Authentication? A Done Deal: Contrary to some of the wheel-reinventing heard around the rooms at the recent Identity Ecosystem Steering Group kickoff meeting in Rosemont, electronic authentication was solved about four years ago. The InCommon-NIH “Tao of Attributes” workshop officially signaled that the new frontier was attribute management in all its fuzzy dimensions. Often overlooked by the Usual Suspects (of which I am one) has been the banking and online retail industries’ highly successful use of non-credential-based, sort-of-two-factor transactional trust models for authenticating users to online services. Another sign that the authentication problem has been successfully resolved is the plethora of proposed International Standards efforts in this area. To the extent that the Identity Ecosystem Steering Group eschews standards-setting and drives for implementations, we will be able to gauge its potential for success. But I digress…
A Fun Time for the Meeting Addicted: The current frontier, on which the Usual Suspects have been laboring like Dr. Frankenstein on his Creature, is how to authorize user access to relying parties without the messy involvement of carbon-based life forms. To do this, we are harkening back to a process addressed by NIST years ago, which they called Role-Based Access Control. Of course, since everything old is new so long as its name is changed, we’re not calling this effort Son of RBAC; we’re talking XACML or metadata profiles or Rex the Wonder Dog. Nonetheless, it’s all the same: how to format an attribute, how to exchange it, how to know how to trust it, how to know whom to trust for an attribute and, finally, how to make calculated, real-time authorization decisions that will stand up to appropriate risk management review. My last count shows there are four “community of interest” working groups chewing on this piece of rawhide: one OIX work group, two FICAM work groups and at least one Internet2/InCommon group. Kantara is debating starting up yet another one and is likely to do so. And this count doesn’t even include agency-internal initiatives related to health IT and whatever the telecom industry, the SmartGrid folks, and their regulatory colleagues are talking about among themselves. Oh, it’s a Fun Time for those addicted to meetings.
The Rush to be Second: Nobody questions the need to bring attribute assertions and attribute management into play to further e-services and e-commerce. Nobody who’s part of the discussion pileup questions the ROI for deploying authentication and attribute management services, but the business operators who run those services, both in the private sector and in the government sector, are generally less than enthusiastic. Why, even when a positive ROI can be demonstrated? First of all, most (not all) of the business operators don’t believe the analyses. They see two things only: first, the burden of jumping into the unknown and changing business processes with the usual attendant risks, including substantial upfront costs; second, this stuff is pretty arcane to the average business operator, especially one who’s still struggling to understand online risk assessments and risk mitigation, identity management and electronic authentication. That said, these folks are generally willing to be third in line to adopt, so long as they can see at least two comparably sized implementations, sniff them, examine their books and get the nod from senior management.
Silly Season…Again: This is where federal agencies can have the most impact, as what the National Strategy calls “early adopters.” A few are out there, but it isn’t more than a handful, and some of those are huddled in a self-made silo. Mostly, agencies are ignoring Office of Management and Budget direction and hoarding their cash against possible Congressional sequestration in January. Agency managers are also waiting to see what the outcome of the November elections will be before doing anything more than keeping the motors idling. For those not familiar with the Washington, DC, climate, this is the Season of Paralysis. It happens every four years about this time, which by itself is a good reason why the private sector needs to offer up “early adopters” instead of waiting for government.
That said, some important government initiatives in this space continue to make themselves felt. More about some of this next time.