But that’s not all; beyond implementing the standards, IT will still have to provide for consistent and uniform risk definitions. “If you don’t have consistent risk definitions, you don’t have consistent risk enforcement,” Willis explains.
Unfortunately, it just isn’t feasible to come up with one set of definitions.
“Depending on who the constituents are, you’ll have different solutions,” Burton Group’s Kampman says. “You’ll have multiple processes coming together … and you have to aggregate them by community—internal users, external users, contractors, and so on.”
Virtualization poses another challenge. “When you’re collapsing the virtual environment to the mainframe environment, you have to manage the virtualized environments as well as the mainframe,” Burton Group’s Glazer says.
A solution to the problem of users having multiple identities to access different applications is at hand, through OpenID and the Kantara Initiative, two new identity initiatives now being worked on. Membership in the communities for both standards often overlaps, with many enterprises and bodies represented in both. OpenID is an open, decentralized standard for user authentication that lets users employ one digital identity to log onto many Web services: log in once, access many services. An OpenID is a unique URL; the user proves ownership of it to the OpenID provider, the service that vouches for that URL, and the provider in turn asserts the identity to the site the user is logging onto. The provider can authenticate the user through various technologies, including smart cards, biometrics, or passwords. OpenID providers include AOL, IBM, the BBC, Google, Microsoft, MySpace, PayPal, VeriSign, Yandex, Ustream, Yahoo, and Orange (a European wireless carrier). The OpenID Foundation was established in June 2007 to manage intellectual property and brand marks, as well as to foster the growth of OpenID. Board members include representatives from JanRain, Six Apart, Plaxo, Yahoo, Facebook, Google, IBM, Microsoft, PayPal, and VeriSign.
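What "log in once, access many services" rests on is the relying party's check of the assertion the provider sends back. The following is an added example, not code from the article or from any of the organizations it names: a minimal OpenID 2.0 relying-party verification of a positive assertion. The association MAC key and handle, the provider endpoint (https://op.example/server), the return URL (https://rp.example/login/finish) and the nonce are all constructed for the example. It checks that the mandatory fields are under the signature, that the assertion arrived at the return_to URL it names, that the HMAC over the Key-Value Form encoding matches, and that the nonce has not been seen before.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Constructed values. A real relying party receives the handle and MAC key from
# the provider during association and stores them keyed by handle.
OP_ENDPOINT = "https://op.example/server"                 # constructed provider endpoint
ASSOC_HANDLE = "{HMAC-SHA256}{constructed-1}"              # constructed
MAC_KEY = b"constructed-mac-key-for-this-example-only!"   # constructed; never hard-code in production
RETURN_TO = "https://rp.example/login/finish?sid=abc"     # constructed relying-party callback

# openid.signed must cover at least these (plus claimed_id/identity when present).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def kv_form(fields: dict, signed: list) -> bytes:
    """Key-Value Form encoding of the signed fields: 'key:value\\n' per field,
    keys without the 'openid.' prefix, in the order listed in openid.signed."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def sign(fields: dict, signed: list, mac_key: bytes) -> str:
    """HMAC-SHA256 over the Key-Value Form, base64 encoded (HMAC-SHA256 association type)."""
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_assertion(claimed_id: str, return_to: str, nonce: str, mac_key: bytes, handle: str) -> dict:
    """What the provider sends back once it has authenticated the user (provider side)."""
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,       # UTC timestamp followed by unique characters
        "openid.assoc_handle": handle,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed, mac_key)
    return fields


def assertion_url(return_to: str, fields: dict) -> str:
    """The provider redirects the browser to return_to with the assertion as query parameters."""
    return return_to + ("&" if "?" in return_to else "?") + urlencode(fields)


def return_to_matches(return_to: str, current_url: str) -> bool:
    """Scheme, authority and path must be identical, and every query parameter in
    return_to must be present in the URL the assertion arrived at with the same value."""
    r, c = urlsplit(return_to), urlsplit(current_url)
    if (r.scheme, r.netloc, r.path) != (c.scheme, c.netloc, c.path):
        return False
    rq = parse_qs(r.query, keep_blank_values=True)
    cq = parse_qs(c.query, keep_blank_values=True)
    return all(cq.get(k) == v for k, v in rq.items())


def verify_assertion(current_url: str, mac_key: bytes, handle: str, seen_nonces: set):
    """Relying-party checks. Returns (True, claimed_id) on success, (False, reason) otherwise."""
    f = {k: v[0] for k, v in parse_qs(urlsplit(current_url).query, keep_blank_values=True).items()}
    if f.get("openid.ns") != OPENID_NS or f.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    if f.get("openid.assoc_handle") != handle:
        return False, "unknown association handle"
    signed = f.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED <= set(signed):
        return False, "signature does not cover the mandatory fields"
    if "openid.claimed_id" in f and not {"claimed_id", "identity"} <= set(signed):
        return False, "identity fields not covered by the signature"
    if not return_to_matches(f.get("openid.return_to", ""), current_url):
        return False, "return_to does not match the URL the assertion arrived at"
    try:
        expected = sign(f, signed, mac_key)
    except KeyError:
        return False, "signed list names a field that is missing"
    if not hmac.compare_digest(expected, f.get("openid.sig", "")):
        return False, "bad signature"
    # One nonce per provider, accepted once: this is what stops a captured assertion being replayed.
    nonce_key = (f["openid.op_endpoint"], f["openid.response_nonce"])
    if nonce_key in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce_key)
    return True, f["openid.claimed_id"]


if __name__ == "__main__":
    seen = set()
    fields = make_assertion("https://alice.example/", RETURN_TO, "2009-09-15T10:12:00Zabc123", MAC_KEY, ASSOC_HANDLE)
    url = assertion_url(RETURN_TO, fields)
    print(verify_assertion(url, MAC_KEY, ASSOC_HANDLE, seen))   # accepted
    print(verify_assertion(url, MAC_KEY, ASSOC_HANDLE, seen))   # rejected: replayed nonce
```

Omitted here, and not optional in a real relying party: discovery on the claimed identifier to confirm that the asserting op_endpoint is authoritative for it. Without that step any provider the relying party has associated with could assert any URL. Nonce timestamps should also be bounded (reject assertions older than a few minutes) so the replay cache stays small.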
One of the first enterprises to leverage the single sign-on capabilities provided by OpenID is Sears, which is using OpenID as a marketing tool. In July, the retail giant launched the OpenID platform for Sears Communities. Through a single sign-on, the platform connects the more than one million visitors hitting Sears' Websites each month to major social media through the MySears and MyKmart sites. Consumers will be able to share information on products, services, and solutions. In the future, consumers will be able to share their posts and product reviews with their Facebook friends.
The Kantara Initiative, meanwhile, is a global organization formed in June after about a year of planning. It aims to bridge enterprise, Web 2.0, and Web-based identity initiatives. Funding comes from the Concordia Project, the Data Portability Project, the Information Card Foundation, the Internet Society, the Liberty Alliance, OpenLiberty.org, and XDI.org.
All output from the Initiative will be based on open standards. Solutions built under the Initiative could be based on one or a combination of several standards. The Kantara Initiative is governed by a board of trustees that includes representatives from Oracle, the Internet Society, AOL, British Telecom, CA, Intel, Fidelity Investments, Novell, NRI, NTT, PayPal, and the New Zealand government.
Where OpenID and Kantara Fit Into IAM and the Mainframe
Because the mainframe focuses on the access, or bottom layer of the identity management cake, its role when OpenID or the Kantara Initiative are brought into the enterprise is to receive the OpenID or Kantara identity, give it the access it needs to work, and then, when the task is over, get rid of that identity.
OpenID and the Kantara Initiative both create a dynamic, standard environment to deal with authentication, Perkins says. “If I wanted to provide identity management to many companies working together, how would I set up a system to work when they don’t have the same hardware, don’t abide by the same policies?” he asks. “You could define everybody in the world by one company’s mainframe or you could set up a system to dynamically create and trust an identity, allow it to be used and then, when it’s no longer required, it goes away.”
With orphan user accounts being a huge security problem, can IT be sure OpenID or Kantara Initiative technologies will ensure identities are erased when no longer needed? "They're working on it," Perkins says.
"OpenID, Kantara, and other identity initiatives want to set up standard rules for enforcement, commissioning and deprovisioning identities," he says. "They do the basic job of handling deprovisioning, but providing more detailed and granular levels of access in the form of authorization hasn't yet been perfected."
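Whether or not the federation standards end up guaranteeing deprovisioning, the mainframe side can enforce it locally rather than trust the identity provider to say when it is done. The following is an added example, not the article's or any vendor's code: a just-in-time account ledger that mints a short-lived local account for a federated identifier, expires it on a lease, and reconciles the system's account list against live leases to surface exactly the orphan accounts the text worries about. Assumptions: 8-character account names (the RACF user ID limit), a constructed "F" prefix marking accounts minted for federated users, and a constructed eight-hour lease.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

JIT_PREFIX = "F"  # constructed convention: accounts minted for federated users start with F


@dataclass
class Lease:
    account: str
    federated_id: str   # the OpenID claimed identifier this account was minted for
    expires: datetime


class JitAccounts:
    """Local accounts that exist only while a federated identity holds a live lease."""

    def __init__(self, lease: timedelta):
        self.lease = lease
        self.by_account: dict[str, Lease] = {}

    @staticmethod
    def account_name(federated_id: str) -> str:
        """8-character name (assumed RACF limit): prefix plus 7 hex digits of the identifier's hash."""
        digest = hashlib.sha256(federated_id.encode()).hexdigest()
        return JIT_PREFIX + digest[:7].upper()

    def grant(self, federated_id: str, now: datetime) -> str:
        """Mint, or renew the lease on, the account for this identity; returns the account name."""
        name = self.account_name(federated_id)
        current = self.by_account.get(name)
        if current is not None and current.federated_id != federated_id:
            # Two identifiers hashed to the same short name: refuse rather than share the account.
            raise ValueError(f"{name} already belongs to {current.federated_id}")
        self.by_account[name] = Lease(name, federated_id, now + self.lease)
        return name

    def release(self, federated_id: str) -> bool:
        """Explicit deprovisioning when the task is over; True if an account was removed."""
        return self.by_account.pop(self.account_name(federated_id), None) is not None

    def sweep(self, now: datetime) -> list:
        """Deprovision every account whose lease has expired; returns the names removed."""
        expired = sorted(n for n, l in self.by_account.items() if l.expires <= now)
        for n in expired:
            del self.by_account[n]
        return expired

    def orphans(self, system_accounts, now: datetime) -> list:
        """Reconcile a listing of accounts actually present on the system against live leases.
        Anything in the federated namespace with no live lease is an orphan and should be removed."""
        live = {n for n, l in self.by_account.items() if l.expires > now}
        return sorted(a for a in system_accounts if a.startswith(JIT_PREFIX) and a not in live)


if __name__ == "__main__":
    t0 = datetime(2009, 9, 1, 12, 0, tzinfo=timezone.utc)
    jit = JitAccounts(timedelta(hours=8))
    acct = jit.grant("https://alice.example/", t0)
    print(acct, jit.sweep(t0 + timedelta(hours=9)))
    # Constructed system listing: a leftover federated account nobody released.
    print(jit.orphans({acct, "SYSADM", "F0000001"}, t0 + timedelta(hours=9)))
```

The sweep handles the normal case; the reconciliation is the control that catches the abnormal one, such as an account created outside the ledger or left behind after a crash. Running it on a schedule against the real account listing, and deleting what it reports, is what turns "they're working on it" into something IT can verify.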
So far, there are no standards for establishing or enforcing granular levels of access, but OpenID and the Kantara Initiative are working on this, according to Perkins. The issue may be moot anyway.
“When you want granular access, you wouldn’t go to OpenID or Kantara, you would go to the company you’re working with and they’ll give you a proprietary manual form of access,” Perkins explains. ME