Federation is at odds with infosec best practice – and nature

In modern information security we implore businesses to understand the risks of their particular business contexts, and to enact security mechanisms that are attuned to their environment. There is no one-size-fits-all risk management arrangement. And infosec professionals frown upon one company adopting another's security system wholesale without first analysing their own situation and fine-tuning the controls.

The inherent differences between business settings are the clear reason why authentication rules have evolved into different silos.

And yet the dominant idea in contemporary identity management remains federation: the unreal optimism that one identity can efficiently work across multiple unrelated contexts.

It seems to me like a law of nature – perhaps something like a Conservation of Risk Management Energy – that the effort and cost required to devise one identity that interoperates across N contexts cannot be less than the total overhead of maintaining N separate identities.

It’s truer today than ever before: you cannot cut corners in risk management.