Cloud Identity, Trust and the Liability Elephant.
I have been involved with a couple similar initiatives around certification for identity and thought it would be interesting to explain the logic behind these efforts. The first initiative is led by the Open Identity Exchange and is based on the Open Identity stack. The second is more enterprise cloud focused; it is driven by the Cloud Security Alliance (CSA). The CSA is developing a more SAML-oriented technology blueprint within OASIS. The technology protocols are different but the risk controls are similar. Therefore, I am hopeful that both trust frameworks will converge (I will certainly try to help them converge).
But let us re-hash the motivation of the industry that sponsors these efforts. A trust framework is necessary to enable policy makers across vertical markets (healthcare, enterprise SAAS, mobile payment, digital content) to set the security and privacy bar for identity providers, identity brokers and relying parties. For sure, across all vertical markets, the sharing of identity requires a baseline of best practices for security, and privacy as it facilitates customer adoption of cloud identity services by providing a foundation for trust.
However, there is another motivation to develop certification programs for identity services. The true 'raison d'Ãªtre' for identity trust certification is that it will allow private consortia or legislators to govern liability in a multi-party transaction. In particular, one can shift the liability away from accredited identity providers on the basis that they have demonstrated the proper privacy and security controls through certification. In other words, trust certification can be used to kill the liability elephant that has been haunting the federated identity rooms for so many years.
By capping liability risk through certification, an identity trust framework would make it commercially easier for large Internet consumer, commercial banks and online payment systems to participate as identity providers in high assurance transactions such as health care, eGov services and all new breeds of cloud services. In essence, this not too different from the VISA model, where a consortium of financial institutions establishes the network blueprint, for online payment, defines the necessary security controls and is hen able to shift the liability (in this case, away from the card issuing banks (IDPs) to the merchants (RPs), who are generally responsible for charge back expenses).
Of course, certification does not happen in a vacuum. Certification is about risk management. It needs to define privacy and security controls appropriate to the transaction and information risk levels. This means that identity certification will have to discriminate among different levels of assurance (most likely, the four NIST levels of authentication) in order to adapt across multiple verticals. Howard Schmidt seems to agree with the need for identity trust frameworks and even points to a concrete market: "The president is 'concerned and very committed' to making sure that as healthcare goes electronic that 'we also have the right controls for security and privacy,' Schmidt said at a May 11 conference on privacy and security sponsored by the Health and Human Service Department. "The plan to develop a strategy will focus on ways to improve identity management. As part of that effort, the administration will roll out a 'trust framework' incorporating authentication technologies, standards, services and policies that government, industry and consumers could adopt. The key issue is that we have to instill trust in the system. If we don't trust the system, we won't use it and if we don't use it, we lose its [potential] benefits".
For all of us in the digital identity world, it is certainly encouraging to see that the federal administration is recognizing the importance of identity management and its acute need for trust policy. It is certainly not an easy issue, but it is now getting the visibility that it deserves. There is also plenty of good will in the industry to collaborate and make a trust framework for eHealth a reality. The elephant may not have quite left the building, but at least we can now all see it, and it is a good thing.