Why is the Identity leg of the stool missing?

[Many thanks to Gerry Gebel for giving me the nucleus for this post]

In the midst of the ongoing privacy and security conversation, I pointed out last week that identity is the missing leg of the security/privacy stool. Identity is both a means of expressing privacy requirements and a necessary set of security controls, as well as a key to delighting customers and driving business engagement. A colleague pointed out that while security and privacy might be different halves of the same coin, identity is the coin itself. I’m not sure I fully agree with that, but it gets at a sentiment I share.

The use and protection of identity data has strong footing in both the privacy and security worlds. And yet identity and identity management professionals are not first-class members of the conversation. Why is that? One reason, in my opinion, is that we didn’t expect the industry to stand alone for the duration.

The inevitable absorption into business process that never happened

Speaking as an identity professional, I don’t think we claimed our seat at the table because, in part, we didn’t expect to be around IT for so long. 10 to 15 years ago there was a thought that identity would be subsumed by larger, adjacent business process engines. Human resource management, for example, should have absorbed identity management, at least for employee identity. I still remember the Catalyst in San Francisco where the Burton Group identity team (I was just a newbie in the audience at the time) had Oracle and SAP talk about their plans (or lack thereof) for synergy between HRMS and IAM. What was clear to Burton Group was that the systems that managed your job role and responsibilities ought to be managing them in both the online and offline worlds.

Employee identity really ought to be a function of HR and an extension of HRMSs. In doing so, identity professionals would become the technical arm of HR. Some companies tried this, putting their technical role management programs within HR. For political, organizational, and cultural reasons, those approaches did not last.

If HR was to be the home of employee identity, then what of customer identity? Looking to the business process engines that manage customer information, one could see CRM systems absorbing customer identity functions. In such a world, the teams overseeing sales, service, and marketing processes would be the voice of the customer and their business process engines would deliver the identity functionality the customer needed.

In both scenarios the job of “standalone” identity management technology and professionals would be greatly diminished. The path forward for professionals in such a world was to become technical HR, Sales, Service, Marketing, etc. professionals, acting as business system analysts serving their constituency or delivering architectures and process integrations to allow identity information to flow and be useful. These worlds did not fully materialize.

The role of design in protecting cyberspace: thoughts from CFP 2009

Among the sessions in this year’s Computers, Freedom and Privacy conference was a panel on the recently released national review of cyber-security. Ed Felten presented three related areas that he believes have to be improved in equal measure to improve overall cyber-security:

  1. Product development
  2. System administration
  3. User behavior

But, to me, there was something missing from the list: product design.

Too often I have seen products whose user interface, in fact their entire user experience, was constructed after the fact. First the special sauce gets codified, then the chrome is put on and the product gets a face. It is easy to recognize products that have been built in this way, as they tend to expose their internal data models to users, forcing users to adopt the metaphors of the engineers that built the product in the first place. These types of products turn problems internal to the product into problems for the end user, and this can lead to very bad things. See Three Mile Island as an example. Poor user experience design leads to so-called “user error,” but is it really user error if the end user is confronted with meaningless alarms, confusing error messages, and misleading feedback?

At CFP, I talked to Bruce Schneier about the research that went into Beyond Fear to get a better understanding of the psychology of fear and its relation to security. As you probably know, humans (and other animals too) are fantastically bad at evaluating risk. Optimism bias and other factors cause us to either over- or under-estimate risks. Combine this with the fact that how choices are presented directly influences how choices are made, and you realize the crucial need to build better user experiences for security (frankly, all) products.

“Is everything okay with the mother ship and should we blow up Russia?” This is the question presented to Buckaroo Banzai, and I think I’ve seen a form of it as a dialogue box in Windows. Would it be considered user error if an end user pressed the “Yes” button and nuked Moscow? Bad design is at the least confusing and at the worst dangerous.

I did talk to Ed afterwards and he acknowledged the role of design in product development. As he said, if we only attempt to improve one of the three areas (product development, system administration, or user behavior) we won’t improve cyber-security; we have to improve all three. User experience design as a part of an improved product development process can directly lead to better, more informed user behavior. Okay, product managers and designers, make your voices heard: better, safer products through better design!

