has the technical know-how: It has actually already implemented the technology, using a tool from Ping Identity. This year, at one customer's request, Aramark began allowing 4,500 of the customer's employees to log on to MyAssistant simply by being logged on to their own company's network.

So why haven't Aramark's other business partners signed up?

Turns out that Aramark, which can make such a strong business and security case for federated identity management, also provides a good demonstration of how few companies are actually ready to forge such close ties—and take such a bold security step—with their business partners.

On the positive side of the ledger, "It takes the onus of security away from us and puts it on the client organization, where it belongs," says Steve Erickson, VP of IT for business services at Aramark (which recently agreed to be acquired by a group of private-equity investors who include the company's CEO), about Aramark's implementation of the technology. "They're the ones who know when an employee leaves their organization. That inherently makes our application more secure, because we can trust the fact that, in the case of this one client, anyone coming into our application is coming in through their network."

However, Erickson also notes, "We've made it known to new customers that we have the capability; everybody's heads nod up and down, but the difficulty lies in taking it to the next step. We've only been in serious discussions about it with three different organizations in the past year. That just makes me think it's a relatively immature market."

Maybe, but it just as well could mean that for all the potential benefits of federated identity management, it may never take off beyond a few niche applications. Indeed, companies are wise to be cautious before jumping onto the federated identity management bandwagon. History is littered with supposedly revolutionary communication methods that sputtered and failed from too few adopters—picture telegraphy, the 1964 World's Fair Picturephone, the satellite telephone. It's anything but certain that federation will ever reach a critical mass, where enough people have it that everyone wants it.
