2006 will be the year that federated provisioning will become a priority for identity management vendors and organizations across various verticals.

Many view federated provisioning as the logical next step in the evolution of federation. It is poised to create a viable channel for communication of identity events between federation domains, while ensuring that the right parties are able to participate in the business flows as and when required.

Federated authentication cannot be leveraged to its fullest potential unless the federation of identities behind it has a real, well-defined business value. The federated identities must create real business synergy in the enterprise via the applications and services they have access to. This necessitates controls and tools that help meet compliance and scalability requirements. Initial use cases will be for provisioning accounts between different federation domains that exist within the global enterprise, but it won't be long before that value proposition starts to extend outside the enterprise boundary.

AGAINST, by Mark Ford, principal, Deloitte and Touche LLP

Over the past three to four years we have observed the advent of identity federation. The first functional aspect of identity federation on the scene was federated single sign-on, or F-SSO for short. The uptake of F-SSO has been predicated on the fact that open standards emerged from various factions within the industry and have continued to drive the basis upon which F-SSO has become achievable, and in general acceptance today.

Standards such as Security Assertion Markup Language (SAML), Liberty Alliance, and WS-Federation have helped to establish a foundation for F-SSO. As these standards continue to consolidate, we are seeing the promise of F-SSO come to life. In the case of federated provisioning, we have yet to see the emergence of an industry-supported standard that will help to simplify provisioning for a federated identity environment. While I can see its merits in real-time, I believe that we will not see federated provisioning become a reality until a coordinated effort to drive to a common standard is undertaken.

THREAT OF THE MONTH: OSX/LEAP-A

What is it?

OSX/Leap-A, also known as OSX/Oomp-A and CME-4, is the first virus which infects Mac OS X systems.

How does it work?

The virus is sent inside a .tgz archive file, posing as screenshots of the latest Mac OS X release. The executable inside the archive has a JPEG icon, in an attempt to fool unsuspecting users into double-clicking on the file. When executed, the virus infects recently used applications and attempts to spread to other Mac OS X users via iChat.

Should I be worried?

There is little threat from the current incarnation of the virus. The executable has bugs which prevent it from working as intended. The infection process requires a user to provide the administrator password. However, now that the technique for infection has been made public, interest in writing Mac OS X viruses will increase in the near future.

How can I prevent it?

Anti-virus scanners have been available for Mac OS X from several major vendors for some time; however, they have not been widely deployed. This is not because OS X is inherently more secure, but is simply due to the overall lack of malware for the platform. Mac OS X is subject to the same classic malware spreading vectors as Microsoft Windows, including browser exploits and social engineering via email and instant messaging.

Joe Stewart, Senior Security Researcher, LURHQ
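The disguise described under "How does it work?" can be checked before anyone double-clicks: the added example below (not part of the original column) reads a .tgz without extracting it and reports members whose content is a Mach-O executable, whatever their name or icon suggests. It goes slightly beyond the case in the text by also flagging files with the executable bit set that are not image data; the archive contents and file names are constructed for illustration.

```python
import io
import tarfile

# Mach-O magic numbers (32/64-bit, both byte orders) plus the universal
# "fat" header. Note: cafebabe is also the Java class-file magic.
MACHO_MAGICS = {
    bytes.fromhex("feedface"), bytes.fromhex("cefaedfe"),
    bytes.fromhex("feedfacf"), bytes.fromhex("cffaedfe"),
    bytes.fromhex("cafebabe"),
}
# Leading bytes of genuine JPEG, PNG and GIF files.
IMAGE_MAGICS = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8")


def suspicious_members(tgz_bytes):
    """Return (name, reason) for members that would run if double-clicked."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Read only the header bytes; nothing is written to disk.
            head = tar.extractfile(member).read(8)
            if head[:4] in MACHO_MAGICS:
                findings.append((member.name, "Mach-O executable"))
            elif member.mode & 0o111 and not head.startswith(IMAGE_MAGICS):
                findings.append((member.name, "executable bit set, not image data"))
    return findings


def build_sample():
    """Constructed archive: a real JPEG header, a Mach-O header, a text file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, mode in [
            ("shots/real_picture.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 16, 0o644),
            ("shots/preview", bytes.fromhex("feedface") + b"\0" * 16, 0o755),
            ("shots/notes.txt", b"constructed sample\n", 0o644),
        ]:
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample()):
        print(f"{name}: {reason}")
```

A mail or IM gateway could run the same check on inbound attachments and quarantine any archive that returns findings.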