An interesting question not asked enough

Matt Flynn relays an interesting question about federation. The question essentially boils down to this:

How do we audit federation-enabled access to business services?

What I find interesting is not the question or the answer, but how rarely the question is asked. A few years ago I made the utterly wrong prediction that this would be a big issue by now. Given all the attention paid to compliance in the IdM space over the past few years, there are several explanations as to why this issue is hardly ever discussed:

1) Few businesses are really using federation to give their business partners access to important services.

2) Of those that are, many are using a federation service provider such as Covisint, and Covisint supplies auditing tools and services that address this need.

3) In some cases federation has been added after the fact to an existing partnership where access was originally granted via provisioned user IDs and passwords. In that case the service provider likely already has auditing capabilities that remain applicable after the conversion to federation. This was the case with several federation deployments I was involved with at OpenNetwork/BMC.

I had also predicted that this issue, along with the difficulty of establishing the legal agreements needed for federation, would drive business partners to federation service providers like Covisint.

One response to “An interesting question not asked enough”

Hi Jeff, you seem to be emphasizing ‘audit of federated transactions’ (i.e. logs of SSO operations in support of audit), whereas I get from the original query ‘audit of the security infrastructure’ (i.e. to ascertain the assurance levels a given IDP could meet etc.)

Of course, a federation provider like Covisint can facilitate both.
