A short time ago I delivered a presentation on identity federation to an online audience as part of a Brightalk hosted IAM Summit.  My talk was entitled "Identity Federation:  What is it and why it is a key foundation for SaaS and the future of the Web?"  For this blog I thought would expand on one part of that presentation and highlight a new business model - what I call "identity providers for hire." This model is enabled in part by federation technology and is showing early signs of life in the market. 

In general security technologies are hardly thought of as key enablers of new business models or sources of revenue for organizations.  Generally security technologies are used to mitigate risk; security investments are intended to reduce the probability of future loss (kind of like buying insurance).  However, in the case of identity providers for hire, not only is a security technology enabling a new user experience (single sign-on across the Internet), but it is a key element of a completely new type of business - getting paid for identity proofing and authentication.  So rip up those insurance policies and break-out the business plans!

What is going on here?  Organizations which offer valuable services or data on the public Internet need to be reasonably sure who they are providing them to, thus they need to proof and authenticate their users before providing them access.  To do this the Web application providers need to be vertically integrated in a Web application sense. They not only need to provide the specific applications and data for which they are specialists, but also must confirm the identity of their users - an area in which they are generally not specialists. 

Frankly only so many entities in the world can possibly know an individual well enough to efficiently authenticate them - governments, banks, credit bureaus, ISPs, and universities being representative examples.  Not only is it a pain for zillions of Web sites to proof and authenticate their users, but it is incredibly painful on the users themselves to do this for each and every Web site with which they do business.  As markets mature specialization is typically what results.  The consumer Web is no different.

Organizations such as Equifax are reportedly entering the identity provider for hire market.  Like it or not Equifax and its credit bureau brethren know a lot about you as a result of their data collection on you.  They are thus in an excellent position to raise the probability that the person claiming to be you is in fact you in the online world. 

I believe that ultimately there will be many identity providers for hire with  which both you, the user, and the relying Web site can choose to do business - ranging from governments and banks to ISPs and universities.  Their offers will likely range from being free to being expensive, and their warranties from non-existent to near absolute.  There is a lot to work out before this model can really bloom, but clearly the early green shoots bear watching and further development - particularly if your organization could either directly consume or provide identities for hire.  So yes, security technologies are evolving to being direct enablers of new streams of revenue.