Convenience over Security: The role of industry

New York is the location of yet another identity information on public website fun. It is sad, but I am kind of used to reading about these. What is slightly more shocking was the reason given why the data was out there in the first place:

The documents were posted on the New York site as a convenience to lenders looking to learn more about the financial status of potential borrowers.

Ah yes… for the convenience of industry the government will put citizens at risk. I thought that government was formed to protect citizens, not to facilitate industry making a buck off them. Oh wait, I forgot, this whole HD television thing is an exercise in that. Ok, ok, ok, if government is going to help industry make a buck off of us, at least do it more securely.

Stuff like this makes me wish I could be a Blank.

Diversity as a form of Defense in Depth

I was thinking about David Maynor’s post on Cisco’s latest security updates. His feelings are quite clear on the danger of a homogenous network:

Again let me state for the record how I feel about this: do not buy a single vendor solution for something as important as the very basis for how your network operates. I know you may get volume discounts or sales reps might take you to nice lunches but eventually something like this will happen.

A homogenous network is a weak network. Yes, all products from every vendor have bugs and vulnerabilities. In a homogenous network, all of those bugs and vulnerabilities are arranged like a row of billiard balls. One good smack on one end will travel clear to the end of the row. In a heterogenous network, the bugs and vulnerabilities don’t line up so neatly. In fact, the heterogenous network looks more like a set off balls randomly dispersed on the table. A bump on one side is far less likely to make it all the way across – that is a form of defense in depth.

Thoughts on Jim Harper’s talk

While Washington, DC may not have a lot of companies working on identity technologies, it certainly has a lot of bright people working on identity policies. This afternoon I got to hear one them, Jim Harper, speak about his research into identity and identification and his subsequent book, Identity Crisis: How Identification Is Overused and Misunderstood. If you haven’t read it yet, do so. It is an approachable survey of identity management and identification issues facing the U.S., set in the context of the REAL ID Act. (The short blurb I gave my mother-in-law about the book was enough to get it into her reading stack.) This wasn’t the first time I had the opportunity to hear Jim; Phil roped him into giving a keynote at Digital ID World last year.

There were two items I took away from his talk. First, Jim has an excellent analogy on how we protect physical assets versus how we “protect” electronic financial data. How many keys do you have in your pocket or purse? I’d wager it’s probably more than three. I’m also confident that you have a bunch more keys at home in the drawer somewhere. Each key matches up to an important physical asset: an apartment, a bike, a car, a safe, etc. In fact, you may even use multiple different keys to secure the same physical asset. Although convenient, I don’t think anyone would use the same key for every asset they own; just the idea of it seems somehow unsettling. Jim makes the point, if people don’t use a single key for securing their physical assets, how come we have (or are coming dangerously close to) using a single key, social security number, for “securing” all of our financial data?

Second, the point that credentialing, or authorizing, is just as important as identifying. At a point-of-sale terminal, merchants are primarily interested in can you pay, not who you are. Knowing that you are allowed to travel, but hiding who is doing the traveling. This smacks of both Dick’s Identity 2.0 talk and Bob’s talk on the Identity Oracle from last year’s Catalyst.

The question was raised what are the real opportunities that people have to opt-out of large scale identification. In reality, it is hard to opt-out of being identified and continue to fully function in society. There is a glimmer of hope in stronger identification systems allowing citizens more choice as what is needed to identify them. This sits somewhere between Kim’s Law of Minimal Disclosure and the Identity Governance Framework.

All in all, it was great to hear Jim speak and heartening to find parallels between identity policy and identity technology. I am concerned that too many bright identity minds are wrapped up in “enterprise” projects and have lost a bit of the wider societal view of the implications and impact of their work