Identity in Crisis
Managing identities is becoming one of the hottest problems in the corporate IT environment, and the thinking around identity and identity management is coming to the forefront of our CIO agendas.
If you start to think about identity and identity management, it wont be long before your head is ready to explode. The problem is immense, and quite complex.
Sleepless in Seattle, Boston, LA,
Let me share with you some things which should keep you up at night.
Passwords are not the answer, theyre not even the beginning of the answer. Yet, theyre probably the major authentication method in use today, and since theyre so easy to compromise, theyre the source of much of the attacks against systems today.
First, they dont truly identify the user, only that the possessor of the password knows it. I can give you my password, or you can trick me into giving it to you, and it doesnt make you me.
There are some basic rules to consider when you review your identity problems. This list is not conclusive, and there are a number of good discussions going on right now about the problem of identity. You should be aware of them do a search on identity management or "rules of identity" to get up-to-speed on the contemporary thinking regarding identity and identity management.
Why should you care about this? Increasingly you are going to face identity issues either personally or professionally. As weve moved to a more online commerce environment weve faced a higher criminalization of the environment, so increasingly as technology managers, the issue of knowing who is knocking on our digital door is going to be important.
A Few Observations
Here are some (more) things to consider:
Identity needs to be associative. Like the old algebra rule A+B = B+A, identity is associative. I go to the local supermarket and want to cash a check, but they dont know me. They ask me for my drivers license. In effect, they really dont trust me, but they do trust the state, so when I show them my drivers license, they know that since the state of New Hampshire trusts me, and they trust the state of New Hampshire, then they should trust me, at least as to who I say I am.
The same associative rule would apply if I showed them my passport, since they also trust the federal government.
Identity needs to be constrained to specific use. If the document I gave the supermarket to cash my check contained lots of information about me, my Social Security number, my income, my health record, there would be a potential for more information necessary to complete the transaction to be transferred, thus putting me at risk.
The supermarket needs to know that I am who I say I am and needs a way to contact me if the financial instrument (the check) is in error. They dont need to know anything other than who I am, where I live and a way to find me if the financial instrument I presented is in error. Giving them my Social Security number, health information or any other piece of information puts me at risk.
Users need to control their identity documents. I have a RFID (radio frequency identification) fob on my keychain that allows me to purchase gas at certain stations. Unfortunately for this type of technology, it is also readable by anyone with an RFID reader without my consent.
Now if they read my fob, they wont know who I am because theyd have to access the database which correlates my fob ID with my actual ID, but frankly, it makes me nervous that by reading it, they could spoof it and become me to a gas pump.
At current gas prices, they could be an expensive identity theft. A user should have to explicitly authorize the transfer of ID to the requester.
ID verification needs to be symmetrical. You probably get five emails a day from Paypal, banks, etc asking you to unlock your account or verify who you are.
We should all know that these are phishing attempts trying to steal your identity, but it illustrates that the trust associated with exchanging identity needs to be symmetric: If you are asking me for my identity, I need to be absolutely sure I know who you are.
This is accomplished somewhat by the certification of websites by a known certificating agency and the associative nature of the trust with the certification agency. But obviously some of these phishing attempts are successful, so not everyone understands the nature of symmetrical trust.
ID should transfer in a one-time, encrypted manner. When I send my ID information to a website, it should be along the lines of two-factor authentication, it should have a finite life, be encrypted and its interception along the line (i.e. by sniffing the wire) should not allow its use at some future date.
The current two-factor identification like RSAs Secure ID performs some of this function, and its telling that Paypal has just struck a big deal with RSA.
ID needs to be universal. I have about a dozen bar-coded tags on my keychain, ranging from my supermarket card to West Marine. Its really getting ridiculous, each individual company I deal with has a unique way to identify me to their system.
What we need is a single-identity vehicle, preferably electronic, which contains all of the information about you; who you are, what you like, and more. We need to allow partitioned use with permission, so when I present the document to cash a check it tells the supermarket or bank only who I am, but when I present it to my doctor, it may tell him all of my health information.
It should be partitioned so I must give permission to access the specific information, and ideally it should be tied to some biometric data to conclusively prove who I am. It should be usable in person, like cashing a check at a supermarket, or online, like validating who I am to my bank online.
Its clear that identity has become one of the most important issues we as technologists deal with in our daily lives. Yet, were just at the forefront of this seminal issue, and its time for all of us to start thinking about it and doing our homework.
Daniel Gingras has been CIO of five major companies and is a partner at Tatum Partners, a nationwide professional services organization of senior-level technology and financial executives who take on leadership roles for client companies. He has more than 30 years of IT experience and teaches computer science at Boston University. He can be reached at firstname.lastname@example.org.