Issue: North America 2005
Topic: Identity and the future of e-commerce
Title: Liberty Alliance Management Board Member, and Vice President
Organisation: Oracle Identity Management Solutions
Roger K. Sullivan is Vice President of Business Development for Oracle’s Identity Management solutions. Mr Sullivan also serves as Oracle’s representative to the Liberty Alliance Management Board and Vice Chair of its Conformance Expert Group. Liberty Alliance, an industry association of vendors and enterprise customers, develops standards for federated identity management. Mr Sullivan was President and CEO of Phaos Technology Corp. before its acquisition by Oracle. Previously, Mr Sullivan was the chief marketing officer for Zions Bancorporation eBusiness Group and held senior management positions at icomXpress until Zions Bancorporation acquired the company. Mr Sullivan also served as Vice President for BIS Strategic Decisions’ system consulting and Continuous Information Services and was worldwide director and programme manager for Wang Labs’ imaging products. Roger Sullivan is widely recognized as a leading authority on security, document and work process technologies. He holds a BS from Northern Illinois University and has conducted graduate studies in Information Management at Boston University. Mr Sullivan served as a Top Secret Security Control Officer for the US Army Security Agency.
As commerce becomes e-commerce, businesses and financial institutions around the world are working together to develop standards for secure, identity-based web services. Two ideas are the keys to the new identity standards: federated identity, a system similar to that used by credit card issuers, where a third party (the card issuer) vouches for the identity and creditworthiness of the buyer; and circles of trust, where an individual trusted by a member of a circle is automatically trusted by all the members.
Who are you? Can I trust your identity? Can you trust mine? Today, as commercial activity has shifted from paper-based and face-to-face interaction to exchanges conducted electronically, questions like these take on increasing and urgent importance. Whether you are an individual shopping at Amazon or a large financial institution doing billion-dollar deals, you must be able to trust your business partners. There must be a way to ‘know’ for sure that the person or institution you are dealing with is a trustworthy partner, that they are who they say they are. Otherwise, the risk of doing web-based transactions is simply too great.

Identity management is: 1) the necessary foundation for secure interoperability; 2) central to the successful realization of what’s possible on the web. That’s why financial institutions around the world are working closely with the Liberty Alliance, a global consortium for open federated identity standards and identity-based web services. Founded in 2001, Liberty Alliance’s mission is to support a networked world in which individuals and businesses can more easily interact with one another while respecting the security of identity information. Today, Liberty Alliance represents more than 150 organisations including leading banks, technology companies, government agencies and wireless providers.

Standards are essential

Most organisations have disparate proprietary applications, data repositories and identities, each in use within separate applications or stovepipes. Every large enterprise knows that these stovepipes are difficult to integrate within a specific organisation, let alone among outside trading partners. The Liberty Alliance has designed standards, specifications and a framework that enable organisations to securely interoperate with their partners and customers by leveraging what is called federated identity to establish circles of trust among different websites, intranets and other points of electronic platform contact.
In the federated identity model, a consumer or an enterprise designates who they want to communicate with (who their circle of trust is) and to what degree they wish to communicate with or trust them. In this model, they input a password once. Their credentials are then shared among the circle of trust members. This way, the consumer or enterprise can move from trusted site to trusted site without having to key in a password or identity information over and over again. A circle of trust is usually composed of a group of service providers who share linked identities and who have pertinent business agreements in place regarding how to do business and interact with identity providers. Once a user has been authenticated by a circle of trust identity provider, that individual can be easily recognized and take part in relationships with other service providers within the circle of trust. A trusts B, and B trusts C, so A trusts C, and so on.

Federation, in fact, resembles the credit card model; the merchant verifies that the credential (card) is valid, but does not authenticate the identity of the individual as such, nor verify that the individual is creditworthy. As long as they communicate the card and transaction information to the issuer for approval, merchants are covered and the liability, the risk, shifts to the credit card issuer. If they do not submit the information for prior authentication and approval, merchants are responsible for the bad debt in accordance with the terms of the merchant card agreement. The federation model distributes liability for actions among the trading partners and, with new identity management technologies in place, provides opportunities for new business initiatives.

The beauty of the Liberty Alliance standards is that they enable financial services organisations to engage with partners of all sizes.
The flexible applicability of Liberty Alliance technology broadens trading relationships beyond large peer-to-peer business entities to include medium and smaller entities that were once unable to assume the financial burden of large scale ‘triple A’ products, but are nonetheless vital members of the business community. The Liberty Alliance standards are written to work in most platform environments, from servers and mainframes to PCs and handheld devices. This lets businesses and individuals conduct transactions whenever and wherever they see fit, using whatever system configuration is most appropriate to their needs.

