Communicator Unveils First Liberty Product
Web Services standards show up, slowly
Creating secure online communities between companies without compromising each one’s unique security plans and policies just got easier. Communicator Inc., based in White Plains, NY, announced that its Communicator Hub ID, a digital identity management service, is the first product that uses the Liberty Alliance’s open specification for federated network identity in an inter-enterprise environment. Liberty is a Sun Microsystems-led effort to get all Web Services users to agree to a standard.
A consortium of eight Wall Street firms, including Credit Suisse First Boston, Goldman Sachs, and Salomon Smith Barney, formed a consortium in April 2002, called SecuritiesHub, which uses Communicator to interface researchers. Any of the 22,000 SecuritiesHub users and customers, all from different firms, can use a single user name and password to access proprietary bond research and trading information often located on the different companies’ intranets. Communicator software takes care of matching the security credentials between different companies’ systems and manages the content, letting members subscribe to information or forward it to other members.
“It’s a gated community—the federated directory lets each participant set the rules for the community,” says Serge Shinkar, product manager for Communicator Hub ID. Given that these are financial firms opening up research to each other, however, it doesn’t look like any old community. For one thing, no one can use an alias, and everyone must satisfy mutually set levels of authentication and authorization. “I can't go in myself. I need to have a company vouch for me,” says Shinkar.
Gated communities give businesses a way to share information while maintaining their security and not having to translate security policies for every partner. “What you don't have to do is get all these guys in one room and say, 'Okay you have to agree on how you do this policy,'" says Ray Wagner, Research Director of Information Security Strategies at Gartner.
Wagner says Liberty “is a great way to build a community.” However, companies that create software that’s simply compatible with SAML (Security Assertions Markup Language), the Web Services security framework, don’t need to necessarily bother with Liberty. “The fact is, if you're committed to SAML, you don't have to go all the way to Liberty,” he says. The benefit from doing so would be if Liberty ever gets widely adopted.
To date, federated identity adoption is not widespread. Much of the banking industry’s view, at least, is “no one has shown us any real good value around federated identity,” Wagner explains. He says many companies are probably waiting to see if Liberty becomes a standard, so they don’t have to sign up to use it.
Other companies are already doing work that approaches Liberty without adopting it, in particular Delta’s Skyteam alliance, which consists of Delta, Korean, Aero Mexico, CSA Czech Airlines, Alitalia, and Air France. The alliance lets fliers use their frequent flyer miles gained from any of those airlines on any other in the alliance. “That's not small potatoes,” says Wagner.
Liberty adoption has been slow to take off. Liberty also competes with Passport— Microsoft’s alternative to the Liberty Alliance that would use Microsoft’s brand of Web Services and also work with .NET servers. Neither proposal, however, has won the race, Wagner notes. “Whether or not Liberty or Passport will ever be ubiquitous, it's anyone's guess, and I would guess it's not likely. Liberty needs AOL behind them, and it seems like AOL's interest is flagging.”
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.