Last updated July 15, 2008
Alliance Proposes ID Standard

The tantalizing goal of intra-company and cross-company integration got a step closer last week with the release of a new authentication and identity standard from Liberty Alliance. Although Web Services are already being used to integrate disparate applications within the enterprise, and are a big technology initiative for Merrill Lynch this year as a result, business-to-business adoption has been lagging.

Web Services are built using XML-based open standards, and there are a number of these standards that come together to form Web Services. There are currently standards in place for identifying and locating Web Services, for exchanging instructions, and for communicating certain types of data. Last week's announcements add identity and authentication to that list, making Web Services that much more attractive for enterprise applications.

"We see this as the fundamental heart of Web Services," said Andy Eliopoulos, director of network identity at Palo Alto, Calif.-based Sun Microsystems.

With a standard, the two parties involved in an integration project won't have to use products from the same vendors; they could just make sure that the vendors they did pick used the standard. That probably won't be too hard. The Liberty Alliance Project already represents some 70 companies, including technology firms like Sun Microsystems and Hewlett-Packard and financial services companies like Citigroup and American Express, as well as telecommunications and consumer companies.

Daniel Blum, an analyst at the Salt Lake City-based Burton Group, said: "There are other problems to solve down the road, but this seems to be the immediate obstacle." The newly announced standards are complementary to, and are expected to work together with, the WS-Security standard recently proposed by IBM and Microsoft, Blum said.

Still to come? Standards that make it possible for Web Services to be used for multiple transactions, and for transactions that involve multiple parties.

The Liberty Alliance version 1.0 specification, released last week at a Burton Group conference, uses a decentralized system to confirm identity and access rights. Previously, this critical part of the Web Services infrastructure was only available as single-vendor, proprietary solutions, including Microsoft's much-criticized Passport initiative.

"Passport is a service that is run by Microsoft and is in a central data center," said Michael Barrett, vice president of Internet strategy at New York City-based American Express Co. "That isn't what we were looking for."

Under the Liberty Alliance specification, trusted parties such as financial institutions would keep identity information, such as user names and account numbers. These identity providers would then authenticate users or Web Services applications to other parties. Financial institutions are "natural centers of gravity" for identity data because businesses and retail customers already trust them, Barrett said. This makes Liberty more palatable to financial firms and other companies that don't want to give up control of customer information.

"Companies are concerned about disintermediation," Blum said. "They want to control their customer relationships." That doesn't mean that there's nothing good about Passport, he added. "Users don't necessarily like multiple sign-ons."

However, the downsides of trusting a computer company with sensitive customer data were significant enough to cause American Express, Citigroup, and other companies to start looking for alternatives. Another downside to using Passport or another vendor-specific, proprietary product was that it was hard to integrate with business partners: each partner would have to use the same exact product. This means that integration had to be accomplished on a case-by-case basis and was long and involved, Barrett said.

One example of the use of the Liberty Alliance standard would be to control a buy-side firm's access to a dealer's system. Today, individuals at the buy-side firms are issued passwords either manually, which creates security problems if they leave the company or change jobs, or through a dedicated feed from the buy-side's HR department. A Liberty Alliance-based alternative would be much quicker to set up, Blum said. "If you have single-time messages, no permanent records are kept at the remote partner," he said. "So they're never going to have outdated information about your employees and never risk a security breach."

American Express was originally drawn to Liberty Alliance because Sun, one of the company's key strategic technology partners, was already involved, Barrett said. Barrett, who is also a member of Liberty's management board, said one immediate application of the Liberty Alliance standard would be in online retailing.

"For example, imagine that American Express and United Airlines decided to do a deal," he said. "Part of the aspect of that deal would be that we would allow American Express customers to view United frequent flier miles at their Web site and vice versa. If we attempted to build such a partnership at the moment, American Express would have to get into real nasty point-to-point discussions: we use this security engine, you use that security engine, how do we glue them together? Now, all we'd have to say is we use Liberty Phase One. It absolutely does provide the security framework."

Liberty Alliance relies heavily on SAML (Security Assertion Markup Language), a more general-purpose XML-based standard for exchanging security information. SAML, which was also announced at last week's Salt Lake City-based Burton Group conference, is expected to be approved by the Organization for the Advancement of Structured Information Standards (OASIS) standards-setting body this November. Implementation of the standard is already under way at many institutions.

Sun Microsystems is using the Liberty Alliance standard in its Sun ONE Web Services development platform. One Sun customer, Bank of America, is using Sun ONE to automate mortgage processing for its network of independent brokers and to integrate next-generation Web Services with legacy applications and data.

Elsewhere, Wells Fargo is using the standard to provide next-generation single sign-on access across all of its Web sites, including its online brokerage, according to Avid Modjtabai, executive vice president, Wells Fargo Consumer Internet Services.

And over the next three months White Plains, N.Y.-based Communicator is implementing the standard to provide single sign-on capability for bond buyers and dealers using its Bond Hub network. Currently, if a firm wants to participate in Bond Hub by offering data or services to its members, there's an integration process that can take weeks or even months, said Serge Shinkar, product manager of Hub ID at Communicator. By switching to the Liberty Alliance standard, that process can be reduced to just a day, Shinkar said.

"For example, a market data provider or pricing service or news service will be able to offer their services within this community without going through a lengthy implementation period," he said. "The enablement will be at the turn of a switch. It's going to help us retain customers and serve our customers better because the community is going to be more dynamic."

For its part, IBM has announced that it will use SAML in the next version of its Tivoli Access Manager, due out in early 2003. According to Bob Sutor, director of ebusiness standards strategy at IBM, last week's announcements mean that we're about halfway to the goal of having full and robust Web Services. Within six months, the technology will be 70 percent there, he added. "The second half of this year is quite active."

After the security standards are in place, the major issue left to resolve would be business processes: Web Services-based interactions that involve multiple transactions or multiple partners. The reason that the different parts of Web Services specifications are coming out in bits and pieces, he said, is that different companies have different requirements. For example, if a company is using Web Services within the corporate firewall to help make legacy applications mesh better, then security is less of an issue. In addition, different companies may use different authentication mechanisms and may require encryption, digital signatures, or other security measures.

The way the standards are currently being written, and this is what causes some of the delays, is to allow maximum freedom of choice while maintaining interoperability. "We have to make sure that the standards layer on top of each other," Sutor said. "What we're after is a certain elegance of design."

Maria Trombly can be reached at 011-86-21-6387-7243 or by email at maria@trombly.com