Mistakes in identity

Breaking up your identity can be good for security


No system works perfectly all the time, but for something as fundamental as being able to prove who you are and get access to what you’re supposed to be able to do, we need to set things up so there’s a fall-back plan.

Breaking your identity up into pieces is good for security as long as we have audit trails and procedures for dealing with the problems. The Bandit project, led by Dale Olds from Novell, will add role-based authentication and auditing to identity systems, drawing on the Novell Directory Services, which Olds also worked on. He doesn't think this is an easy fix; indeed he admits “how difficult, almost unsolvable some of these issues are”.

He wants to get away from a single identity storing everything about you that a particular system wants to know, in favour of looking up the minimum of information securely from identity providers you choose – an identity metasystem. “The premise I would start with is that we need to try to design systems that more closely follow the physical world, to try to prevent the over-aggregation of data and over-reliance on any single system.

“There are so many aspects of identity in our daily lives that we have not sufficiently handled in the online world: evolution and replacement of identifiers, anonymous financial transactions (cash), mutual authentication (I authenticate to a service, but I'm not sure it's really the intended service), as well as partitioning and isolation of various system breaches and failures, information leakage and more. By dividing up identity into multiple pieces we can get the business and technological incentive to prevent companies from storing more information than they need. We need to unify identity systems in the sense of being able to communicate between them; we don't want to unify them in the sense of having only one system.”

With multiple identity providers, each of which has a small piece of information about you – your date of birth or your frequent flyer membership – there’s less to attack. Olds suggests you might store an identity claim on a system that wouldn’t even know enough about you to track you down if it were compromised, so the attackers wouldn’t get much that was useful. With multiple identity providers, if your insurance company isn’t available to provide your date of birth you can turn to another provider for the information. There isn't a single point of failure, although there’s always risk.

Identity wouldn’t be much use if it didn't identify you. “One of the benefits of online identity management is the amount of good things that can flow from a reasonable online reputation. Trust involves persistence of identity so you have to be able to correlate information over time. The issue is how to get these dividing lines right.” And we’re always going to need ways to put things right when there’s a problem; Olds wants system designers to think about what can go wrong well in advance. “It is still going to be messy; even if we get it as right as real life is now - well that doesn't always work, so we need remediation mechanisms. And we need legal systems in place to get the motivation for moving in the right direction.”

Multiple identity providers bring added benefits. You’ll have one place to update your details rather than hundreds, and with less data duplication there's less opportunity for anything to go wrong. And the benefits to the businesses you’re dealing with could give them an incentive to push this kind of system. The less identity information you store, the less there is to store securely and in a compliant manner. Like Kim Cameron, Microsoft's identity architect, Olds has a background in directories and metadirectories and he sees identity as a natural progression; “authentication, authorisation and audit – the three As are still there”.

Directories give the user the illusion of a single view of their information but the real value is in cleaning data via policies stating which sources are seen as authoritative. Inside a business you’ll trust the HR system to have your salary right, but the IT system will have your up-to-date email address; you don't need to copy that across if you know where to look for it. For customers, the address your credit card validates with is more useful than what’s in the shipping records from a previous order. A third of the average customer database is out of date within a year, so anything making it easier to stay up to date will save money as well as avoiding mistakes. Roles and authentication make it possible to dictate who owns the trusted information - and who can update it.

There are no easy answers for dealing with redundancy and availability issues in a distributed identity framework like the identity metasystem; if the server for your identity provider isn’t online you can’t use it to provide your identity for a transaction. Microsoft’s Passport servers aren’t always as robust as you’d want, but banks and credit card processing services manage high availability; it’s going to be one of the factors we consider when we choose which services we want to use to store and provide information for us.
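As an added illustration (not code from the article, nor from the Bandit or Higgins projects), a small Python model of the claim lookup described in the last few paragraphs: each provider stores only the claims it is authoritative for, the relying party's policy names which providers are trusted for each claim in preference order, a lookup falls back to the next trusted provider when one is offline, and every attempt is written to an audit trail. The provider names, claim values and policy are constructed sample data.

```python
from dataclasses import dataclass, field


class ProviderUnavailable(Exception):
    """Raised when a provider's server cannot be reached."""


@dataclass
class IdentityProvider:
    # Each provider holds only the claims it is authoritative for, so a
    # breach of one provider exposes a small, partitioned slice of data.
    name: str
    claims: dict                 # {subject_id: {claim_name: value}}
    online: bool = True

    def get_claim(self, subject: str, claim: str):
        if not self.online:
            raise ProviderUnavailable(self.name)
        return self.claims[subject][claim]   # KeyError if not authoritative


@dataclass
class ClaimResolver:
    # policy: claim name -> providers trusted for that claim, in preference order
    policy: dict
    audit: list = field(default_factory=list)

    def resolve(self, subject: str, claim: str):
        """Fetch one claim, falling back to the next trusted provider if the
        preferred one is offline; every attempt is recorded in the audit trail."""
        for provider in self.policy.get(claim, []):
            try:
                value = provider.get_claim(subject, claim)
            except ProviderUnavailable:
                self.audit.append((subject, claim, provider.name, "unavailable"))
                continue
            self.audit.append((subject, claim, provider.name, "ok"))
            return value
        self.audit.append((subject, claim, None, "no provider"))
        raise LookupError(f"no trusted provider available for {claim}")


# Constructed sample data: three providers, each knowing little about "alice".
# The insurer is offline, so date-of-birth lookups must fall back to HR.
insurer = IdentityProvider("insurer", {"alice": {"date_of_birth": "1980-01-02"}}, online=False)
hr = IdentityProvider("hr", {"alice": {"date_of_birth": "1980-01-02", "salary": 50000}})
airline = IdentityProvider("airline", {"alice": {"frequent_flyer": "FF-12345"}})


def build_resolver() -> ClaimResolver:
    # Relying-party policy: salary is deliberately absent, so it cannot be
    # pulled from HR even though HR stores it.
    return ClaimResolver({"date_of_birth": [insurer, hr], "frequent_flyer": [airline]})
```

Running `build_resolver().resolve("alice", "date_of_birth")` returns the value from HR after the insurer's unavailability is logged, while a request for "salary" fails because no provider is trusted for it.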

Olds compares the changes happening in identity to a familiar programming method: refactoring. “You take a system that’s seen as monolithic and inflexible and sometimes you get it just right and it just works.” Paul Trevithick of the Higgins identity project says the industry has to plan ahead and think defensively. “As Kim Cameron said recently, we need to design our identity systems like medieval castles with layers and layers of defences. The internet today is like living in straw huts when the Mongolian hordes come through with flaming torches. It wasn’t designed for the bad guys. We’re just now designing some of the first good defences. But this is going to take many years to get right.”

One other thing Dale Olds thinks we might need to work on is the name. “When I talk to my neighbours about these issues, identity is something they don’t care about - but security they do care about. In the industry, security is encryption and passwords and cryptography but a user thinks of security as keeping my information safe - they think of it more as an identity thing. We are not presenting this to people in ways that help them understand why they should care. Identity is already shot through the Internet; if we show people identity is about protecting the things they care about then they see the positive advantages.”
