Mistakes in identity

Breaking up your identity can be good for security

No system works perfectly all the time, but for something as fundamental as being able to prove who you are and get access to what you’re supposed to be able to do, we need to set things up so there’s a fall-back plan.

Breaking your identity up into pieces is good for security as long as we have audit trails and procedures for dealing with the problems. The Bandit project, led by Dale Olds from Novell, will add role-based authentication and auditing to identity systems, drawing on the Novell Directory Services, which Olds also worked on. He doesn't think this is an easy fix; indeed he admits “how difficult, almost unsolvable some of these issues are”.

He wants to get away from a single identity storing everything about you that a particular system wants to know, in favour of looking up the minimum of information securely from identity providers you choose – an identity metasystem. “The premise I would start with is that we need to try to design systems that more closely follow the physical world, to try to prevent the over-aggregation of data and over-reliance on any single system.

There are so many aspects of identity in our daily lives that we have not sufficiently handled in the online world: evolution and replacement of identifiers, anonymous financial transactions (cash), mutual authentication (I authenticate to a service, but I'm not sure it's really the intended service), as well as partitioning and isolation of various system breaches and failures, information leakage and more. By dividing up identity into multiple pieces we can get the business and technological incentive to prevent companies from storing more information than they need. We need to unify identity systems in the sense of being able to communicate between them; we don't want to unify them in the sense of having only one system.”

With multiple identity providers, each of which has a small piece of information about you – your date of birth or your frequent flyer membership – there’s less to attack. Olds suggests you might store an identity claim on a system that wouldn’t even know enough about you to track you down if it was compromised, so the attackers wouldn’t get much that was useful. With multiple identity providers, if your insurance company isn’t available to provide your date of birth you can turn to another provider for the information. There isn't a single point of failure, although there’s always risk.

Identity wouldn’t be much use if it didn't identify you. “One of the benefits of online identity management is the amount of good things that can flow from a reasonable online reputation. Trust involves persistence of identity so you have to be able to correlate information over time. The issue is how to get these dividing lines right.” And we’re always going to need ways to put things right when there’s a problem; Olds wants system designers to think about what can go wrong well in advance. “It is still going to be messy; even if we get it as right as real life is now - well that doesn't always work, so we need remediation mechanisms. And we need legal systems in place to get the motivation for moving in the right direction.”

Multiple identity providers bring added benefits. You’ll have one place to update your details rather than hundreds and with less data duplication there's less opportunity for anything to go wrong. And the benefits to the businesses you’re dealing with could give them an incentive to push this kind of system. The less identity information you store, the less there is to store securely and in a compliant manner. Like Kim Cameron, Microsoft's identity architect, Olds has a background in directories and metadirectories and he sees identity as a natural progression; “authentication, authorisation and audit – the three As are still there”.

Directories give the user the illusion of a single view of their information but the real value is in cleaning data via policies stating which sources are seen as authoritative. Inside a business you’ll trust the HR system to have your salary right, but the IT system will have your up-to-date email address; you don't need to copy that across if you know where to look for it. For customers, the address your credit card validates with is more useful than what’s in the shipping records from a previous order. A third of the average customer database is out of date within a year, so anything making it easier to stay up to date will save money as well as avoiding mistakes. Roles and authentication make it possible to dictate who owns the trusted information - and who can update it.

There are no easy answers for dealing with redundancy and availability issues in a distributed identity framework like the identity metasystem; if the server for your identity provider isn’t online you can’t use it to provide your identity for a transaction. Microsoft’s Passport servers aren’t always as robust as you’d want, but banks and credit card processing services manage high availability; it’s going to be one of the factors we consider when we choose which services we want to use to store and provide information for us.
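Taken together, the partitioned claims described above, the authoritative-source policy that directories apply per attribute, and the fallback needed when a provider is offline look like this as an added Python example (not code from the article or from the Bandit project; every provider name, identifier and data value is constructed for illustration):

```python
# Added example (not the article's or Bandit's code): a toy identity
# metasystem with per-attribute authoritative providers, fallback when a
# provider is unavailable, minimum disclosure, and an audit trail.
from dataclasses import dataclass

class ProviderUnavailable(Exception):
    """The identity provider's server cannot be reached."""

@dataclass
class IdentityProvider:
    name: str
    records: dict       # opaque subject id -> {attribute: value}
    online: bool = True

    def get_claim(self, subject_id, attribute):
        if not self.online:
            raise ProviderUnavailable(self.name)
        return self.records[subject_id][attribute]  # only this provider's piece

# Per attribute, providers in order of authority (HR owns salary, IT owns
# email); later entries are fallbacks tried only if an earlier one is down.
POLICY = {"date_of_birth": ["insurer", "airline"], "email": ["it_directory", "hr"]}

# Each provider knows the user by a different opaque id, so a breach of one
# yields a single attribute that cannot be correlated with the others.
SUBJECT_IDS = {"insurer": "ins-7f3a", "airline": "ff-220918",
               "it_directory": "uid-9c1", "hr": "emp-0042"}

PROVIDERS = {  # constructed sample data
    "insurer": IdentityProvider("insurer", {"ins-7f3a": {"date_of_birth": "1980-05-17"}}),
    "airline": IdentityProvider("airline", {"ff-220918": {"date_of_birth": "1980-05-17"}}),
    "it_directory": IdentityProvider("it_directory", {"uid-9c1": {"email": "alice@example.com"}}),
    "hr": IdentityProvider("hr", {"emp-0042": {"email": "old@example.com", "salary": 52000}}),
}

def resolve_claims(requested, providers=PROVIDERS, policy=POLICY, ids=SUBJECT_IDS):
    """Return (claims, audit): only the requested attributes, and a record of
    every provider consulted and whether it answered."""
    claims, audit = {}, []
    for attribute in requested:
        for provider_name in policy[attribute]:
            try:
                claims[attribute] = providers[provider_name].get_claim(ids[provider_name], attribute)
                audit.append((attribute, provider_name, "ok"))
                break
            except ProviderUnavailable:
                audit.append((attribute, provider_name, "unavailable"))
        else:  # every provider for this attribute was down
            audit.append((attribute, None, "unresolved"))
    return claims, audit
```

The relying party never sees the HR salary record because it did not ask for it, and the audit trail records the failed lookup at the insurer as well as the successful fallback to the airline.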

Olds compares the changes happening in identity to a familiar programming method: refactoring. “You take a system that’s seen as monolithic and inflexible and sometimes you get it just right and it just works.” Paul Trevithick of the Higgins identity project says the industry has to plan ahead and think defensively. “As Kim Cameron said recently, we need to design our identity systems like medieval castles with layers and layers of defences. The internet today is like living in straw huts when the Mongolian hordes come through with flaming torches. It wasn’t designed for the bad guys. We’re just now designing some of the first good defences. But this is going to take many years to get right.”

One other thing Dale Olds thinks we might need to work on is the name. “When I talk to my neighbours about these issues, identity is something they don’t care about - but security they do care about. In the industry, security is encryption and passwords and cryptography but a user thinks of security as keeping my information safe - they think of it more as an identity thing. We are not presenting this to people in ways that help them understand why they should care. Identity is already shot through the Internet; if we show people identity is about protecting the things they care about then they see the positive advantages.”
