Here are more highlights from the keynotes (I’ve paraphrased a bit).
Howard Schmidt (Information Security Forum, R&H Security Consulting) - eID
There are reports that revenues from identity theft exceed the world drug trade!
The lowest barrier to ID theft is static user IDs and passwords.
It’s not necessary to have a single authoritative source of electronic ID – you can have one for each thing you’re looking to do.
The reality is that people already have many electronic ID cards with competing standards and purposes – there doesn’t have to be just one. We need different form factors, federation, transportability, one time passwords on mobiles, etc.
Threats to privacy – the weakest link is that somewhere there is a database and an administrator, people working in data centers; corporate loyalty is not what it should be especially in this climate, and worries about insiders are greater than ever before.
It’s a myth that privacy and security are at odds with each other. Without security you have no privacy. There need to be policies on who owns data, how long it’s kept for etc. eID can help with privacy protection. (Delegation of credentials needs to be dealt with.)
He mentioned PKI and cryptographic solutions to limit disclosure to those correctly authorised; biometrics (now much more reliable and faster); smart cards (chip and PIN). Cryptographic data masking shows real promise. Tamper-proof controls are being developed, e.g. for cards.
Impediments to eID adoption – the biggest issue is trusting someone’s credentials enough to do a transaction with them. It’s cultural. In many societies the concept of ID cards smacks of Big Brother etc.
There’s also a cost/benefit point – it costs more if hacked! He gave an example where he’d warned of security issues, was told they had no budget to address them, then the system was hacked and it cost far more to deal with the aftermath.
Aggregation & mapping with other data – you can keep different IDs on a card for different purposes and select which one you want to use; different levels of ID based on need.
Conspiracy theories – he believes it’s individual impropriety rather than institutional issues.
EU – see the ENISA report on electronic ID cards in the EU: 10 member states have them, 13 plan to.
US – the most forged document is the driver’s licence.
Future issues -
- is a virtual ID possible, following you around but without leaving a trail?
- chipped humans
- backlash against Big Brother.
No perfect solution for cyberthreats but more can be done. eID can help security but is also an attractive target for those looking to compromise ID – potentially a single point of failure. Most people already have several eIDs.
The debate on balancing national eID cards against privacy rights has not concluded and needs to be less emotional.
Tim Brown (CA, Inc) – Identity in a Cloud
He agreed claims based authentication and eID are the way forward.
How to implement applications that accept claims, and how to use the cloud as a route to ID services? There have been some successes in federation, collaboration, authentication and customised ID services. But companies may need to step up and accept liability if they confirm someone’s ID and get it wrong.
Many services don’t scale, adoption is not widespread, value to provider / customer limited. Collaboration is important.
He gave the example of a small Boston hospital using one Active Directory with 5k employees and 50k accounts, because the simplest way to federate was to create new users.
Many businesses build up their directory to allow partners access to their system but the problem is that involves risk, administration, understanding who has access to what, and should they still have it; recertification is almost impossible.
The focus is on ROI – not enough ROI to change system. But insufficient IT resources to manage 50k accounts properly.
It’s not just small businesses growing too large. Large companies face similar issues, e.g. Canon (partners – from 50k to 150k; consumers – over 1 million; same number of IT staff).
Can the cloud be used to create a hybrid approach? Delegate administration to partners -> manage 1k partners rather than 50k accounts; regular audits; send recertification messages regularly to partners to handle, etc.; automate workflow and approval processes, reduce the admin burden. Only touch 1 or 2 Active Directory instances, not the whole infrastructure.
This is repeatable for different companies / industries.
Components: ID management system + authentication & authorisation services + probably federation services too. Security policies to set out how to get access to an app (workflow, authorisation etc).
Some organisations create a role for every operation for every group company, and managing roles becomes very important. In the cloud, this can be simplified to true business roles (cf. which group someone is a member of).
To move towards a claims based system, a phased approach will be necessary.
Mary Ellen Callahan (US Department of Homeland Security) – Identity & Privacy: Policy, Governance, Barriers & Compliance
This was the most she’d heard about privacy in a tech conference! She agreed that with privacy and security you can’t have one without the other.
She discussed identity management for government – giving only necessary information etc.
Privacy is at the table when these conversations on identity take place.
In the US privacy is more about fair information practices than the Brandeis “right to be left alone”. See the slides listing APEC Privacy Framework, OECD, DHS Fair Information Practice Principles etc – common principles on collection limitation, data quality, purpose, use limitation, security safeguards for safe ID management.
In the Department for Homeland Security, for transparency there have to be (and are published on their website):
- System of Records Notice – disclosing every database they have
- PIA narrative.
The gatekeeping element – they can’t get money without providing an SRN and a PIA!
She discussed the US-VISIT collection of biometric info on incoming non-US citizens (110 million biometric records, one of the largest biometric databases in the world), stored in the IDENT database, to which fair information principles are applied with the primary objective of protecting the privacy of visitors – e.g. redress for errors such as mistaken identity via DHS Traveler Redress Inquiry Program (DHS TRIP).
Transparency engenders trust. (As well as being Chief Privacy Officer at the DHS, she’s also the Freedom of Information Officer.)
Other blog posts about the event
I’ll write up the other presentations I went to if and when I have time.
Some blog posts I’ve come across reporting on this conference:
- The Future of Identity in the Cloud - Marco Casassa Mont on his presentation at the conference (he has also, I notice, just published an interesting co-authored paper Towards an Analytic Approach to Evaluate Enterprises' Risk Exposure to Social Networks)
- Identity Metasystems Roundtable - roundup by Drummond Reed, posted on the Information Cards Foundation’s site.
- Christopher Brown’s summary – including sessions he attended which I couldn’t.
©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.