Solving the privacy challenges in a federated identity model

Governments face a dilemma. As more and more services move online, identifying and authenticating citizens in cyber-space are becoming more difficult. Citizens want one-stop service but they also want assurances their personal information is kept private. Sharing information across jurisdictions can create seamless service delivery, but government entities must ensure they are dealing with the same person.

Online initiatives will only continue to expand in the future, so governments will need to settle on a common authentication method for their citizens.

Securely sharing identity information while remaining within the confines of privacy legislation, therefore, is a challenge the public sector is working to overcome.

“I don’t want to simplify too much, but governments have two basic choices for this: a national ID or federated identity management system,” says David Temoshok, director for identity policy and management at the U.S. General Services Administration (GSA) which works with the Department of Homeland Security.

Many organizations have internal identity management systems which provide strong, automated mechanisms to enrol and identify authorized users and control their user rights to information resources. To obtain a health card, citizens must present a passport or other physical credential to prove their identity, and then obtain log-on credentials to gain access to health care Web sites. “So when the authentication credentials are used in the future, they can be correlated back to an identity,” says James Quin, senior analyst at the London, Ont.-based Info-Tech Research Group.

Federated identity management is a new approach that takes this process one step further by establishing trusted relationships between organizations to allow them to share information, he says. Organizations and their users are linked to partnering organizations within circles of trust that are established in federation agreements that specify user rights. Attributes of an individual’s ID can then be shared within a common technology and policy framework that protects that identity.

Two models
There are two fundamental models for federated identity management based on where the authoritative source or repository for identity information resides, he says. “In the meta-directory approach, all that identity information is obtained from trusted partners and piled into a new and consolidated core directory. In a virtual directory, I have my information and you have yours, but we agree to create linkages between them, so it’s not one core directory.”

Which model is more secure is a philosophical question, as there are pros and cons to both, he says. “In the meta-directory approach, you have only one repository to protect with a security infrastructure. In the virtual directory, if you link one directory to another, then it’s only as strong as the weaker of the two infrastructures.”

In Quin’s view, the meta-directory approach may provide more opportunities to build one super-strong security infrastructure to protect a single point of failure. But the stumbling blocks involved in building it trump its advantages, particularly in a government context. “It’s expensive and a huge pain to build these central repositories from scratch – think about the gun registry – and there would be a backlash from citizens.”

But the virtual directory approach means personal information about citizens resides in many government systems and servers in redundant and potentially inaccurate forms. “They tend to be less secure, but virtual directories are easier to create and manage so they tend to be (more common) than meta-directories.”

An emerging standard in federated identity management systems is Security Assertion Markup Language (SAML), a protocol developed by international standards body OASIS that allows the exchange of authentication and authorization data between security domains. Although there are other competing standards and variants, the Liberty Alliance, a global identity organization comprised of 150 major vendor, client and government organizations, has been active in driving the development of open and interoperable SAML-based security standards.

“There are many data exchange mechanisms and standards. The key thing when dealing with multiple vendors in government is to ensure they all speak open standards, or you will burn money,” warns Ross Chevalier, CTO of Novell Canada, adding that many vendors add proprietary interfaces and extensions to their supposedly open systems.

Potential challenges
“Unfortunately, once these systems are put in, nobody wants to back out of them when they find out they aren’t entirely standards-based. Government organizations should ask vendors directly about open standards and demand it in writing so it becomes a service level agreement – and if in fact the system doesn’t work openly later, there’s financial recourse,” Chevalier adds.

There are other potential technology snafus lurking in the architecture of federated identity management systems. “When people talk about federation, they often talk about it at an object level,” explains Chevalier. For example, John Smith is considered an object with identifying attributes such as a name, address and so on. “There are some attributes citizens may not care if they’re shared with other organizations to improve their user experience, and others they absolutely don’t want shared.”

Trust mechanisms need to be built at the attribute level, not the object, he says. Two branches of government with standalone identity management systems may choose to federate the identities of their constituents. But issues may arise if the way objects and their attributes are defined in each system aren’t considered. “If the federation agreement is not articulated correctly, some of these constituents’ attributes may be trusted into another department where you don’t want them to go.”

Canadian directions
Although several standalone identity management systems have been implemented within the Canadian government, the concept is still relatively new, says Pierre Boucher, senior director of architecture and standards at the Treasury Board Secretariat (TBS). The TBS has been focussing on creating a common set of terms and definitions for identity management concepts to bring clarity to discussions. “Many think identity management is just about provisioning users with authentication mechanisms, so we need to ensure people are talking about the same thing,” he says.

The Canadian government is in the early stages of creating a framework for cross-jurisdictional identity management, he says. “There are no policies yet in this area.” But the TBS’s 2007 Transformation Strategy notes there are many benefits in a federated identity management approach, where each program does not have to provide its own set of authentication and identity-proving mechanisms, and this approach also improves the user experience.

In 2006, an inter-jurisdictional identity management and authentication task force (IATF) was set up to look at ways to accelerate progress in this area and to make recommendations about implementing a pan-Canadian identification and authentication framework. In its April 2007 interim report, the IATF highlighted some of the drivers in this area, from citizens’ desire for seamless delivery of services to the government’s need to increase program integrity and efficiency. Seven jurisdictions have an inter-departmental identity management initiative planned, and three have launched pilots: the GoC’s ePass-Portageur, BC’s BCeID, and Quebec’s ClicSequr.

The report also identified key challenges in developing more inter-jurisdictional programs. Currently, there are no universal standards or processes for identifying an individual across Canada – the types of documents issued to prove identity and the identifiers required for government services vary from one area to another.

The report also noted there are limited connections within and across jurisdictions for real-time sharing and verification of identity information, which could contribute to fraud if there are time lags in exchanging identity information.

Lastly, many identification methods are based on names, but there are many variants – nicknames, shortened versions, different spellings – which make matching individuals across databases very difficult.

As CGR went to press in November, a ministers’ conference was planned in Halifax to consider the IATF’s final findings and recommendations.

The American way
The U.S. has already started down the path towards federated identity management in its policies and infrastructure. The government has articulated three high-level policies to guide the development of identity management initiatives, says Temoshok. “Our starting place from a policy standpoint is that we don’t want to create a national ID card, we don’t want to use a unique identifier, be it the social security number (SSN) or another ID, and we’re not going to assemble a single registry of identity information about citizens.”

The open and interoperable federated identity model being developed by the Liberty Alliance aligns well with the federal government’s objectives, he says. The GSA recently mandated passing the Liberty Alliance’s SAML 2.0 interoperability testing as a prerequisite for participating in the U.S. e-authentication identity federation.

“We have several dozen agencies using the common SAML network that we’ve implemented for identity federation,” he says, adding that many countries such as the UK, Australia and France are also basing their initiatives on the Liberty Alliance’s standards.

The need for standardized technology tools to support federated identity management will only expand as governments move more of their business online, he says. “But what we’re seeing in the U.S. and worldwide is that simply establishing standards doesn’t ensure vendors will in fact interpret those standards in exactly the same way, so we wind up seeing differences in products.”

Initially, the U.S. government established its own testing program to ensure the interoperability of all the identity management protocols and products it uses, he says.

Related Download
Improving the State of Affairs With Analytics Sponsor: SAS
Improving the State of Affairs With Analytics
Download this case study-rich white paper to learn why data management and analytics are so crucial in the public sector, and how to put it to work in your organization.
Register Now