Managing identity and access in the cloud
By Graham Titterington, Ovum 20-Oct-2010
Today identity resides largely in individual websites with no interaction between them. Users have to identify and authenticate themselves to each site or service.
It would be good to have an online identity that would be recognized at multiple websites. It would provide a major advance towards a truly connected world. Businesses would be spared the cost of maintaining their own identity databases, and Internet merchants would gain higher conversion rates from enquiries to sales.
Users would find it easier to do business with multiple sites by avoiding lengthy registration processes and by not needing to carry sets of credentials for every website they visit. The overall security of Internet transactions would be enhanced and there would be more scope for performing trusted and high-value Web transactions.
|"Under pressure from the US government, [...] the industry is formulating a 4-tier model for different levels of identity assurance." |
-- Graham Titterington, Ovum
Trust is key to viable identity sharing
It is relatively easy for an organization to enrol a person with whom it has a relationship with into its systems, and establish a mechanism for giving them appropriate access permissions. It is much harder to decide when to trust a third party that makes an assertion about the person. Liability for incorrect information is another stumbling block to establishing commercial identity services. How can we build a mutually acceptable business model around the supply and consumption of this identity service?
The exciting news is that, under pressure from the US government, which wants to advance its e-government initiatives, the industry is formulating a 4-tier model for different levels of identity assurance. Standards are emerging from the OITF (Open Identity Trust Framework) and the OASIS ID Trust. The standards bodies are also specifying processes for authenticating and enrolling people at each tier. ISO 29115 defines trust levels in user registration processes. NIST SP 800-63-1 suggests authentication methods that are appropriate for each level of identity assurance, using single-factor and multi-factor authentication. The model is expressed in economic terms. NIST SP 800-63-1 also lists a spectrum of devices and their underlying technologies that can be used for each level of authentication. We now have guidelines covering identification, registration, and authentication for a multi-tier model.
Establishing the business value
The tiered model is crucial for the development of identity providing services. It not only gives assurance to relying parties -- it also provides a basis for determining the value of each band of assurance. This provides the basis for a business model for the providers with an appropriate limit of liability.
Financially the only credible business model is for the organizations that use the identity services to pay the identity providers, as end users will be reluctant to use a service where there is a fee charged simply to log in. The advertisement funded model, which is so common on the Internet, is unlikely to provide higher tier services where costs are greater and volume of use is lower.