Friday, June 11, 2010

Which currency will you trade with in the Cloud? (Full Version)

Source: http://securitymole.wordpress.com/2010/07/13/cloud-computing-which-currency-will-you-trade-with-in-the-cloud/

When you want to gain access to a system and a security credential is required, do you rummage through a spreadsheet of passwords, or fumble for one of several keys like a traditional jailer? For manufacturers, there are many choices about how security is implemented during design. For example, will the security credential be held on tangible media, such as an identity smartcard? Or will it be purely electronic, as most banks use for online banking today?

Although there have been many articles written about the volume of passwords in use and the security mechanisms the average person now relies on, how do you know whether such safeguards are trustworthy, let alone whether this information is kept private but readily available? (For manufacturers looking to increase ROI: some organizations expend over 50% of their technical support resources in password management for users!)

Most vendors of technology today do not offer a choice of security mechanisms. This is because, among other things, there is still a lack of real support for the adoption of standards. This is beginning to change and we’ll discuss more about this in future editions.

For now, imagine that you can have your own individually-chosen identity credential, one that you trust, possibly pay for, and can keep a record of its use to access multiple sites and services.

Imagine using this security credential for email, banking, and physical security devices. Would life be simpler? Although most online vendors today issue users their own identities, often a simple password attached to an email address, we all know the limited security that such rudimentary tools offer, and why this proposition has little appeal if it is known to be insecure.

Think of an identity like a currency. Unless the currency has ongoing strength and its value is effectively defended against counterfeiting and other problems, it will at some point become useless. That’s the problem many banks have today: their currencies (card numbers and passwords) become useless quickly because they cannot defend their value and identities are easily assumed by others. Additionally, the overheads associated with the cost of “currency” management and replacement are indirectly passed on to the cardholder.

Some may argue that currencies fluctuate, as do privileges on well-managed systems, but the core idea here is around sustained value and a recognizable standard that many can adopt.

If online identities are like currencies today, then almost every cloud provider is a nation and can create its own currency when it issues usernames and passwords. So how can we trade these thousands of currencies and still be assured that each other’s currencies are not counterfeit, or worthless?

Once you grasp the concept, there are several possibilities. One contender is a unified group of currencies (like the Euro) that can be regulated and defended. Another is the notion of validating currencies and other financial instruments that may be traded, while discarding those that cannot be validated.

Whether you favor the free market, regulation, or a combination of both, all of these approaches work. The debate presently unfolding in the financial sector, around a mix of sound regulation and a free market, pays homage to these ideas.

In the US, the Federal Government, the world's largest user of a unique and secure identity currency (known as the FIPS card), is assembling a strategy around where and how its identity currency can be traded to enable commerce in the cloud.

The Federal Government’s position, found at www.idmanagement.gov, is this: “…the goal is a consolidated approach for all government-wide identity, credential and access management activities to ensure alignment, clarity, and interoperability.”

It is a clear message that demonstrates strong leadership: “Here is our currency, it’s secure, we will defend it, and we are looking for trading partners”. Who wants to ignore an opportunity like that?

This approach demonstrates that the Federal Government is seeking input from those who recognize the value of an enterprise identity management system.

See cloud vendor Brivo Systems’ White Paper "SaaS and the Efficient Realization of FICAM Goals" here (abbreviated URL). Brivo’s physical security framework can be implemented to allow use of the Federal Smartcard, and can also check its validity against an online cache to ensure that the card has not been revoked.

Contenders supporting the approach of authenticating against an external source include, but are not limited to, OpenID and OASIS with its Security Assertion Markup Language (SAML).

OpenID participant companies include AOL, BBC, Facebook, Google, IBM, Microsoft, MySpace, Orange, PayPal, VeriSign, LiveJournal, Yandex, Ustream and Yahoo!

The SAML idea has been around since 2001, so it is not new, and the single most important issue that SAML is trying to solve is the Web Browser Single Sign-On (SSO) problem. The focus is on overcoming the proliferation of non-interoperable proprietary technologies, and it assumes that the user has enrolled with at least one identity provider.
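The "trading partner" model described above, in which a cloud service accepts an assertion only from an identity provider it has chosen to trust, and the revocation check mentioned for the Federal smartcard, come down to a handful of checks on the relying-party side. The following is an added example written for this page, not code from the post, from OASIS, or from any vendor named here. It models a federated SSO assertion as a signed JSON claim set with an HMAC shared secret standing in for the XML-DSig certificate real SAML uses; the issuer URLs, audience, secrets, credential ids and revocation list are all constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust store for the relying party (the cloud service): the
# identity providers whose "currency" it accepts, keyed by issuer URL, with a
# shared secret standing in for the IdP's signing key.  Real SAML uses
# XML-DSig with the IdP's public certificate; the HMAC here is a stand-in so
# the example runs without an XML library.
TRUSTED_ISSUERS = {
    "https://idp.example.gov": b"constructed-idp-secret",
}
AUDIENCE = "https://cloud-app.example.com"   # this relying party's own id (constructed)
REVOKED_CREDENTIALS = {"card-0002"}           # constructed revocation cache


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer, secret, subject, credential_id, audience,
                    issued_at, lifetime=300):
    """Identity-provider side: sign a short-lived assertion about one user.

    The assertion names its issuer, the subject, the credential the user
    authenticated with, the single relying party it is meant for, and a
    validity window.  Returns '<base64 claims>.<base64 signature>'.
    """
    claims = {
        "issuer": issuer,
        "subject": subject,
        "credential_id": credential_id,
        "audience": audience,
        "not_before": issued_at,
        "not_on_or_after": issued_at + lifetime,
    }
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(secret, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def validate_assertion(token, trusted_issuers, audience, revoked, now):
    """Relying-party side: returns (accepted, reason, claims or None).

    Checks, in order: the token parses; the issuer is one we trust (an
    unknown "currency" is rejected before any cryptography runs); the
    signature verifies under that issuer's key; the assertion was minted
    for us and not some other service; it is inside its validity window;
    and the underlying credential has not been revoked.
    """
    try:
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        signature = _unb64(sig_b64)
        claims = json.loads(body)
    except (ValueError, TypeError):
        return False, "malformed assertion", None
    if not isinstance(claims, dict):
        return False, "malformed assertion", None

    secret = trusted_issuers.get(claims.get("issuer"))
    if secret is None:
        return False, "untrusted issuer", None

    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature", None

    if claims.get("audience") != audience:
        return False, "wrong audience", None

    nb, na = claims.get("not_before"), claims.get("not_on_or_after")
    if not isinstance(nb, (int, float)) or not isinstance(na, (int, float)):
        return False, "malformed assertion", None
    if not (nb <= now < na):
        return False, "outside validity window", None

    if claims.get("credential_id") in revoked:
        return False, "credential revoked", None

    return True, "accepted", claims


if __name__ == "__main__":
    # Constructed walk-through: a trusted IdP vouches for "alice" at t=1000.
    token = issue_assertion("https://idp.example.gov", b"constructed-idp-secret",
                            "alice", "card-0001", AUDIENCE, issued_at=1000)
    for when in (1010, 2000):
        print(when, validate_assertion(token, TRUSTED_ISSUERS, AUDIENCE,
                                       REVOKED_CREDENTIALS, now=when)[:2])
```

The order of checks is the point: the relying party decides which issuers it trades with before it verifies anything, so a well-formed assertion from an issuer outside the trust store is refused without ever consulting its signature, and the audience check stops an assertion issued for one service from being replayed at another. The revocation cache sits last, so a validly signed, unexpired assertion is still refused once the credential behind it has been withdrawn.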

What will identity, credentialing and access management look like in the future? Is the overall cost of issuing a credential that is less than optimal and proprietary really sustainable? Can growth and efficiency of online commerce be maintained without impeding growth?

The identity train is coming; if you don't feel the tracks shaking yet, you soon will.

Published in the International Security Buyers Guide June 2010