GM, Boeing Faced Uphill Battle To Reach Global Identity Management

Managers from two multinational companies share their tips on connecting employees, parts suppliers, other business partners, and outsourced software developers.
As the global identity management system irons out its kinks, there's still a need to connect it to more resources inside the company. At one time GM had more than 7,000 applications. They've been squeezed down to 2,481 by GM's CIO Ralph Szygenda, but Heaton's staff still needs to connect the identity management system to corporate software resources. "We're talking about federation nirvana. We haven't gotten there yet," he acknowledged.

"The CIO wants single sign-on for every application in three years," he said. Other firms in telecommunications and a few in insurance have done it against less daunting odds, he said. GM will do it, too.

Later in the same session, John Tolbert, federation project manager and authorization systems architect for Boeing, reinforced several things that Heaton said. Boeing's global identity management system has moved to the Security Assertion Markup Language, or SAML, standard. Version 2.0 of the standard, established two years ago by the Organization for the Advancement of Structured Information Standards (OASIS), makes it possible for different authorization systems to work together. But Boeing found that SAML 2.0 "isn't widely adopted yet," said Tolbert, as his firm tried to build connections with suppliers and business partners.

In the automotive industry, GM was told by DaimlerChrysler that it would cost $2 million to upgrade its identity management servers to SAML 2.0, and Heaton concluded he had to design at least part of his system to work with SAML 1.1. New regulations are adding to identity management system requirements. A directive of the Federal Financial Institutions Examination Council (FFIEC) issued last year requires two-factor user authentication rather than just a user name and password. The requirement applies to any financial institution that executes high-risk financial transactions on its Web site and takes effect at the end of 2007.

Two-factor authentication can be achieved by having the user carry a token that generates a random identification number synchronized with a similar generator on a central server. The number is valid for 30 to 60 seconds as the user logs in, then expires. Such a user identifier is hard to steal and use within the allotted time: an intruder who sniffs it off the network during its one-time use can do nothing with it after it expires.

"The FFIEC is recognizing that no single authentication mechanism is immune to abuse," while two-factor systems are much harder to crack, said Burton Group analyst Mark Diodati.