Thoughts on Jim Harper’s talk

While Washington, DC may not have a lot of companies working on identity technologies, it certainly has a lot of bright people working on identity policies. This afternoon I got to hear one of them, Jim Harper, speak about his research into identity and identification and his subsequent book, Identity Crisis: How Identification Is Overused and Misunderstood. If you haven’t read it yet, do so. It is an approachable survey of identity management and identification issues facing the U.S., set in the context of the REAL ID Act. (The short blurb I gave my mother-in-law about the book was enough to get it into her reading stack.) This wasn’t the first time I had the opportunity to hear Jim; Phil roped him into giving a keynote at Digital ID World last year.

There were two items I took away from his talk. First, Jim has an excellent analogy on how we protect physical assets versus how we “protect” electronic financial data. How many keys do you have in your pocket or purse? I’d wager it’s probably more than three. I’m also confident that you have a bunch more keys at home in a drawer somewhere. Each key matches up to an important physical asset: an apartment, a bike, a car, a safe, etc. In fact, you may even use multiple different keys to secure the same physical asset. Although it would be convenient, I don’t think anyone would use the same key for every asset they own; just the idea of it seems somehow unsettling. Jim makes the point: if people don’t use a single key for securing their physical assets, how come we have (or are coming dangerously close to) using a single key, the Social Security number, for “securing” all of our financial data?

Second, credentialing, or authorizing, is just as important as identifying. At a point-of-sale terminal, merchants are primarily interested in whether you can pay, not who you are. In the same way, a travel system could verify that you are allowed to travel while hiding who is doing the traveling. This smacks of both Dick’s Identity 2.0 talk and Bob’s talk on the Identity Oracle from last year’s Catalyst.

The question was raised: what real opportunities do people have to opt out of large-scale identification? In reality, it is hard to opt out of being identified and still function fully in society. There is a glimmer of hope that stronger identification systems will allow citizens more choice as to what is needed to identify them. This sits somewhere between Kim’s Law of Minimal Disclosure and the Identity Governance Framework.

All in all, it was great to hear Jim speak and heartening to find parallels between identity policy and identity technology. I am concerned that too many bright identity minds are wrapped up in “enterprise” projects and have lost a bit of the wider societal view of the implications and impact of their work.

Identity Capacitance

Continuing on Andre’s thoughts that there are more identities coming from the Internet than from internal networks… The challenge for the enterprise is managing this vastly larger population without overrunning the systems and services currently in place. The problem is one of identity capacitance: how many identities can the company manage, and how many identity services can it offer?

A company can manage its 10,000 employees and their identity-related needs, and it can do this within budget and operational constraints. The systems that it employs to do so give the company an identity capacitance of X. Using federation tools, the company can raise its identity capacitance to 100X. But the total number of identities out there is far, far greater than that. To address this, the company has to increase its identity capacitance, but it can’t do so and still stay within budget and operational constraints. Enter Identity Service Providers. With theoretically infinite identity capacitance, the provider can let the company sanely manage the oceans of identities out there while providing all the quality of service that customers expect.

Questions I don’t have answers to: Is an identity service provider different from an identity provider? Do they compete with each other? Are they opposite sides of the same coin?

Two populations, two approaches

Andre over at Ping Identity has clearly been doing some heavy thinking. First, he connects internet-scale security and the continuing death of the firewall. Then, he raises the point that there are more identities outside the enterprise than within. The implication is that those external (Internet-based) identities are of real value to the enterprise; they are partners and customers. These external identities need to be “secured and tracked.” Two questions come to mind. First, do both populations require the same kind of identity management and services? At issue here is context. The context of a customer or partner is different from that of an employee. Yes, they may need similar identity services, but the manner in which they consume those services is context driven. This may lead to different sets of identity services, which must be centrally orchestrated and audited. Second, is the application tier really the best place to tackle these problems? I think the two different populations require different approaches. Companies need to tackle inside identities from the network layer up. Why? Because people on the inside have greater access to the soft, fleshy underbelly of the business. Even the most well-intentioned employee can inadvertently cause damage once he’s on the enterprise network. Meanwhile, outside identities should be dealt with at the application tier, as that is their access path to corporate systems.

Are we there yet?

This week, I spoke at the International Information Integrity Institute’s Forum in Dallas. The I4 is an interesting bunch. This members-only event brings infosec practitioners from around the world to swap war stories and hear about new trends. I was blown away by the attendees and the raw, frank way in which they discussed their issues.

“Sox sucks.” That was the gist of what one attendee said to me. She outlined the myriad of hoops she has had to go through dealing with SOX. Behind her frustrations was an implied question shared by many attendees – “When will we be done?”

When it comes to regulatory pressure, sadly, there is an inverse relationship between how tightly written the regulation is and how long it will take to be compliant. The tighter the reg, the less time it will take, and vice versa. PCI is fairly tight, whereas SOX (and its interpretations) are pretty loose when it comes to IT.

Major IdM projects often get presented to the enterprise like a decree from the Kremlin: “Good news, Comrades! We have a five year plan for achieving compliance through user provisioning. We shall be victorious.” The reality is that it really may take five years, but there’s no way you’ll sell upper management going that route. Successful projects use guerrilla tactics: find a small target, plan thoroughly, achieve the goal, move on to the next one. You can make the big five year plan work by stringing small victories together to achieve the end goal.

Unfortunately, in this litigious world, getting to “done-ness” is getting harder and harder. The good news is – every small victory and all the steps we take along the way make the business better.