How Identity Rights Can Secure Web Services
With billions of digital identities being created around the globe, concerns about managing identities (and associated rights) are hitting an inflection point for many enterprise IT professionals. A CTO with several F500 firms looks at the rapidly changing landscape for enterprise and B2B security, and offers advice on creating a rights management policy that will comply with your growing use of web services - across your company and outside the firewall.
With billions of digital identities being created around the globe, concerns about managing identities (and associated rights) are hitting an inflection point for many enterprise IT professionals.
Much of the current efforts in securing digital identities have revolved around Identity Management (IdM) - which includes the provisioning, managing and administrating IDs within a company or organizations. The Gartner Group conducted a study of cost/benefits from IdM programs, and found the benefits from managing digital identities in the public and private sectors accrue to both productivity and risk management. Gartner found that while implementation costs for IdM software range from only $5-$25 per user, a company with 10,000 employees that automates provisioning for a portfolio of 12 applications can save about $3.5 million over three years -- and see a potential 295% return on investment.
With numbers like these, IdM projects are climbing to the top of IT technology priorities. Today, one-third (32+%) of large companies plan at least one IdM project in 2005, according to a recent TheInfoPro study.
But, for all the benefits of IdM to intra-organizational activities, to extend these benefits to inter-organzatrional (or B2B) activities, IT professionals need to look to another technology discipline: Identity Rights Management (IrM). The need to conduct transactions using digital identities with entities outside their sphere of control, there are valid concerns over securing the organizational trust boundaries and auditing the transaction.
The task of bridging IdM systems with their associated information and policies, and enabling secure transactions between identified parties is the domain of IrM technologies.
Inside IrM: Frameworks and Mechanisms
To Secure Inter-Organizational Traffic
IrM provides a framework within which entities (people, groups, files, applications, etc.) in disparate organizations can be adapted into digital identities. IrM then provides a mechanism for these identities to be network addressable outside the boundaries of the organization. Finally, IrM provides primitives that allow identities to form links amongst themselves that express relationships and agreements.
This basic Identify, Connect and Control paradigm of IrM is very powerful, and allows modeling of many real world business relationships between digital identities. Using IrM technologies and practices, organizations can leverage their IdM investments into securing various types of real world business models - Service Oriented Architectures (SOA), bilateral data sharing, Communities of Interest (COI), Federated services and many more.
Web Services, which enable componentized services to easily aggregate and provide services over the Internet, is on a collision path with IdM.
IdM is usually a set of carefully crafted custom solutions that have been designed with organizational security foremost in mind. Web Services, on the other hand, are about lowering the cost and efficiency barrier to the creation of new applications. While the Web Services "technology stack" is deep, and contains many standard ways to implement security at various levels, Web Services are very deficient on modeling secure coexistence with non-web services based systems.
IrM provides an inclusive model that allows organizations to secure their web service and non-web service transactions in a consistent and cohesive way.
How IrM Offers Corporate IT a Model for
"Federated Control" over Web Services
It has been axiomatic in the past that business partners need to ensure that their respective application and security infrastructures support common standards, interfaces and approaches.
Only after this condition was met, it was believed, that secure transactions could take place. The one big problem in all this is that a large number of standards exist and any particular combination of them is appropriate for a business. Hence, the assertion that partners must support the same range of standards in order to build a seamless trust environment is moot, in that it does not conform to reality.
A growing view in the last few years has been one of "federated data interchange."
Federated data interchange, for starters, assumes variability of environments and embraces the multi-organizational nature of information sharing and control. IrM technologies revolve around the concepts of control of federated data exchange between organizational domains. Before going any further, a review of what "federation" has come to mean may be helpful.
Federation refers to any environment within which interoperability spans two or more autonomous administrative domains. Typically, it takes place among different networks in a specific value chain. However, it may also be implemented among different units within a large enterprise or government.
Domains may also be associated with various platforms, applications, data repositories and workflow environments. A domain may be regarded as autonomous if it supports unilateral administration of its own users, resources and policies, independent of other domains. A domain does not map to a pre-specified corporate entity, in that, it can map to a department, business unit or the enterprise. Domains in federation choose to interoperate in accordance with business agreements, trust relationships, interoperability arrangements and their respective local policies.
Federated data exchange environments are those in which data owners, controllers and users belong to two or more autonomous domains. The data may reside in relational database management systems (RDBMSs), document management systems or any other content repositories under the control of the respective domains. The data may be in various formats, including XML documents and HTML pages. Typically, federated data environments rely on authentication and access control services provided by the underlying IdM infrastructure, which encompasses control of any interoperability pattern or flow among two or more autonomous data domains.
