Andy James, Chief Technology Officer, Solidsoft, examines how the creation of a federated security environment can facilitate business benefits that may not be possible without it.
From an individual's perspective, federated security is simple. It allows someone to access multiple systems with a single log-on. The systems concerned may be internal to the company they work for, web sites they visit personally or the systems of customers and suppliers.
Automatic Teller Systems are a good example. No matter which organisations' ATM you use to withdraw cash, they all know who you are, through the card and the pin number you use, and can pass information back to your bank.
The first step in creating a federated security environment is identity management. The purpose of this is to authenticate the identity of a person trying to access an organisation's systems. In its simplest form this could be a username and password, which are given to an individual once physical evidence of their identity has been established. In more secure environments physical authentication may also be required, through the use of smartcards for example.
The next step is authorisation. Here additional data, which relates to the individual's role and associated capabilities, is added to the authentication information. For example, a departmental manager may be limited to accessing the employee records of the people that work for him, while a director can access everyone's records. Equally authorisation can be used to determine which systems an employee can access, as well as the capabilities they have within each one.
Federation takes the whole concept one stage further, by allowing identity and authorisation information to be passed between organisations. Let's suppose you want to make some payments through a web site. You go to a bank's web site, go through the various layers of security and make your payments. Now you remember your pet insurance is due. There is a link to a partner’s insurance service and you click on it. If the partner’s insurance service is federated with the bank’s site, you will not need to sign on again. The bank's system will pass information that validates who you are to the partner’s insurance system's site and tells it that your log on can be accepted.
Having a central database, typically Microsoft
Active Directory, which holds information about individuals' identities and authorisation levels, makes security management much simpler. Instead of having to manage security at the individual or application level, it can be managed according to the role and/or grouping a person has. As a result:
An individual's role or grouping defines the capabilities associated with them.
Any changes to either are automatically applied to every individual within them.
Adding a new employee is simply a matter of assigning a role to them.
If an individual leaves a company, one action automatically withdraws all their capabilities.
Consequently, the administration effort is reduced significantly, there is greater control and auditability, and there is less risk of errors occurring.
In addition, adopting such a security model enables organisations to federate security with other entities. The technology to enable this to happen is fairly straightforward. The main effort is administrative, as each organisation will need to agree standards and ensure that the information that is passed between them satisfies their internal security requirements for identification and authorisation. However there are significant benefits to be gained:
Service levels to customers can be improved and extended, by allowing visibility of internal systems, to see the progress of orders for example.
Revenue opportunities can be increased, by linking with complementary organisations to provide new, added value services.
Collaboration with suppliers and partners can be improved, by allowing cross organisation development or project teams to share information and intellectual property.
Closer working relationships with suppliers are possible, through initiatives such as vendor managed inventory, by allowing selective access to internal systems.
Integrating new acquisitions is simpler, as employees can quickly be given access to new systems and applications.
Innovating to allow business growth
The benefits of federated security are considerable. They are made possible because federated security allows electronic channels to be locked down even at the same time as they are opened up. Consequently, federated security is one of those rare pieces of the IT landscape that can actually drive business options that were not possible before.