(Cross-posted from Burton Group’s Identity Blog.)

I’ll keep my paper passport, thanks

Here is a short piece on how a researcher, Chris Paget, bought a $250 RFID reader on eBay and used it to clone ePassports while driving 30 miles an hour near Fisherman’s Wharf in San Francisco. I fully recognize that this demonstration doesn’t represent a method for fabricating complete paper-in-hand cloned passports. Cloning is just the first step, but it is a big step. More importantly, it is a step that the State Department has said is somewhere between impossible and unlikely. The following is a passage from the privacy impact assessment (PIA) of TDIS, the Travel Document Issuance System:

The Department of State has taken extensive measures to prevent a third-party from reading or accessing the information on the chip without the passport holder’s knowledge. This includes safeguards against such nefarious acts as “skimming” data from the chip, “eavesdropping” on communications between the chip and reader, “tracking” passport holders, and “cloning” the passport chip in order to facilitate identity theft crimes. These safeguards are described in detail on the Department of State website.

Apparently those safeguards aren’t very strong.

I invite you to read the State Department’s FAQ on e-Passports. Notice the incredibly defensive tone in the opening of the answer to the question, “Will someone be able to read or access the information on the chip without my knowledge (also known as skimming or eavesdropping)?” Also notice the tacit acknowledgment that passport RFID chips can be cloned.

Mr. Paget intends to drive around DC this weekend to see what he can clone, and, with a macabre sense of humor, I look forward to reading his results.

Until then, I’ll keep my paper passport.

Chains of trust, questionable origins

If I wanted to print US dollars at home, I’d need the printing equipment, the paper stock on which to do it, and the magical ink. To thwart me, the government controls access to the printing plates, blank paper stock, and ink. This, of course, hasn’t stopped people from trying to print money, but the fake money they produce can be detected as fake because they do not have access to the real plates, stock, and ink. Because the government tightly controls access to the original materials and the flow of raw materials into the printing process, our money can be trusted. (Financial crisis and the government’s predilection to just print heaps of dollars notwithstanding.)

The government has not implemented the same model in the case of identification systems: passports and REAL ID driver’s licenses.

Consider this article from the Washington Times. The raw materials to make a new RFID passport, namely the blank covers with RFID chips in them, originate in Thailand. They are then shipped here for printing and binding. The control over access to this supply line seems to be very weak.

The new RFID passports are part of a chain of trust. Border Control allows me to re-enter the country if the passport is trustworthy and valid. Cloning passports has been demonstrated to be a trivial process, so one trustworthy passport can become an infinite number of trustworthy passports. The chain of trust extends from me and the INS at the airport, back to the passport issuance office, to the State Department, to Thailand, and back to Europe where the RFID chips are made. If any link along the chain cannot be trusted, then the entire chain of trust breaks. And this seems to be the case.

This is similar to REAL ID. In this case, municipal Departments of Motor Vehicles are responsible for protecting access to blank REAL ID stock. That, in and of itself, isn’t any different from what happens today. By transforming the driver’s license from a piece of plastic that says I am allowed to drive into a proof of citizenship, REAL ID extends the chain of trust in new ways. DMVs have been, and are, relatively weak targets, which breaks this newly extended chain of trust.

If the government wants to establish and extend chains of trust, it must control the flow of raw materials into the process and must ensure that each step is trustworthy.

And if you think I am picking on the government, here’s a third example that doesn’t involve the US government. It appears that credit card readers were altered during their construction. These altered readers were indistinguishable from their unaltered peers, and they sent account data to unknown people in Pakistan. Swipe a card to pay for groceries and off your data goes. In this case, the last stop in the payment card chain of trust was affected. If I cannot trust the card reader not to send my account information to someone I do not know, do not have a relationship with, and inherently do not trust, then I will stop swiping my cards and just order things online or pay cash.

A system designed to broker trust must consider the extent of its chain of trust. Each link in the chain must be fully vetted and strengthened. Until I see evidence of that, I am still going to keep hold of my non-RFID passport.