The Legal Thicket of Federated Identity Management
Tuesday, January 12, 2010 at 12:41PM http://www.ecommercetimes.com/story/The-Legal-Thicket-of-Federated-Identity-Management-69077.html
In a nutshell - federated identity presents legal and audit challenges that all organizations will need to address before it gains wide acceptance. This is not news; fed zealots have been saying this for years. What actually keeps me up at night is the fact that the non-technical side of the house isn't ready for this; in my case, I'm thinking about auditors.
Current auditing process:
Auditor: "Tell me who has access to Resource Foo."
IT Guy: "Let me dump the ACL on that resource and parse through the groups...okay, here's a list of users."
Auditing in a federated world:
Auditor: "Tell me who has access to Resource Foo."
IT Guy: "The list of users I gave you last week, plus any one of my federated partners' users who presents me with a claim that reads "Marketing." No, I can't tell you who those people are. Yes, the list of who those people are can change from nanosecond to nanosecond without my being aware of it...erm, why are you crying, Mr. Auditor?"
It's these kinds of process problems that need to be resolved even more so than the technical ones...though PKI is still a big technical one to contend with. :-)
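To make the auditor's problem concrete, here is an added example (mine, not from the post) contrasting the two answers: a local ACL can be enumerated into a user list, while a claims-based policy can only be described ("anyone a trusted issuer vouches for with a Marketing claim"). The defender-side mitigation it shows is recording issuer, subject and claims on every federated decision, so "who accessed Foo" stays answerable even when "who could access Foo" does not. The issuer URLs, group names and user names are constructed for the example.

```python
from dataclasses import dataclass

# --- Classic world: ACL over local groups, fully enumerable -----------------
LOCAL_GROUPS = {"marketing": {"alice", "bob"}, "finance": {"carol"}}  # constructed
ACL = {"Foo": {"marketing"}}  # resource -> groups granted access

def local_users_with_access(resource):
    """The 'dump the ACL and parse the groups' answer the auditor is used to."""
    return sorted(u for g in ACL[resource] for u in LOCAL_GROUPS[g])

# --- Federated world: access decided per-request from a presented claim -----
@dataclass(frozen=True)
class Token:
    issuer: str          # which federated partner signed this token
    subject: str         # partner-side user identifier; unknown to us in advance
    claims: frozenset    # e.g. {"Marketing"}

TRUSTED_ISSUERS = {"https://idp.partner-a.example", "https://idp.partner-b.example"}  # constructed
CLAIM_POLICY = {"Foo": {"Marketing"}}  # resource -> claims that grant access

AUDIT_LOG = []  # (resource, issuer, subject, claims, decision) per decision

def federated_access_policy(resource):
    """The only honest 'who has access' answer: a predicate, not a user list."""
    return {"trusted_issuers": sorted(TRUSTED_ISSUERS),
            "any_of_claims": sorted(CLAIM_POLICY[resource])}

def federated_access(resource, token):
    """Evaluate one request and always leave an audit record, allow or deny."""
    if token.issuer not in TRUSTED_ISSUERS:
        decision = "deny:untrusted-issuer"
    elif CLAIM_POLICY[resource] & token.claims:
        decision = "allow"
    else:
        decision = "deny:missing-claim"
    AUDIT_LOG.append((resource, token.issuer, token.subject,
                      tuple(sorted(token.claims)), decision))
    return decision == "allow"

def who_accessed(resource):
    """What the auditor CAN be given: every (issuer, subject) actually admitted."""
    return sorted({(i, s) for r, i, s, _, d in AUDIT_LOG
                   if r == resource and d == "allow"})
```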
One phrase that jumped off the page at me in the above article: "Recognizing the need to comprehensively address the legal issues raised by identity management, the American Bar Association has established a Federated Identity Management Legal Task Force to undertake such a project."
Shiny. Must Google.