Federated data interchange patterns may be configured as hub-and-spoke interactions through a central repository or as decentralized flows among several data domains. These interchange patterns may involve request-response, publish-and-subscribe, content aggregation, orchestration and other flows. In order to exchange data across trust boundaries between federated domains, a company should attend to its paradigm for managing rights associated with an identity - i.e. IrM.
IrM environments leverage identities, roles, permissions and - most importantly - policy attributes that are administered under existing IdM environments. The extension of IdM to IrM occurs in the move from managing identities to capturing relationship and authority arrays of data for an enterprise.
For example, a link between an identity representing a set of applications and one representing a set of people can model group or role-based access to services. The link in this case is an electronic instantiation of a service agreement between a publisher and a subscriber. Along this electronic link can flow information regarding policy, credentials, privacy, compliance and auditing that are necessary to both the publisher and the subscriber.
In another example, links between identities representing people in different organizations can model a Virtual Organization (VO). Using the links, IrM can define the resources and associated policy for each identity participating in this VO. This extremely dynamic and adaptive grouping is known as a Community of Interest (COI) and has far reaching implications in modeling interactions such as inter-domain secure file sharing, homeland security threat response and healthcare consortiums.
IrM, as stated earlier, is participatory in securing Web Services environments. This is particularly useful as most companies have growing investments in Web Services platforms, applications, middleware and tools. In particular, many organizations are implementing "federated" IdM environments that utilize emerging standards - particularly WS-Security, Security Assertion Markup Language (SAML), Liberty Alliance specifications and WS-Federation.
The concept of "federated data interchange" will grow in importance. In more prosaic cases, IrM addresses core federated IdM use cases - such as single sign-on (SSO) and role-based access control (RBAC) - but doesn't stop there. IrM environments evolve identities into a more ubiquitous, powerful tool for security and integration throughout service-oriented architectures (SOAs).
In addition to the previously mentioned standards supporting federated IdM solutions, emergent standards that support the move to IrM include: Extended Rights Management Language (XRML), Web Services Description Language (WSDL), and Universal Description, Discovery and Integration (UDDI), eXtensible Access Control Markup Language (XACML) and Open Digital Rights Language (ODRL).
The Five Determining Factors of Identity Rights Management
IrM solutions can be put in place on a tactical or per-project basis without requiring a large infrastructure or architecture buildup. Indeed, this flexibility, combined with its affordability, summarizes the strength and appeal of using Web Services. In order to successfully balance information security risks with security investment, companies should devote adequate attention to the following five determining factors of IrM. Ultimately, the IrM solution will seamlessly allow disparate IdM solutions to communicate.
1) A successful implementation depends on making sure that those implementing the solution understand the problem space well enough to model it in terms of both identities and relationships. Of course, be sure that the IdM solution has the ability to uniquely identify the users within an organization.
2) Make sure that the organization is already dealing with policy in a fairly systematic way. If it already has policy representations or equipment from other manufacturers that deal with policy, then the organization can begin defining the relationships.
3) Identify where the subjects or identities of the relationships reside. Is it with engineering, marketing, operations or a combination?
4) Define and identify the existing relationships and break them down into sets so that Web Services can bundle resources appropriately.
5) Define and identify the policy that spans the relationships articulated in #4. What agreements are in place? What mechanisms make those relationships work? For example, an enterprise affiliated with stock trading transactions might determine that certain conditions (e.g., weekday during trading hours) are met in order to trust the relationship between two identities.
Realizing Maximum Benefits
For the full benefits of Web Services to be realized, an IrM solution must comprehend the trust boundaries implemented by existing and future IdM solutions. Most major companies are using the Internet to work closely with partners to provide information on inventory, products, pricing, sales cycles, etc. IrM doesn't alter the existing structure; rather it enhances the relationship to make it more productive.
In the case of an auto manufacturer, IrM creates an efficient and productive value chain that is a competitive differentiator and a model of efficiency. If it was determined that a different supplier were required for a particular product, the manufacturer would have the flexibility to adjust its trust boundaries overnight and begin using the new supplier. It is this flexibility combined with the inherent productivity of the Internet that makes Web Services and IrM powerful yet interdependent tools.
Digital identities are here to stay whether on a passport or a corporate intranet. The work that lies ahead for the IT industry is to ensure that trust boundaries for Web Services are secure, flexible and evolve the value chain.
Adarbad Master is currently CTO at Epok, and has worked with numerous Fortune 500 companies over a period of 15 years and his areas of expertise lie in Internet services, open systems deployment, scalable distributed computing and large database system design and management.