Mistakes in identity
Breaking up your identity can be good for security
No system works perfectly all the time, but for something as fundamental as being able to prove who you are and get access to what you’re supposed to be able to do, we need to set things up so there’s a fall-back plan.
Breaking your identity up into pieces is good for security as long as we have audit trails and procedures for dealing with the problems. The Bandit project, led by Dale Olds from Novell, will add role-based authentication and auditing to identity systems, drawing on the Novell Directory Services, which Olds also worked on. He doesn't think this is an easy fix; indeed he admits “how difficult, almost unsolvable some of these issues are”.
He wants to get away from a single identity storing everything about you that a particular system wants to know, in favour of looking up the minimum of information securely from identity providers you choose – an identity metasystem. “The premise I would start with is that we need to try to design systems that more closely follow the physical world, to try to prevent the over-aggregation of data and over reliance on any single system.
“There are so many aspects of identity in our daily lives that we have not sufficiently handled in the online world: evolution and replacement of identifiers, anonymous financial transactions (cash), mutual authentication (I authenticate to a service, but I'm not sure it's really the intended service), as well as partitioning and isolation of various system breaches and failures, information leakage and more. By dividing up identity into multiple pieces we can get the business and technological incentive to prevent companies from storing more information than they need. We need to unify identity systems in the sense of being able to communicate between them; we don't want to unify them in the sense of having only one system.”
With multiple identity providers, each of which has a small piece of information about you – your date of birth or your frequent flyer membership – there’s less to attack. Olds suggests you might store an identity claim on a system that wouldn’t even know enough about you to track you down if it was compromised, so the attackers wouldn’t get much that was useful. With multiple identity providers, if your insurance company isn’t available to provide your date of birth you can turn to another provider for the information. There isn't a single point of failure, although there’s always risk.
Identity wouldn’t be much use if it didn't identify you. “One of the benefits of online identity management is the amount of good things that can flow from a reasonable online reputation. Trust involves persistence of identity so you have to be able to correlate information over time. The issue is how to get these dividing lines right.” And we’re always going to need ways to put things right when there’s a problem; Olds wants system designers to think about what can go wrong well in advance. “It is still going to be messy; even if we get it as right as real life is now - well that doesn't always work, so we need remediation mechanisms. And we need legal systems in place to get the motivation for moving in the right direction.”
Multiple identity providers bring added benefits. You’ll have one place to update your details rather than hundreds and with less data duplication there's less opportunity for anything to go wrong. And the benefits to the businesses you’re dealing with could give them an incentive to push this kind of system. The less identity information you store, the less there is to store securely and in a compliant manner. Like Kim Cameron, Microsoft's identity architect, Olds has a background in directories and metadirectories and he sees identity as a natural progression; “authentication, authorisation and audit – the three As are still there”.
Directories give the user the illusion of a single view of their information but the real value is in cleaning data via policies stating which sources are seen as authoritative. Inside a business you’ll trust the HR system to have your salary right, but the IT system will have your up-to-date email address; you don't need to copy that across if you know where to look for it. For customers, the address your credit card validates with is more useful than what’s in the shipping records from a previous order. A third of the average customer database is out of date within a year, so anything making it easier to stay up to date will save money as well as avoiding mistakes. Roles and authentication make it possible to dictate who owns the trusted information - and who can update it.
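The authoritative-source policy, role-controlled updates, audit trail and provider fallback described above, sketched as an added example (not code from Bandit, Higgins or any product named in the article). The class names, provider names, roles and sample values are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Provider:  # hypothetical identity provider holding only a few claims
    name: str
    claims: dict                                  # attribute -> value
    writers: dict = field(default_factory=dict)   # attribute -> roles allowed to update it
    online: bool = True

    def get(self, attr):
        if not self.online:
            raise ConnectionError(self.name)
        return self.claims[attr]

@dataclass
class Metadirectory:
    providers: dict                               # provider name -> Provider
    policy: dict                                  # attribute -> provider names, most authoritative first
    audit: list = field(default_factory=list)     # (who, action, attribute, provider, outcome)

    def resolve(self, who, attr):
        """Return (value, source) from the most authoritative provider that answers."""
        for name in self.policy.get(attr, []):
            try:
                value = self.providers[name].get(attr)
            except (ConnectionError, KeyError):
                self.audit.append((who, "read", attr, name, "unavailable"))
                continue
            self.audit.append((who, "read", attr, name, "ok"))
            return value, name
        raise LookupError(f"no provider could supply {attr!r}")

    def update(self, who, role, attr, value):
        """Write only to the authoritative source, and only for a role it allows."""
        owner = self.providers[self.policy[attr][0]]
        allowed = role in owner.writers.get(attr, ())
        self.audit.append((who, "update", attr, owner.name, "ok" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"role {role!r} may not update {attr!r}")
        owner.claims[attr] = value

def build_demo():
    # Constructed sample data: four providers, the insurer is offline.
    hr = Provider("hr", {"salary": 52000, "email": "old@example.com"}, {"salary": {"hr-admin"}})
    it = Provider("it", {"email": "pat@example.com"}, {"email": {"it-admin"}})
    insurer = Provider("insurer", {"date_of_birth": "1980-02-29"}, online=False)
    airline = Provider("airline", {"date_of_birth": "1980-02-29"})
    policy = {"salary": ["hr"], "email": ["it", "hr"], "date_of_birth": ["insurer", "airline"]}
    return Metadirectory({p.name: p for p in (hr, it, insurer, airline)}, policy)
```

Every read and write, including the failed lookup at the offline provider and any denied update, lands in the audit list, so a later dispute over a value can be traced to the source that supplied it.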
There are no easy answers for dealing with redundancy and availability issues in a distributed identity framework like the identity metasystem; if the server for your identity provider isn’t online you can’t use it to provide your identity for a transaction. Microsoft’s Passport servers aren’t always as robust as you’d want, but banks and credit card processing services manage high availability; it’s going to be one of the factors we consider when we choose which services we want to use to store and provide information for us.
Olds compares the changes happening in identity to a familiar programming method: refactoring. “You take a system that’s seen as monolithic and inflexible and sometimes you get it just right and it just works.” Paul Trevithick of the Higgins identity project says the industry has to plan ahead and think defensively. “As Kim Cameron said recently, we need to design our identity systems like medieval castles with layers and layers of defences. The internet today is like living in straw huts when the Mongolian hordes come through with flaming torches. It wasn’t designed for the bad guys. We’re just now designing some of the first good defences. But this is going to take many years to get right.”
One other thing Dale Olds thinks we might need to work on is the name. “When I talk to my neighbours about these issues, identity is something they don’t care about - but security they do care about. In the industry, security is encryption and passwords and cryptography but a user thinks of security as keeping my information safe - they think of it more as an identity thing. We are not presenting this to people in ways that help them understand why they should care. Identity is already shot through the Internet; if we show people identity is about protecting the things they care about then they see the positive advantages.”