ABSTRACT

Federated activity presents a challenge for enterprises with high-assurance security architectures. Federation involves information sharing among the services and with working partners, coalition partners, first responders, and other organizations. It may be unilateral or bilateral, and the parties may have similar or dissimilar information-sharing goals. Strong internal security controls often do not extend cleanly across enterprise boundaries, which invites insecure shortcuts and workarounds that can become the rule instead of the exception. This chapter presents methods for an enterprise to extend its strong security policies to include federation partners. The methods apply to federation partners that support the same security policies with compatible standards and services, and also to partners that provide a similar but incompatible security framework, only a subset of the required security services, or no security services at all. The partner organization may be fully trusted, partially trusted, or untrusted, and even a trusted partner's services may not meet the required security standards. The solution presented combines selected partner security services, internal services, derived credentials, delegated authorities, and supplemental services to form the federation security architecture.