Linux in Government: Federated Identity Management Business Drivers
In last week's article, we discussed federated identity management (FIM) to familiarize you with some of the concepts behind how it works. We also stressed the need for Linux practitioners to start preparing for the emergence of new products and services requiring FIM. In this week's discussion, we explain the reasons why identity management has become a requirement in many organizations.
Homeland Security Presidential Directive (HSPD) 12, dated August 27, 2004, established a policy for a common identification standard for federal employees and contractors. In the directive, the White House established these talking points:
Wide variations in identification technology people use to gain access to secure facilities exist and need to be eliminated.
The Secretary of Commerce needs to be responsible for setting a standard for appropriate identification within 6 months.
The heads of executive departments and agencies will have a program in place 4 to 8 months following the standard.
Within 6 months and 7 months following the Standard, the Assistant to the President for Homeland Security and the Director of OMB will recommend additional technology.
The Assistant to the President for Homeland Security will report within 7 months after the Standard on the progress implementing HSPD 12.
In response to HSPD 12, the National Institute of Standards and Technology (NIST) Computer Security Division initiated a new project for improving the identification and authentication of federal employees and contractors for access to federal facilities and information systems. Federal Information Processing Standard (FIPS) 201 started the clock for agencies to implement common smart card-based ID cards, among other identity management procedures.
FIPS 201 lays out the technical and operational requirements for the system and card. HSPD 12 requires agencies to have their access systems in place, "to the maximum extent practicable", by October 25, 2005.
Some people feel that meeting that deadline is likely to be a challenge. Although NIST is not responsible for implementing the standard, Jim Dray of NIST stated, "I don't think it's going to be possible for most agencies to continue doing business as usual and comply." People at the Office of Management and Budget (OMB) remain optimistic.
The main commercial Linux vendors may wind up providing infrastructure and provisioning to the various agencies that must meet the standard of FIPS 201 and related documents. You could say that the President of the United States created a sense of urgency in the federated identity management sector by suggesting that wide variations in identification technology people use to gain access to secure facilities exist and need to be eliminated.
That's the essence of Red Hat's entry into this market. For more information on Red Hat's product, take a look at its product page.
The new FIPS 201 standard requires replacing the former Government Smart Card Interoperability Specification (GSCIS). The new standard requires DOD, for example, to re-deploy applications on 2.2 million computers and update 3.5 million Common Access Cards. And that's only one implementation.
With agencies scrambling to comply with the President's standard, many vendors find themselves hurrying to help those agencies meet their deadlines. You can count on IBM and its partners Red Hat and SUSE to benefit from those efforts.
In addition to FIPS 201, other federal regulations have created a need for identity management. Again, with IBM having a significant lead in the market, Linux will see its share of business. Let's take a look at the primary drivers in the compliance area.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA regulations provide for the protection of healthcare information. Control of access to information systems has become big business in the health care industry. Fines of up to $100,000 and prison terms of up to five years for noncompliance make HIPAA compliance a big concern.
HIPAA regulations affect business processes, information systems operations and information systems sharing. HIPAA-compliant privacy and security features require structured identity management solutions that we have seen in products such as IBM's Tivoli Access Manager, which runs on Linux and interoperates with a variety of other software platforms.
HIPAA regulations impose requirements to enforce formal security policies and procedures for granting different levels of access to patient information.
Gramm-Leach-Bliley regulations became effective on February 1, 2001. The US Treasury Department issued guidelines interpreting the privacy and security requirements contained in the GLB Act of 1999, also known as the Financial Modernization Act of 1999.
The GLB Act exists primarily to repeal restrictions on banks affiliated with securities firms. It requires financial institutions--including preparers of income tax returns, consumer credit reporting agencies, real estate transaction settlement services and debt collection agencies--to adopt privacy measures relating to customer data.
The legislation eliminated legal barriers to affiliations among banks and securities firms, insurance companies and other financial services companies. Such affiliations require legal and security safeguards. The Federal Deposit Insurance Corporation (FDIC), Federal Reserve System (FRS), Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC) and the Office of Thrift Supervision all regulate some area of Gramm-Leach-Bliley.
The Sarbanes-Oxley Act of 2002 has created numerous logistical, operational and economic challenges for public companies. Sarbox requires CEOs and CFOs of public companies to swear under oath that the financial statements they publish are accurate and complete. This is supposed to protect investors by improving the reliability of corporate financial statements. It imposes stiff penalties for auditors, corporate officers, company directors and others who violate the Act. Every publicly traded company registered under the Exchange Act or that has a pending registration statement under the Securities Act of 1933 falls under the regulations.
If someone fails to comply with Sarbox, he or she can expect stiff penalties, including jail terms for executives. New processes and procedures to ensure compliance may improve efforts to implement identity management and automate many of those processes.
Identity management technology helps automate processes that enable Sarbox compliance. For example, it addresses security processes associated with establishing "adequate internal controls" around financial reporting. By mapping these processes as well as internal security policies to automated identity management, companies can utilize frameworks for improving security and ensuring compliance.
Organizations are continuing to deploy directories such as OpenLDAP in their business. As different applications accumulate data, federated identity management will provide users the ability to access those directories transparently.
Mergers, Acquisitions and Divestitures
The market will continue to consolidate. Companies will buy companies and attempt to merge heterogeneous information systems together. Look at Computer Associates' acquisition of Netegrity as an example. Such acquisitions provide challenges. Federated identity management helps companies merge their work forces.
Secure Web Services
As organizations allow associates into their information systems at the supply and demand side of their food chains, the need for secure identity management emerges. If you want to ensure trusted communities, federated identities provide the most efficient way to do so. Today's identity management solutions support broad security infrastructure initiatives.
Consumers worry about personal information getting into others' hands. Proponents of Web services have problems similar to credit card companies: they simply know too much about us. As a result, they tend to sell information or tailor product offerings that tempt us to buy things we don't need.
Hopefully regulations will emerge to stop the sharing of consumer information within and among businesses. We'll need identity management systems that help ensure others won't be allowed to look too deeply into our personal lives. Expect legislation to emerge that will help control outside access to our identities while allowing us ease of navigation.
About two years ago, I read an article by Doc Searls discussing a new kind of Web technology called blogs. I went on-line and started looking around at his examples and shrugged. Within a couple of weeks, I purchased some blog software and added it to several Web sites I manage. At the time, I had no idea how quickly the blogosphere would take off.
I have similar thoughts about federated identity management. Although a great deal of activity in this market takes place under the radar of journalists, don't be fooled by their current lack of coverage. Journalists tend to flock to the same stories.
Journalists who ignored Doc Searls' assertions about blogs now use them extensively. I also expect the crowd to begin reporting soon on FIM. Hopefully, you'll be ahead of them.
Tom Adelstein is a Principal of Hiser + Adelstein, a consulting and operating company specializing in free and open-source software solutions and support. Tom is the co-author of the book Exploring the JDS Linux Desktop, author of an upcoming book on Linux system administration and has written prolifically since 1985. Tom's business career began in public accounting, where he first learned to program and develop software, and later progressed to Wall Street, where he became the designated principal of a NYSE firm. He later returned to technology and has consulted and worked with start-ups as well as leaders of the Fortune 500.