Despite industry efforts to standardize identity management infrastructures, end-user decisions are still clouded by products with interoperability issues. Hydrasight research director Michael Warrilow said vendors are not doing enough to ensure interoperability. Over recent years, larger players have acquired smaller vendors to build out an identity 'stack' as part of a broader infrastructure.
"Having a good 'story' on security and identity helps the major vendors lock in customers," Warrilow said, adding this lock-in has been focused primarily on internal applications and Web front-ends.
"Vendors need to ensure they focus on moving towards efficient means of allowing trust and passage of information between organizations," he said. "Right now, many organizations are forced to resort to using e-mail to send information, [because] of the minimal identity management required."
On standards, Warrilow said, some - like LDAP - have become "de facto" standards, while others like SAML (Security Assertion Markup Language) have only had moderate take-up.
"What is needed is a way to graduate or increment security, dependent upon the use scenario," he said. "Web services represents our 'best hope' to improve this situation and create loosely-defined trust relationships to allow improved 'federation'."
One organization facing a massive identity management challenge is the NSW government, with its efforts to integrate services across departments. An NSW Department of Commerce spokesperson said the agencies are very experienced in the offline identity management of their external clients, but there are still many issues involved.
Such issues include the "practical scope of online identity management" and the "variety of needs across large organizations".
The spokesperson also said the lifecycle costs and benefits of identity management systems "when transactions between individual clients and government service providers are infrequent" are also a problem.
To that end, Warrilow believes "you can safely assume 'federated' will be the buzzword in identity in 2006".
Hewlett-Packard's CTO for identity management and security, Jason Rouault, said there are standards relating to authentication, but types of authentication typically don't have standards from a vendor support point of view.
"Each vendor has its own APIs and that's a big issue, because enterprises that roll out identity management need to support many vendors," Rouault, who is working on standards-based identity management with the Liberty Alliance, said.
"A new wave of hosted business applications provides a strong case for federation, which also has the ability to share attribute information."
Rouault said the evolution to standards-based ID management will be similar to how bank credit cards evolved, allowing people to use one card at different banks' ATMs.
Novell's CTO for identity-driven products, Carlos Montero-Luque, agrees the industry "hasn't got there yet", but is moving in that direction.
"It used to be a very locked-down environment with strict requirements - that is changing substantially," Montero-Luque said.
"The standardization is critical and becomes a vendor problem. If the vendor cannot give you a good story for interoperability then the vendor is asking you to work around them."