In the simplest terms, a federated identity allows a user to access various web sites, enterprise applications and cloud services using a single sign-on. Federated identities are made possible when organizations agree to honor each other’s trust relationships, not only in terms of access but also in terms of entitlements. Establishing “ties of federation” — agreements between parties to share a set of policies governing user identities, authentication and authorization — provides users with a more convenient and secure way of accessing, using and moving between services, whether those services reside in the enterprise or in a cloud.
Federated identity policies go hand-in-hand with strong authentication policies. Whereas federation policies bridge the trust gap between members of the federation, strong authentication policies bridge the security gap, creating the secure access infrastructure to bring all members of the community together.
The federation of identity and authentication policies will eventually become standard practice in the cloud — not just because users will demand it as a matter of convenience. For organizations, federation also delivers cost benefits and improved security. Companies can centralize the access and authentication systems maintained by separate business units. They can reduce potential points of threat, such as unsafe password management practices, as users will no longer have to enter credentials and passwords in multiple places.
For federated identity policies to become more widely used, the information technology and security industry will have to knock down barriers to implementing such policies. Thus far, it appears the barriers are not economic or technological, but trust-related.
Federated identity models, like the strong authentication services that enforce them, are only as strong as their weakest link. Each member of the federation must be trusted to comply with the group’s security policies. Expanding the circle of trust means expanding the threat surface where problems could arise and increasing the potential for single points of failure in the community of trust.
The best way of ensuring that trust and security are preserved within communities of federation is to require all community members to enforce a uniform, acceptable level of strong authentication. Some IT industry initiatives are attempting to establish security standards that facilitate federated identities and authentication. For instance, the OASIS Security Services Technical Committee has developed the Security Assertion Markup Language (SAML), to facilitate web browser single sign-on. SAML appears to be evolving into the definitive standard for enterprises deploying web single sign-on solutions.
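The "uniform, acceptable level of strong authentication" that the paragraph above calls for has to be enforced at the point where a service provider consumes a SAML assertion, not just agreed on paper. The following is an added example, not code from the article or from OASIS: a relying-party policy check that accepts an assertion only if it comes from an issuer in the federation, is addressed to this service provider, is inside its validity window, and carries an authentication context at least as strong as the federation's floor. The trusted-issuer set, the service provider's entity ID, the strength ranking and the minimum strength are constructed policy values for illustration, and the XML signature (XML-DSig) is assumed to have already been verified by the SAML library before this function runs; this code only enforces policy on an assertion whose authenticity is already established.

```python
"""Relying-party policy checks on a SAML 2.0 assertion (added example).

Assumptions (not from the article): a hypothetical federation policy made of
a fixed set of trusted issuer entity IDs, our own entity ID, and a minimum
AuthnContext strength. Signature verification is assumed to happen upstream.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed federation policy (assumption for this example).
TRUSTED_ISSUERS = {"https://idp.partner-a.example/metadata"}
OUR_ENTITY_ID = "https://sp.example.org/saml/metadata"

# Ranking of SAML 2.0 authentication-context classes; higher means stronger.
# The ordering itself is a policy choice made for this example.
AUTHN_STRENGTH = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 3,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509": 3,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 4,
}
MIN_STRENGTH = 3  # federation floor: at least a one-time-password token


def _parse_time(value):
    """Parse the xs:dateTime form SAML uses, e.g. 2024-05-01T12:00:00Z (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now_utc):
    """Return a list of policy violations for the assertion; [] means accepted.

    now_utc is the current time as an xs:dateTime string, so the check is
    deterministic and testable.
    """
    problems = []
    now = _parse_time(now_utc)
    root = ET.fromstring(xml_text)

    # 1. Issuer must be a member of the federation.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in TRUSTED_ISSUERS:
        problems.append(f"issuer not in federation: {issuer!r}")

    # 2. Validity window and audience restriction.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before is None or not_on_or_after is None:
            problems.append("Conditions lacks a validity window")
        else:
            if now < _parse_time(not_before):
                problems.append("assertion not yet valid")
            if now >= _parse_time(not_on_or_after):
                problems.append("assertion expired")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if OUR_ENTITY_ID not in audiences:
            problems.append("assertion not addressed to this service provider")

    # 3. Authentication context must meet the federation's strength floor.
    ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                        default="", namespaces=NS).strip()
    if AUTHN_STRENGTH.get(ctx, 0) < MIN_STRENGTH:
        problems.append(f"authentication too weak for federation policy: {ctx or 'unknown'}")
    return problems


# Constructed sample assertion (signature element omitted; see module docstring).
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.partner-a.example/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@partner-a.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T11:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Same assertion, but the partner IdP only did password authentication.
WEAK_ASSERTION = GOOD_ASSERTION.replace("TimeSyncToken", "Password")

# Same assertion, but from an issuer that is not part of the federation.
UNKNOWN_ISSUER_ASSERTION = GOOD_ASSERTION.replace(
    "idp.partner-a.example/metadata", "idp.unknown.example/metadata")

if __name__ == "__main__":
    for name, doc in [("good", GOOD_ASSERTION), ("weak", WEAK_ASSERTION),
                      ("unknown issuer", UNKNOWN_ISSUER_ASSERTION)]:
        print(name, "->", check_assertion(doc, "2024-05-01T12:00:30Z") or "accepted")
```

The point of the strength table is the one the paragraph makes: a federation member that authenticates with a bare password is the weakest link, and the service provider is the only party positioned to refuse that session. Rejecting on audience and validity window keeps an assertion minted for one member from being replayed at another.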
As rapidly as the cloud is developing, a cybercrime-driven “dark cloud” is growing even more quickly in parallel. In the past, the dark cloud has been used by cyber criminals to lead consumers to infection points where a Trojan or other piece of malware is downloaded to their machine. For fraudsters, the emergence of private clouds represents an opportunity to kick open the doors to the enterprise. If establishing trust relationships is essential for getting productive participants into the cloud, fraud prevention is essential for keeping “the bad guys” out.
One of the most essential forms of fraud prevention is identity protection: ensuring users actually are who they claim to be. Fraud prevention and identity protection are among the most challenging and fast-changing disciplines within information security. Emerging threats arise at an ever-growing pace.