CTO Blog

Opinions expressed on this blog reflect the writer’s views and not the position of the Capgemini Group

Secure ID – gets a workaround with support from key vendors

Category : Security

A secure ID is one of the key underlying systems for most in-house IT systems, but as we move into a Web 2.0 world, does this go far enough? We really need a federated ID that is still secure for in-house systems, but also enables the IT department to contemplate the Web 2.0-style interactions which are increasingly driving a lot of the new business value. Of course there is nothing new about this, but it’s a lot easier to describe the requirement than to deliver the solution. Everyone has some level of ID solution already, and federation means getting lots of different people and enterprises to agree that a common interest is as important as, if not more important than, their own interests. The wish list has been in place for some time now, as have some of the basic ingredients to build on, so we are now in the boring but critical phase of real ‘nuts and bolts’ work. I assume it’s for this reason that the announcements of real success came some way after the ‘sexy’ announcement that the problem was being addressed. So what and where have we got to now? Microsoft has just announced beta 2 of its ‘cloud’ ID management product, code-named Geneva (I suppose they had to add the term cloud, but this is not just about clouds; federated IDs are simply a fundamental requirement). There is a full write-up on the Microsoft blogs at MSDN. What got me excited is that Microsoft had not previously been too enthusiastic about supporting an approach based around the Security Assertion Markup Language, SAML. Instead, they have wanted to base ID on their own approach to the W3C Web Services Specification – Federation, sometimes known as WS-F. Others in the industry have been in general agreement over the adoption of SAML, but now in Geneva beta 2 not only is there full support for SAML, there are also some really good examples to prove that it works with four important partners: SAP, Sun, Novell and CA.
That means we have five major software providers actually demonstrating that they really can make the basics of an interoperable ID work. But hidden in this statement is something pretty important. The interoperability is achieved by what I will call a ‘sensible compromise’, though of course there are critics who say that Geneva is using SAML in the wrong way. You can read up on this in detail at the NetworkWorld blog, which states ‘Microsoft Geneva could be genius, but sceptics abound’. SAML is actually in two major parts: an open token called the SAML Assertion; and the profiles, with ancillary information, that manage the tasks of sign-on and so on. In Microsoft’s approach to WS-F, the separation between the two parts is complete and allows a number of different but recognisable security tokens, such as Kerberos, to be used. The positive side is that this makes it possible for an enterprise using the Microsoft version of WS-F to work with a number of different enterprises that already have some security token management scheme in use. The negative side is that the token is supposed to be a SAML Assertion to ensure that a full and correct WS-F implementation is in place between the two enterprises. Actually, SAML is a lot more complicated than this, and I should point out that there is SAML SP Lite to make the use of the standard easier. In particular, it’s worth knowing that the US Government has a defined specification for supporting SAML which some claim to be the ‘guide’ to use. However, getting any standard in place between enterprises requires enough early adopters in the first wave to drive the less enthusiastic to join in, on the basis of peer pressure, and align with the new expectation. At the root of this is the argument on cost and ease of adoption.
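To make the ‘two parts of SAML’ point concrete, here is an added example (not code from the post, from Microsoft, or from any of the vendors named) of the checks a relying party performs on the token half alone: the SAML 2.0 Assertion. It is independent of which profile or binding delivered the token, which is exactly the separation the WS-F approach relies on. The issuer and audience URLs and the assertion itself are constructed for the example; XML-Signature verification is assumed to be delegated to a proper XML-DSig library, so the code only checks that a signature element is present.

```python
"""Relying-party validation of a SAML 2.0 Assertion (the token half of SAML).

Added example, not from the original post or any vendor's product. Uses only the
standard library and a constructed assertion. XML-Signature verification is NOT
implemented here (assumed to be delegated to an XML-DSig library); this code only
checks that a ds:Signature element exists. For untrusted input in production,
parse with defusedxml rather than plain ElementTree.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample assertion with hypothetical issuer and audience URLs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_abc123" Version="2.0"
    IssueInstant="2009-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/sts</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID>alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2009-05-01T12:00:00Z" NotOnOrAfter="2009-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.test/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse the UTC xsd:dateTime form SAML uses (e.g. 2009-05-01T12:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, expected_audience, now,
                       clock_skew=timedelta(seconds=60)):
    """Return (ok, reason, name_id). Any failed check rejects the token."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 Assertion", None
    # Presence check only; cryptographic verification is delegated (see docstring).
    if root.find("ds:Signature", NS) is None:
        return False, "unsigned assertion", None
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in trusted_issuers:
        return False, "untrusted issuer %r" % issuer, None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", None
    # Validity window, allowing a small clock skew between IdP and relying party.
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + clock_skew < parse_saml_time(not_before):
        return False, "assertion not yet valid", None
    if not_on_or_after and now - clock_skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired", None
    # The token must be addressed to this relying party, not some other service.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        return False, "audience mismatch", None
    name_id = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not name_id:
        return False, "missing subject NameID", None
    return True, "ok", name_id


if __name__ == "__main__":
    now = parse_saml_time("2009-05-01T12:02:00Z")
    print(validate_assertion(SAMPLE_ASSERTION, {"https://idp.example.test/sts"},
                             "https://app.example.test/", now))
```

The same function applies whether the assertion arrived via a SAML profile (browser POST, for instance) or inside a WS-F token exchange, which is the point of treating the assertion as a self-contained token. Note that nothing here verifies a signature; a relying party that stops at the presence check would accept any well-formed XML, so the XML-DSig step must be done before the result is trusted.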
So to me this looks like a sensible and very workable way to achieve a wider adoption of secure IDs, an increasingly necessary aspect of both online business and ‘Everything as a Service’ (XaaS), and of course there is also the fact that some top providers of ID and sign-on capabilities have joined in to prove it works. No doubt there will be some posts saying that half-hearted support for any secure standard is no good, but to me, taking the sheer scale of the Microsoft footprint in the market, the other elements in the Geneva platform (including a framework for making .Net-developed code ‘aware’ of the Microsoft WS-F capabilities), plus some real abilities to interact with other key players, it’s a change worth noting.

About the author

Andy Mulholland
Capgemini Global Chief Technology Officer until his retirement in 2012, Andy was a member of the Capgemini Group management board and advised on all aspects of technology-driven market changes, together with being a member of the Policy Board for the British Computer Society. Andy is the author of many white papers, and the co-author of three books that have charted the current changes in technology and its use by business, starting in 2006 with ‘Mashup Corporations’, detailing how enterprises could make use of Web 2.0 to develop new go-to-market propositions. This was followed in May 2008 by ‘Mesh Collaboration’, focussing on the impact of Web 2.0 on the enterprise front office and its working techniques, then in 2010 by “Enterprise Cloud Computing: A Strategy Guide for Business and Technology Leaders”, co-authored with the well-known academic Peter Fingar and one of the leading authorities on business process, John Pyke. The book describes the wider business implications of cloud computing with the promise of on-demand business innovation. It looks at how businesses trade differently on the web using mash-ups, but also at the challenges in managing more frequent change through social tools, and at what happens when cloud comes into play in fully fledged operations. Andy was voted one of the top 25 most influential CTOs in the world in 2009 by InfoWorld and is grateful to readers of Computing Weekly who voted the Capgemini CTOblog the best Blog for Business Managers and CIOs each year for the last three years.
1 Comment
What's up all, here every person is sharing these experiences, so it's fastidious to read this website, and I used to pay a quick visit to this webpage every day.