A New Day for ID Management
"We're not only getting one-off solutions, but architectures for a number of different solutions, so that whole sectors of the economy and segments of society can more fully go online," said MIT's Dazza Greenwood. "Practically everywhere you look, you see news and signs of this transition that's occurring, an exciting time for people interested in identity."
Let's examine the relationship between controlled digital identities in cyber risk management. Our panel will explore how the technical and legal support of ID management best practices have been advancing rapidly. And we'll see how individuals and organizations can better protect themselves through better understanding and managing of their online identities.
The panelists are Jim Hietala, the vice president of security at The Open Group; Thomas Hardjono, technical lead and executive director of the MIT Kerberos Consortium; and Dazza Greenwood, president of the CIVICS.com consultancy and lecturer at the MIT Media Lab. The discussion is moderated by Dana Gardner, principal analyst at Interarbor Solutions.
Listen to the podcast (43:45 minutes).
Here are some excerpts:
Dana Gardner: What is ID management, and how does it form a fundamental component of cybersecurity?
Jim Hietala: ID management is really the process of identifying folks who are logging onto computing services, assessing their identity, looking at authenticating them, and authorizing them to access various services within a system. It's something that's been around in IT since the dawn of computing, and it's something that keeps evolving in terms of new requirements and new issues for the industry to solve.
Particularly as we look at the emergence of cloud and Software as a Service (SaaS) services, you have new issues for users in terms of identity, because we all have to create multiple identities for every service we access.
You have issues for the providers of cloud and SaaS services, in terms of how they provision, where they get authoritative identity information for the users, and even for enterprises who have to look at federating identity across networks of partners. There are a lot of challenges there for them as well.
Figuring out who is at the other end of that connection is fundamental to all of cybersecurity. ...
You can look at things that are happening right now in terms of trojans, bank fraud, scammers, and attackers, wire transferring money out of company's bank accounts and other things you can point to.
There are failures in their client security and the customer's security mechanisms on the client devices, but I think there are also identity failures. They need new approaches for financial institutions to adopt to prevent some of those sorts of things from happening. I don't know if I'd use the word "rampant," but they are clearly happening all over the place right now. So I think there is a high need to move quickly on some of these issues.
Gardner: Are we at a plateau? Or has ID management been a continuous progression over the past decade?
Thomas Hardjono: So it's been at least a decade since the industry began addressing identity and identity federation. Someone in the audience might recall Liberty Alliance, the Project Liberty in its early days.
One notable thing about the industry is that the efforts have been sort of piecemeal, and the industry, as a whole, is now reaching the point where a true correct identity is absolutely needed now in transactions in a time of so many so-called Internet scams.
Gardner: Dazza, is there a casual approach to this, or a professional need? By that, I mean that we see a lot of social media activities, Facebook for example, where people can have an identity and may or may not be verified. That's sort of the casual side, but it sounds like what we're really talking about is more for professional business or e-commerce transactions, where verification is important. In other words, is there a division between these two areas that we should consider before we get into it more deeply?
Dazza Greenwood: Rather than thinking of it as a division, a spectrum would be a more useful way to look at it. On one side, you have, as you mentioned, a very casual use of identity online, where it may be self-asserted. It may be that you've signed a posting or an email.
On the other side, of course, the Internet and other online services are being used to conduct very high-value, highly sensitive, or mission-critical interactions and transactions all the time. When you get toward that spectrum, a lot more information is needed about the identity authenticating, that it really is that person, as Thomas was starting to foreshadow. The authorization, workflow permissions, and accesses are also incredibly important.
In the middle, you have a lot of gradations, based partly on the sensitivity of what's happening, based partly on culture and context as well. When you have people who are operating within organizations or within contexts that are well-known and well-understood -- or where there is already a lot of not just technical, but business, legal and cultural understanding of what happens -- if something goes wrong, there are the right kind of supports and risk management processes.
There are different ways that this can play out. It's not always just a matter of higher security. It's really higher confidence, and more trust based on a variety of factors. But the way you phrased it is a good way to enter this topic, which is, we have a spectrum of identity that occurs online, and much of it is more than sufficient for the very casual or some of the social activities that are happening.
But as the economy in our society moves into a digital age, ever more fully and at ever-higher speeds, much more important, higher risk, higher value interactions are occurring. So we have to revisit how it is that we have been addressing identity -- and give it more attention and a more careful design, instead of architectures and rules around it. Then we'll be able to make that transition more gracefully and with less collateral damage, and really get to the benefits of going online.
Gardner: What's happening to shore this up and pull it together? Let's look at some of the big news.
Hietala: I think the biggest recent news is the U.S. National Strategy for Trusted Identities in Cyber Space (NSTIC) initiative. It clearly shows that a large government, the United States government, is focused on the issue and is willing to devote resources to furthering an ID management ecosystem and construct for the future. To me that's the biggest recent news.
Greenwood: We're just now is at a crossroads where finally industry, government, and increasingly the populations in general, are understanding that there is a different playing field. In the way that we interact, the way we work, the way we do healthcare, the way we do education, the way our social groups cohere and communicate, big parts are happening online.
In some cases, it happens online through the entire lifecycle. What that means now is that a deeper approach is needed. Jim mentioned NSTIC as one of those examples. There are a number of those to touch on that are occurring because of the profound transition that requires a deeper treatment.
NSTIC is the U.S. government's roadmap to go from its piecemeal approach to a coherent architecture and infrastructure for identity within the United States. It could provide a great model for other countries as well.
People can reuse their identity, and we can start to address what you're talking about with identity and other people taking your ID, and more to the point, how to prove you are who you said you were to get that ID back. That's not always so easy after identity theft, because we don't have an underlying effective identity structure in the United States yet.
I just came back from the United Kingdom at a World Economic Forum meeting. I was very impressed by what their cabinet officers are doing with an identity-assurance scheme in large-scale procurement. It's very consistent with the NSTIC approach in the United States. They can get tens of millions of their citizens using secure, well-authenticated identities across a number of transactions, while always keeping privacy, security and also individual autonomy at the forefront.
There are a number of technology and business milestones that are occurring as well. Open Identity Exchange (OIX) is a great group that's beginning to bring industry and other sectors together to look at their approaches and technology. We've had Security Assertion Markup Language (SAML). Thomas is cochair of the PC, and that's getting a facelift.
That approach was being brought to match scale with OpenID Connect, which is OpenID and OAuth. There are a great number of technology innovations that are coming online.
Legally, there are also some very interesting newsworthy harbingers. Some of it is really just a deeper usage of statutes that have been passed a few years ago -- the Uniform Electronic Transactions Act, the Electronic Signatures in Global and National Commerce Act, among others, in the U.S.
There is eSignature Directive and others in Europe and in the rest of the world that have enabled the use of interactions online and dealt with identity and signatures, but have left to the private sector and to culture which technologies, approaches and solutions we'll use.
Now, we're not only getting one-off solutions, but architectures for a number of different solutions, so that whole sectors of the economy and segments of society can more fully go online. Practically everywhere you look, you see news and signs of this transition that's occurring, an exciting time for people interested in identity.