Mistakes in identity

Breaking up your identity can be good for security

No system works perfectly all the time, but for something as fundamental as being able to prove who you are and get access to what you’re supposed to be able to do, we need to set things up so there’s a fall-back plan.

Breaking your identity up into pieces is good for security as long as we have audit trails and procedures for dealing with the problems. The Bandit project, led by Dale Olds from Novell, will add role-based authentication and auditing to identity systems, drawing on the Novell Directory Services, which Olds also worked on. He doesn't think this is an easy fix; indeed he admits “how difficult, almost unsolvable some of these issues are”.

He wants to get away from a single identity storing everything about you that a particular system wants to know, in favour of looking up the minimum of information securely from identity providers you choose – an identity metasystem. “The premise I would start with is that we need to try to design systems that more closely follow the physical world, to try to prevent the over-aggregation of data and over reliance on any single system.

There are so many aspects of identity in our daily lives that we have not sufficiently handled in the online world: evolution and replacement of identifiers, anonymous financial transactions (cash), mutual authentication (I authenticate to a service, but I'm not sure it's really the intended service), as well as partitioning and isolation of various system breaches and failures, information leakage and more. By dividing up identity into multiple pieces we can get the business and technological incentive to prevent companies from storing more information than they need. We need to unify identity systems in the sense of being able to communicate between them; we don't want to unify them in the sense of having only one system.”

With multiple identity providers, each of which has a small piece of information about you – your date of birth or your frequent flyer membership – there’s less to attack. Olds suggests you might store an identity claim on a system that wouldn’t even know enough about you to track you down if it was compromised, so the attackers wouldn’t get much that was useful. With multiple identity providers, if your insurance company isn’t available to provide your date of birth you can turn to another provider for the information. There isn't a single point of failure, although there’s always risk.

Identity wouldn’t be much use if it didn't identify you. “One of the benefits of online identity management is the amount of good things that can flow from a reasonable online reputation. Trust involves persistence of identity so you have to be able to correlate information over time. The issue is how to get these dividing lines right.” And we’re always going to need ways to put things right when there’s a problem; Olds wants system designers to think about what can go wrong well in advance. “It is still going to be messy; even if we get it as right as real life is now - well that doesn't always work, so we need remediation mechanisms. And we need legal systems in place to get the motivation for moving in the right direction.”

Multiple identity providers bring added benefits. You’ll have one place to update your details rather than hundreds and with less data duplication there's less opportunity for anything to go wrong. And the benefits to the businesses you’re dealing with could give them an incentive to push this kind of system. The less identity information you store, the less there is to store securely and in a compliant manner. Like Kim Cameron, Microsoft's identity architect, Olds has a background in directories and metadirectories and he sees identity as a natural progression; “authentication, authorisation and audit – the three As are still there”.

Directories give the user the illusion of a single view of their information but the real value is in cleaning data via policies stating which sources are seen as authoritative. Inside a business you’ll trust the HR system to have your salary right, but the IT system will have your up-to-date email address; you don't need to copy that across if you know where to look for it. For customers, the address your credit card validates with is more useful than what’s in the shipping records from a previous order. A third of the average customer database is out of date within a year, so anything making it easier to stay up to date will save money as well as avoiding mistakes. Roles and authentication make it possible to dictate who owns the trusted information - and who can update it.
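The two ideas above, claims spread across several providers with fallback when one is unavailable, and a directory policy naming which source is authoritative for each attribute and which roles may update it, as a small added example (not code from the article or from the Bandit or Higgins projects; all provider names, roles and values are constructed):

```python
from dataclasses import dataclass, field

class ProviderUnavailable(Exception):
    pass
@dataclass
class Provider:
    name: str
    claims: dict      # only the claims this source is authoritative for
    updaters: set     # roles allowed to change those claims
    online: bool = True

    def get(self, claim):
        if not self.online:
            raise ProviderUnavailable(self.name)
        return self.claims[claim]

# Policy: authoritative sources per claim, in fallback order (constructed).
POLICY = {"salary": ["hr"], "email": ["it", "hr"]}
@dataclass
class Metasystem:
    providers: dict
    audit: list = field(default_factory=list)   # every lookup and update is recorded

    def resolve(self, claim):
        """Ask authoritative providers in policy order; skip any that are offline."""
        for name in POLICY.get(claim, []):
            try:
                value = self.providers[name].get(claim)
            except ProviderUnavailable:
                self.audit.append(("unavailable", name, claim))
                continue
            self.audit.append(("lookup", name, claim))
            return value
        self.audit.append(("unresolved", None, claim))
        return None

    def update(self, claim, value, role):
        """Only a role trusted by the claim's owning provider may change it."""
        owner = self.providers[POLICY[claim][0]]
        if role not in owner.updaters:
            self.audit.append(("denied", owner.name, claim, role))
            return False
        owner.claims[claim] = value
        self.audit.append(("update", owner.name, claim, role))
        return True
def build_demo():
    """Constructed sample: HR owns salary; IT holds the current e-mail address."""
    hr = Provider("hr", {"salary": 52000, "email": "old@corp.example"}, {"hr_admin"})
    it = Provider("it", {"email": "alice@corp.example"}, {"it_admin"})
    return Metasystem({"hr": hr, "it": it})
```

Taking the IT provider offline makes the e-mail lookup fall back to HR's stale copy, and the audit list shows both the outage and any denied update attempts.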

There are no easy answers for dealing with redundancy and availability issues in a distributed identity framework like the identity metasystem; if the server for your identity provider isn’t online you can’t use it to provide your identity for a transaction. Microsoft’s Passport servers aren’t always as robust as you’d want, but banks and credit card processing services manage high availability; it’s going to be one of the factors we consider when we choose which services we want to use to store and provide information for us.

Olds compares the changes happening in identity to a familiar programming method: refactoring. “You take a system that’s seen as monolithic and inflexible and sometimes you get it just right and it just works.” Paul Trevithick of the Higgins identity project says the industry has to plan ahead and think defensively. “As Kim Cameron said recently, we need to design our identity systems like medieval castles with layers and layers of defences. The internet today is like living in straw huts when the Mongolian hordes come through with flaming torches. It wasn’t designed for the bad guys. We’re just now designing some of the first good defences. But this is going to take many years to get right.”

One other thing Dale Olds thinks we might need to work on is the name. “When I talk to my neighbours about these issues, identity is something they don’t care about, but security they do care about. In the industry, security is encryption and passwords and cryptography but a user thinks of security as keeping my information safe - they think of it more as an identity thing. We are not presenting this to people in ways that help them understand why they should care. Identity is already shot through the Internet; if we show people identity is about protecting the things they care about then they see the positive advantages.”