Technology is sometimes the easiest aspect of problem solving. That is why the Liberty Alliance chose to be more than a technology organisation and to dedicate its efforts to the business side of implementing identity management and identity-based web services standards. The Alliance focuses on the business imperatives, rules, policies and best practice and liability challenges associated with operating in this new model. It is a critical added value that Liberty brings to the standards arena.

One of the reasons why Liberty has achieved so much traction is that the initiative is being driven by technology vendors as well as consumers of technology. This approach ensures that Liberty’s work is truly viable and speeds adoption. This way, enterprise customers can design systems that truly meet business needs and allow vendors to focus on the product development efforts that are most important to their customers.

Federation in action

American Express Co., a founding member of Liberty Alliance, is using the federated specifications to connect its intranet, Internet and extranet sites. American Express has also taken the lead in using the Liberty specifications to integrate its back-end architecture, with the goal of ultimately Liberty-enabling its front-facing applications. Similarly, several banks including JPMorgan Chase & Co. and Goldman, Sachs & Co. are part of a consortium that provides institutional customers investment research and other information from multiple sites. The group is using Liberty’s specifications to enable secure sharing and improve interoperability across myriad platforms. The Bond Market Association has rolled out a similar programme.

Retirement planning gets a boost from federation

Most organisations face the challenge of providing their employees with 401K information. Today an employee in company A has to go outside the enterprise to access their investment plan at company B. With a federated relationship, that employee can access those investments through a web portal that shares the employee identity information and, with the employee’s permission, federates it with trading partner/investment company B. This is a classic example of B2B2E and one that is being rapidly deployed by mutual fund companies and 401K providers including Fidelity Investments, an early adopter of Liberty specifications.

Federation, though, can be initiated from any ‘side of the street’. General Motors, for example, links employee benefits via a portal they call MySocrates. MySocrates was originally a single sign-on portal. It’s now being extended to include Liberty Alliance federated relationships among its employee benefits providers.

The insurance industry is also actively deploying federation. Nationwide is taking the lead in adopting partner-friendly identity management technologies. Like most larger insurance companies, Nationwide offers private label insurance policies through third parties, who may in turn be selling those policies through a network of insurance agents. The more easily they can authenticate everyone in the trading chain using common technical and business standards, the larger market share they can capture.
What’s most exciting is that the federated identity model enables organisations to look beyond the tactical issues of single sign-on, application provisioning and improving one-to-one core trading relationships. The most visionary organisations are looking at how digital identity can actually shift their business models and move them out of traditional B2B, B2C and B2E and into B2B2E and other models. The standards and practices set forth by Liberty fully enable this third-party model where identity supports trading relationships and then extends it outward to each partner’s representatives. It goes back to the idea that if A trusts B, and B trusts C, then A must trust C as well.

The future of e-commerce is in identity

Financial services organisations deal day-to-day in the identity security trenches. They are investing considerable resources in determining how to secure their customers’ and business partners’ identity in an increasingly fluid e-infrastructure. They are also looking beyond these ‘defensive’ issues into how to use identity to open up new business models and relationships. The twin issues of security and standards go hand in hand. Standards are essential for interoperability. Security is essential to ensure that the interoperability is safe and new business models can be deployed. The future of e-commerce will be determined through secure identity.

Definition of terms

Identity (n): 1. The most basic element in a high value relationship. 2. The individual characteristics by which a person, business, business partner, government agency or other entity is recognized or known.

Single sign-on (n): 1. Having the capability of accessing an online system once and having that authentication honoured by other system entities, often service providers.

Identity Provider (IdP) (n): 1. A service that authenticates identity, often a trusted party such as a bank, employer, mobile operator or an Internet Service Provider (ISP).

Federation (n): 1. An association comprising any number of Service or Identity Providers. 2. A model based upon trust in which user identities and security are individually managed and distributed by the identity providers or member organisations. 3. The system whereby the identity provider is responsible for vouching for the identity of its own users and the users are able to transparently interact with other trusted partners based on this first authentication. 4. A model similar to that used by credit card issuers in that vendors accept an individual’s ability to pay and then that ability is authenticated/verified through a single location.

Circle of Trust (n): 1. A trusted group of identity and service providers who share linked identities and have pertinent agreements in place regarding how to do business and interact with identity providers. 2. A system of trust through association where an individual or a business inputs a password once so that credentials can be shared among the circle of trust’s members with the user’s consent. 3. An aspect of federation, where multiple entities are involved, and there are business, policy and technical relationships in place.