Liberty Alliance releases privacy best practices

Find opportunities — and win them.

An industry standards body has released guidelines on how to ensure that online credentialing systems meet privacy laws.

An industry standards body has released guidelines on how to ensure that online credentialing systems meet privacy laws.

Agencies can use the Liberty Alliance Project's guide when developing authentication systems, said Christine Varney, a consultant for the San Francisco alliance whose members' focus is identity management standards.

The best practices released today accompany the release of the alliance's second set of specifications for federated identity management.

The Privacy and Security Best Practices includes a high-level summary of how to implement federated identity management systems so that they meet U.S. and European government privacy laws, such as the Child Online Protection Act, Health Insurance Portability and Accountability Act, and European Union Privacy Directive. It also offers guidelines on securing identity management systems.

The federated identity management specifications lay the groundwork for setting up Web-based services for authentication. With the specs, vendors and end-user organizations can start building applications that work together across systems. The initial round of Web services specifications includes templates for setting up registration systems and building employee profiles.

The federated approach to authentication is based on organizations setting up their own authentication systems that use a standard set of specifications for exchanging credentials across systems.

The Liberty Alliance specifications are well-suited to government use, Varney said, especially given the Office of Management and Budget's and General Services Administration's recent decision to scrap plans for a centralized federal authentication gateway.

The Liberty Alliance Project has more than 160 participating organizations, including GSA, the Defense Department and companies such as PeopleSoft Inc. of Pleasanton, Calif., Schlumberger Ltd. of New York, Sun Microsystems Inc. and VeriSign Inc. of Mountain View, Calif.

Joab Jackson writes for Government Computer News magazine.