Richard Baker, BT Global Services: Diplomas for collaboration
Two thousand years ago the Romans built a 53,000-mile network of top quality roads to connect ‘head office’ in Rome with provincial capitals across Europe, North Africa and the Middle East. It made it much easier for the Emperor to keep everything under control, and the Empire’s traders found it a boon when it came to doing business with one another.
Unfortunately, though, the network wasn’t secure. By disguising themselves, enemies could use it to move men and materials around. And when travellers arrived, it wasn’t always easy to tell whether they were friend or foe.
And so the struggle to develop effective ways for one organisation to prove the identity of its people to another began.
Roman emissaries used what they called ‘diplomas’ to prove their rights and authorities. Eventually, those who carried these sealed official documents became known as diplomats – people authorised to represent their country’s interests abroad.
But, in these days of global partnerships and supply chains, everyone involved in a productive relationship between companies needs a ‘diploma’ too – usually in the form of user names and passwords that give them access to other organisations’ IT systems as well as their own.
Given the extent and pace of modern collaboration, managing access rights across corporate borders can be a major headache.
Organisations naturally want to keep tight control over access to their networks and systems and will have procedures in place to achieve this. Often, they’ll be keyed into personnel management systems – so that rights are granted and withdrawn as people change roles and jobs, but this can create problems when the people involved work for different companies.
In other cases, procedures can be complex and fragmented – a legacy of the days when access rights were set system by system. Even within an organisation, it can take weeks of passing around emails to get new users authorised, and almost as long to update access when roles change.
Meanwhile, people are under pressure to deliver results. It’s no surprise, then, that they take steps to circumvent delays – allowing people to share user names and passwords, for example. They may be trying to do the right thing, but they expose their organisation to big risks in the process.
Organisations can face stiff penalties if they can’t prove to the satisfaction of the relevant authorities who accessed what and when. Breaching regulations such as Sarbanes-Oxley, Basel II and the Health Information Profile Portability Act (HIPPA) can have dire consequences including fines and even prison sentences. Modern collaboration requires altogether different levels of efficiency and effectiveness. Access rights need to be granted within hours, not weeks, of someone joining a team and they need to be kept up to date in ‘real time’ as the situation changes.
This is hard to do if changes need to be actioned manually by each organisation or replicated across a host of different systems.
Universally-accepted standards are the ideal. That way, companies could connect their IT management systems to others in a quick and secure manner.
Some industries are in the vanguard. The Trans-Atlantic Secure Collaboration Programme makes it possible for people from leading aerospace and defence companies and the governments of the United States, the UK, Canada and The Netherlands to work together securely whenever the need arises. And in the UK, the Unified Police Security Architecture helps the country’s police forces work together. The Safe Biopharma Association is proposing something similar for the health and pharmaceutical industries.
Right now, however, there are no universal standards to make this safe and easy.
Standards are being drafted and are seeing limited deployment, but it will be some time before they become widely accepted. One is the Security Assertion Markup Language (SAML), which was developed to allow organisations to exchange authentication and other data about their employees. Another is the Liberty Alliance – a group of user organisations and technology vendors. It started with a process known as ‘single federated sign-on’ that allows people to book air travel, hotel rooms and car hire without having to log on separately at each member’s web site. Now, though, it is developing standards that can be used much more widely.
But these projects are still works in progress and opportunities to align them are being considered. While this essential work continues, collaborators will often have to ‘federate’ their identity management systems case by case. The solutions that result may only be interim, but those who complete the exercise will gain vital experience in the development of the appropriate IT systems and the operation of the administrative and governance processes that go with them.
Even if you plan to keep your identity management solutions independent of those of your partners, it makes sense to tackle cumbersome authorisation and login procedures as soon as you can. Centralised user administration and single sign-on make everything so much easier not just for those who use your IT systems, but for those who run them. They make auditing much simpler and, better still, they make access-control procedures quick and effective.
And in today’s fast-moving digital economy, that’s really important. Roman emissaries may have been prepared to wait at the gates while their documents were checked, but those travelling today’s networks have little time to spare.
Richard Baker is BT Global Services’ principal consultant in identity management. He has more than 20 years’ experience of working with product vendors, end-user organisations and systems integrators across a variety of business sectors and is a founder member of the Identity Society. In his current role, he helps set BT’s strategy, both as a user of identity management services and as a supplier of such services to the market.