Identity Federation Rules and Process

Linda ElliottPresident, PingID Network

Electronic Authentication PartnershipWashington, DC

February 12, 2004

Copyright PingID Network, 2003

Identity Federation

The Linking of Identity SystemsThe Linking of Identity SystemsEnables Cross-Boundary Security & Convenience

Copyright PingID Network, 2003

Thinking about the Issues

Issues and component parts Technical Federation Standards:

Liberty Alliance, SAML, WS-*, Shibboleth

Certificates and Certificate Policy: Private industry (Verisign, Entrust), Identrus

Privacy: ISTPA, Liberty Alliance

Contracts are most common approach to formalizing specifics Existing business alliances augment contracts New federations attempt bilateral agreements

Copyright PingID Network, 2003

Don’t Underestimate the Challenges !!

Dan Farber in his article on ZDNET referring to Tony Scott, CTO of General Motors (10/19/03):

"The technology challenges, according to Scott, weren't significant, but the unforeseen business issues turned a three-month project into a year of hurdling social obstacles, such as coming up with agreements among the parties within the federation on enforcing compliance, liability definitions, dispute resolution procedures and auditing requirements"

Copyright PingID Network, 2003

Identity Federation Issues

1. Which standards and which versions for my business ? (that’s the easy part)

2. How to establish trust with federation partners ?

3. How to manage risk and liability ?

4. How to control costs ?

5. Will it scale ?

Copyright PingID Network, 2003

An Identity Network is the Solution

An Identity Network provides …

Minimum standards to establish Confidence Established Interoperability Test bed for new partners and new function Rules and regulations to control Risk and

Liability Procedures to handle disputes Programs to address Risk Management Services to facilitate use, solutions, control

Copyright PingID Network, 2003

Members: Own & Govern the Network Operating Regulations: Defined by Membership Mutual Confidence: Minimum Standards and Reviews Risk of Identity Fraud: Management programs based on

Pooling of breach data Analysis of data Security & transactional activity monitoring

Liability : Definition and control Defined liability conditions Dispute resolution procedures, based on rules

Programs: for compliance Compliance with industry-specific regulation, ie Health Federation specific agreements, processes

Legal Framework

Copyright PingID Network, 2003

As the need for Federation expands…

Adding New Partners to any Federation… Avoid negotiating new agreements on technology, process,

risk, and liability Expand to new partners and provide new services quickly

and easily Create effective risk management processes through

Pooled expertise on breaches Network-wide deployment of risk techniques Network alert mechanisms to provide early warnings

Take advantage of interoperability tools to avoid re-tooling

Copyright PingID Network, 2003

Network Overview

Shared Legal FrameworkShared Legal FrameworkStandards | Risk | Liability | Quality | Disputes | Brand