One of the lessons GM’s Jackson has learned in the process of federating third-party services in an employee portal is that legal staff must be educated on the ramifications of federation. On the other side, the service provider must strike a balance.
“You can’t be too loose, so as to expose yourself to breaches of fiduciary responsibility,” says Roger Sullivan, vice president of business development at Oracle. “But, on the other hand, you can’t make it so restrictive that it’s more difficult to trade using this automated model than it would be using paper.”
Pain points for federation
With governance, there are four primary areas of focus: business issues, liability, privacy, and security.
The business issues can include details of who does what, who pays for what, and revenue-sharing agreements. Most of these are straightforward and are probably already outlined in existing business agreements.
Liability is a tougher problem. Working through the liability issues “ultimately comes down to a common desire by both parties to use federation,” GM’s Jackson says. “Both organizations have to come to an understanding that it’s worth the risk and then work through the issues.”
There are no set formulas for assigning risk. “It’s largely ad hoc and dependent on the nature of the application and how large the risk is,” Jackson says. “A travel application is smaller risk than someone’s 401(k).”
Privacy sometimes gets short-changed in IT projects, but you can’t ignore it in federation. Many federations include more than mere authentication. The identifying party may be providing personal data to the federation partner, including things like Social Security number, birth date, and even credit card information, depending on the application.
In many cases, use of this data is governed by regulations, especially in Europe and for certain verticals in the United States, such as finance and health. In other cases, you may have promised to protect your customers’ data in specific ways; federation requires that these same protections be offered by your partners.
“Revocation of identity credentials is also a key element of any federated scheme,” says Scott Blackmer, an attorney who specializes in IT and privacy law. “Otherwise, federation amplifies the threat of fraud, identity theft, and misattribution of content and opinions, as one party after another relies on bad credentials. Federation should include a system for verifying challenges to identity credentials and suspending or revoking them when they have expired or become suspect.”
The importance of policy