Archive for the 'General Security' Category

A Conference Vijay Would Love

Saturday, February 10th, 2007

It is always interesting to see the entire security vendor community come together and parade their wares at RSA each year. If I put myself in the role of a potential customer, this week saw a dizzying array of vendors, many of whom were chasing the same industry buzzwords. The buzzwords of this conference, just based on my own observations, were:

  • NAC - NAC continues to be a term lacking a comprehensive and agreed-upon definition. As a result, many vendors were claiming NAC support–often with a specific spin based on the capabilities of their company.
  • Data Leakage - Companies attempting to protect data from being inadvertently disclosed were on the rise. It seems nearly impossible to prevent a dedicated adversary from disclosing data she has access to, but simple tagging mechanisms to prevent the accidental “reply-to-all” may be useful.
  • Compliance - The Infosec equivalent of a trump card when it comes to purchasing decisions, it seemed almost every vendor touted help with regulatory compliance as a feature of their products.
  • Policy - Another overused word; without any qualifiers, many companies touted policy features.

I suppose this list of buzzwords means a single new startup, focused on all four areas, could probably get a nice batch of seed money from an unsuspecting venture capitalist. I can imagine the pitch now… “Our intuitive UI lets you craft complex policies to define data leakage protections correlated with the NAC status of an endpoint, all with rich ties to compliance reporting for export to an auditor.” I’m sure Vijay, the world’s most desperate venture capitalist, would jump on board.

RSA Conference Next Week

Friday, February 2nd, 2007

Just a quick note to remind folks that next week is the RSA Conference in San Francisco. I’ll be up in the city much of the week and would love to chat with anyone who reads this blog. My company is in booth 430 and I’ll be around there much of the time. If you’d like to chat, drop me a line or swing by the booth.

On another note, sorry about the lack of posts of late. I was working against a publishing deadline which I’ve now met. I’m sure RSA will provide plenty of fodder for future posts. Last year’s RSA was all about NAC, this year it will be interesting to see what the buzz-leader is.

IPv6 Security Update

Monday, January 8th, 2007

Happy New Year everyone! I hope that folks had a great holiday. I thought I’d start off 2007 with a bit of an off-topic post.

Back in 2004 Darrin Miller and I did some work looking into IPv6 security. The major result was a paper describing the various security considerations in IPv6, setting aside IPsec. At the time, the majority of the research we saw was looking at IPsec as the principal means of securing IPv6. Since IPsec support is a “standard” feature of IPv6, this was a reasonable assumption. As it turns out, for various reasons outlined in the paper, this wasn’t such a good idea. The paper was well received and even found its way into some US-CERT recommendations, and was largely reused as chapter nine of Deploying IPv6 Networks.

Fast-forward almost three years from then and some things have changed and many others haven’t. The IETF v6ops working group is still churning out new docs on the subject, which is great. However, just like in 2004, the market seems to be ignoring IPv6. Not even a federal mandate to deploy v6 in the government by 2008 is enough to get things going. GCN recently reported as much, highlighting agency concern that security vendors aren’t migrating their products to IPv6 quickly enough.

I’ve not done a lot of poking around in IPv6 security lately. In preparing for this blog post I went through and updated my IPv6 security links page to tag any additional dead links and add a few new ones. The fact that this links page–largely untouched since 2004–returns in the top five results of a Google search for “IPv6 security” says more about the attention paid to the subject than a lengthy blog post ever could have. The top result is a presentation (from a former colleague at Cisco) that Darrin and I expanded on in our work. Eric did a great job with that presentation but given the government’s focus on IPv6, I would have guessed research from 2003 would not be so well ranked.

Pogue’s Poor Position on Privacy

Thursday, October 12th, 2006

New York Times journalist David Pogue recently posted about a cool service which is giving away free international phone calls. He then got a fair amount of comments from folks worried that this service might be giving away the calls for a more nefarious purpose such as data mining. I love Pogue’s posts and articles in The Times but I think his response to these comments was a bit short-sighted. He gets some things right when he talks about the privacy we’ve already sacrificed in our daily lives, but he gets it wrong when he describes the value of, for example, listening in on phone calls:

All of the much smaller potential abuses make a whopping assumption: that somebody actually *cares a whit* about you and your mundane daily communications. Yes, of course someone at the phone company could look over your phone records and figure out whom you call. But who would ever be so bored, and–forgive me–what could ever be so boring?

True enough for mundane communications. However, what’s a mundane checking of your bank balance to you is instant identity theft for an adversary. If network security taught us anything it is that an attack which is trivial to manually execute is usually trivial to automate. Imagine someone selectively tapping calls only to a bank’s customer service phone number? How many account numbers, mother’s maiden names, birth dates, and–at least portions of–social security numbers could be harvested? If you went without any voice analysis at all and just listened for the touch-tones you’d already have a wealth of information. Think dsniff for telcos.

Pogue is right, however, with respect to this specific service. There is nothing new to worry about. We’ve had plenty to worry about all along. Whether that worry is “neurotic” as Pogue describes, I’ll leave to my readers. I’d use voice encryption if it were an option, but until it is I’m not changing the way I live my life.

Security through Obscurity in Voting

Monday, October 2nd, 2006

Bruce Schneier’s security blog alerted me to this seemingly funny, but ultimately tragic quote from an election official on their voting system:

The software developed for InkaVote is proprietary software. All the software developed by vendors is proprietary. I think it’s odd that some people don’t want it to be proprietary. If you give people the open source code, they would have the directions on how to hack into it. We think the proprietary nature of the software is good for security.

I think the lesson for those of us who work in security is this: just because a security principle is well documented, debated, and understood, does not mean that it is common knowledge. Now please excuse me while I go cry myself to sleep.

DIDW: One Identity at XL - A Success Story

Wednesday, September 13th, 2006

Thomas Dunbar - CSO XL Global Services

Publicly traded as XL

Parent of a group of Insurance, Reinsurance & Financial Products

$58B in assets

www.xlcapital.com

Founded in 1986 as an offshore insurance company with 50 employees when it started, but there have been a ton of mergers and acquisitions, each of which has separate naming schemes.

Had 17 IT organizations, wanted consolidation, then shared services, then one IT.

Needed to support the business:

  • Organic growth
  • Business unit managers need to support new services

Identity issues

  • No governance model
  • No standards
  • No technical or application architectures
  • 250 Domino applications
  • many Exchange organizations
  • 6 Notes domains
  • no common naming standard
  • over 40 email domains
  • dozens of customer applications requiring authentication

Data - Multiple repositories of user ID

User Experience - Had to logon to 10-12 applications per day

Org Culture - Global user base increases complexity

Applications - Big gaps in security and compliance. 3000 applications, now down to 600 with goals to reduce further.

XL Key business objectives and requirements

  • One company without borders
  • Increased security - password standards, deprovisioning people
  • SARBOX - rights and privileges
  • Increase user satisfaction and productivity - reduce logons, improve IT perception
  • Cost measurement / management - Better admin and infrastructure
  • Infrastructure Responsive to New business requirements - building block technology with no throwaway work.

Selling IdM at XL

Security, Productivity, User Experience were how we sold it. Sold as a phased approach with investment occurring over time.

Phase 1: Build an identity management foundation

  • create a common identity
  • establish its authoritative source
  • develop a common directory
  • identify your authorizations

Phase 2: Build a directory exchange broker (meta directory)

Phase 3: Enable web and windows apps with simplified sign-on

Phase 4: Develop enterprise directory services solution

Single identity store for all XL employees and non-employees and brokers and partners etc.

Phase 5: Develop enterprise simplified Sign-on (round two after phase 3)

Phase 6: RBAC and Federated IdM

  • Advice, don’t start here, build credibility and momentum first
  • Roles are complex, not starting there

Roadmap Development Approach

  • Risk Avoidance - smaller projects, use proven products
  • Rapid Value Realization - immediate value and results
  • Pragmatism - use existing skills and technology base
  • Cost Containment -

In 2004, initial account provisioning was created. PeopleSoft is our authoritative source. Feeds into AD, Exchange, ClearTrust, Lotus Notes.

Using ClearTrust, linked this into Plumtree, Domino and other web apps.

XL Initial success

  • 134 apps SSO overnight
  • 86.4 user satisfaction
  • Help desk calls reduced 20%
  • New account provisioning within 5 days before new hire start date
  • Accounts easily deprovisioned
  • One common lifelong identity
  • Established framework easily leveraged

In 2005, brought in more apps, more ClearTrust deployment, etc. This continued through 2006. Other businesses like HR started leveraging the identity infrastructure to provide more applications.

Bringing in Oracle CoreID in 2006: better simplified sign-on, extranet portal / ClearTrust integration.

2007 plans - Develop approval workflow for user access, delegated admin for power users to manage other users’ rights, improve rights management and provisioning

Post-IdM architecture:

  • Authentication - AD (consultants and employees), RSA SecurID for remote access, RSA Single Sign-On Manager
  • Authorization - AD, EDS and AD/AM, RSA ClearTrust, custom applications
  • Administration - MIIS, Oracle Virtual Directory Engine, Oracle CoreID
  • Auditing - MIIS, ClearTrust, AD form repository

Missing pieces - User lifecycle management (2007), Federation system (2008), Role-based access control (2008) (doing some policies with GPO in AD/AM but looking to do more)

Formula for success - Plan ahead, don’t go it alone, detail the benefits, build momentum, communicate

  • Develop a strategy
  • Sell but don’t oversell
  • Demonstrate business value
  • Highlight security and compliance gaps
  • Seek industry experts
  • Form partnerships
  • Goal: SSO
  • Sell the ability to lower operation costs and improve user experience, focus on phased approach
  • Sell better security through better managed passwords
  • Don’t start too big (enterprise provisioning) or complex (RBAC)
  • Build credibility and gain momentum through low risk / high value tactical components
  • Use a building block mentality
  • demonstrate how each piece fits into the company’s long term strategy
  • Continuously sell, sell, sell
  • Demonstrate success

DIDW: Using Virtual Directories for Compliance

Tuesday, September 12th, 2006

Jeff Anderson - Fifth Third Bank

Came into session a bit late…

Challenges:

  • Regulatory issues, Sarbox, etc.
  • Financial services specific issues, Patriot Act, financial modernization act
  • Identity silos are more than just enterprise directory and AD. Silos for me are every place that provides identity services (databases, applications etc.). This also includes third party services

Solution overview:

  • IDM stack that we deployed: at top are the applications themselves, perhaps they are silos themselves but they need to access others. Below that is the application access layer (SOA, directory connectors, etc.). Below that is the enterprise directory (LDAP) and the virtual directory. Below that is the provisioning system
  • Enterprise directory is Sun, virtual directory is Radiant
  • Directory hardware, use Sun hardware on E25Ks. Since it is virtual, we don’t need to specify that this is the only source.
  • Each of the three tier 1 data centers has an instance of this sun hardware.
  • Virtual directory services sit on the same hardware as the LDAP store.
  • Virtual directory overview: At top is the virtual directory engine (core). Below that you have RDBMS connectors to application directories and databases.
  • What it means to us: Virtual directory allows us to abstract the data. This allows the applications to ask one place for data without needing to understand the back end. 4 use cases:
  • Directory Joins - virtual directories can join two objects into one logical system
  • Protocol masking / external joins - two examples to discuss later. This has more to do with what happens when the back end system isn’t a directory but we want to use it like a directory.
  • Schema transformation - legacy systems have naming inconsistencies. Virt directory allows us to make them consistent
  • External data masking - when dealing with security controls we can access systems without fine grained access control by allowing the virtual directory to enforce what you are able to see.

Synchronization vs. Virtualization

  • Synchronize when source of authority was unstable, unresponsive, etc.
  • Virtualization for everything else.

It doesn’t matter when you move or access the data. What matters in virtualization is that you choose a product that lets you switch between the two when you need to. What happens when the back end directory changes? These are important questions to ask your vendor.

What did we do at the bank?

Identity management programs were selected to be early users of the virtual system: B2B single sign-on was the first.

Big diagram of transaction, download slides to see in detail.

Cleartrust was deployed prior to identity management effort and as the first customer of the identity service.

Why not just move the data??? Why deploy virtual directory?

Three reasons:

  1. Time - lots have to change to move an identity store
  2. Cost - startup costs are high
  3. Regulatory Controls - If you are leaving the data in the system you have now, it has already gone through the controls. If you move the data, you have renewed requirements for audit. If you pass audit now, leave the data where it is and save yourself cost.

When you deploy a directory you’ll define the view: this is the data store, this is how you access it, the access rules, etc. Four things happen: a bind request comes from SSO; the entitlements are searched to see if it is a valid user; the requested user is searched for; then it binds as the user, checking the credentials.

ClearTrust for cross-silo authentication is made easier by the virtual directory. I.e. using WebSphere for J2EE apps, you need to secure the app. The app is secured through ClearTrust. The challenge is when the employees don’t exist in the external directory store. WebSphere doesn’t let you split what you do for console logins vs. anything else.
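As an added illustration, not code from the talk or from the bank’s deployment: a toy virtual directory in Python that joins an LDAP-style store with a legacy HR table, renames the table’s columns onto a common schema, masks attributes by caller role, and runs the four-step SSO bind flow above. All back ends, users, attribute names and credentials are constructed sample data.

```python
import hashlib
import hmac

# Constructed backend 1: an LDAP-style store keyed by uid. Passwords are held
# as salted PBKDF2 hashes; the salts and passwords below are sample values.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

LDAP_STORE = {
    "jdoe": {"uid": "jdoe", "cn": "Jane Doe", "mail": "jdoe@example.com",
             "salt": b"salt-jdoe", "pw": _pbkdf2("correct horse", b"salt-jdoe")},
    "asmith": {"uid": "asmith", "cn": "Al Smith", "mail": "asmith@example.com",
               "salt": b"salt-asmith", "pw": _pbkdf2("hunter2", b"salt-asmith")},
}

# Constructed backend 2: a legacy HR table with its own column names. It is
# relational, not a directory, but the virtual directory serves it as one
# (the "protocol masking / external join" case from the notes).
HR_TABLE = [
    {"emp_id": "jdoe", "dept_cd": "TRS", "ssn": "123-45-6789"},
    {"emp_id": "asmith", "dept_cd": "OPS", "ssn": "987-65-4321"},
]

# Constructed backend 3: per-application entitlements (who may bind via SSO).
# "legacy-app" still lists a user who no longer exists in the directory.
ENTITLEMENTS = {"b2b-portal": {"jdoe"}, "payroll": {"jdoe", "asmith"},
                "legacy-app": {"ghost"}}

# Schema transformation: legacy HR column -> common directory attribute name.
SCHEMA_MAP = {"emp_id": "employeeNumber", "dept_cd": "departmentNumber", "ssn": "ssn"}

# External data masking: attributes each caller role is allowed to see. The
# back ends have no fine-grained access control; the virtual layer enforces it.
VISIBLE = {
    "sso": {"uid", "cn", "mail", "employeeNumber", "departmentNumber"},
    "hr": {"uid", "cn", "mail", "employeeNumber", "departmentNumber", "ssn"},
}


class VirtualDirectory:
    """Presents LDAP_STORE and HR_TABLE as one logical directory."""

    def _join(self, uid):
        """Directory join: one logical entry assembled from both back ends."""
        ldap_entry = LDAP_STORE.get(uid)
        if ldap_entry is None:
            return None
        # Credential material never leaves the back end through a search.
        entry = {k: v for k, v in ldap_entry.items() if k not in ("salt", "pw")}
        for row in HR_TABLE:
            if row["emp_id"] == uid:
                for col, val in row.items():
                    entry[SCHEMA_MAP[col]] = val  # rename onto the common schema
        return entry

    def search(self, caller_role, uid):
        """Search the joined view, returning only what the caller may see."""
        entry = self._join(uid)
        if entry is None:
            return None
        allowed = VISIBLE.get(caller_role, set())
        return {k: v for k, v in entry.items() if k in allowed}

    def bind(self, app, uid, password):
        """The four-step SSO bind flow. Returns (ok, reason); a real front end
        would hand the client one generic failure and log the reason."""
        # 1. Bind request arrives from the SSO layer on behalf of `app`.
        # 2. Search the entitlements: is this a valid user for the app?
        if uid not in ENTITLEMENTS.get(app, set()):
            return False, "not entitled"
        # 3. Search for the requested user in the joined view.
        if self._join(uid) is None:
            return False, "no such user"
        # 4. Bind as the user: compare the credential in constant time.
        rec = LDAP_STORE[uid]
        if not hmac.compare_digest(_pbkdf2(password, rec["salt"]), rec["pw"]):
            return False, "bad password"
        return True, "ok"


if __name__ == "__main__":
    vd = VirtualDirectory()
    print(vd.search("sso", "jdoe"))   # the SSO caller never sees the ssn
    print(vd.search("hr", "jdoe"))    # HR may see the full joined entry
    print(vd.bind("b2b-portal", "jdoe", "correct horse"))
    print(vd.bind("b2b-portal", "asmith", "hunter2"))
```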

Lessons learned:

  • Virtualization of the identity to leave it where the data resides is a powerful tool that avoids regulatory issues. Any approved data source can be used for SSO, for example.
  • Remove application sequencing dependencies: since you don’t need to move identity stores, that work is separate from application work. No mid-silo applications with a need to do things at the same time. The timing of different apps can be decoupled.
  • Real-time access instead of synchronization is possible with low overhead. No large hit in access times.

DIDW: Unique Characteristics of Healthcare: An Information Business

Tuesday, September 12th, 2006

Here are my rough notes from the second morning keynote on Day 2, please expect rough writing. My comments / editorializing in brackets prefaced with “SJC”.

Scott Wallace: The National Alliance for Health Information Technology

Huge problem, no identity management in healthcare

“When you’ve seen one hospital, you’ve seen one hospital.” Little standardization between hospitals.

Healthcare information is all personal. Information known about you regarding health does not change over time for employment, insurance, etc. Once disclosed, it is gone forever. Your reputation can be fundamentally affected.

Economics of Personal Healthcare

  • All I want - full access
  • Others should pay for it - Insurance
  • I’m not paying for others - Medicare

The healthcare triangle is the relationship between the provider, the patient, and the payor (insurer). This leads to complexity in the way the information systems are constructed.

We all outsource healthcare which means information must be shared in order to get good care.

Information must be shared for exams, diagnostics, etc.

All this information exists in paper but paper tends not to move around: (Lab, Doctor’s office, hospital, nursing home) - Labs tend to do the best job.

Electronic in the healthcare industry means you faxed something.

30 years ago you had a family doctor, only hospital when near death. But today there are specialists, distributed care, and much more sophisticated information. (Static X-Ray vs. 64-slice CT)

Healthcare is desperately in need of tools to manage this info.

Rand did a big study: “Healthcare is the nation’s largest, most inefficient information enterprise.”

Access, Errors, Quality, Efficiency

Access:

Kaiser Family Foundation puts 16% of the population, 44 million people, as uninsured. Highest rate of spending per capita and lowest rate of access.

Errors:

98,000 people a year are killed as victims of healthcare. 250,000 doctors - (doctors always deny they killed anyone)

Thinks part of the cause is bad information systems

Quality:

Rand - Patients receive the appropriate care 53% of the time. Why? Information can’t be shifted appropriately. $500B a year is wasted in healthcare.

Another report, To Err is Human: Information needs to follow a patient around from doctor to doctor.

Information flow problems are caused in part by paper systems. Lots of waste has to do with information needed being unavailable. How many times have you had a test repeated because the info wasn’t available or trusted?

Why still paper based in healthcare?

  • Systems
  • Economics
  • Security and identity

Systems:

No innovators in healthcare, no iPods. Physicians are intolerant of change. Big IT innovation in healthcare is still not huge (the average large healthcare IT company does 1.5 billion in revenue). Support requirements, etc. scare people away.

Economics:

Economics are resistant to change. The purchasers aren’t the beneficiaries (10% goes to providers). Fee for service, no quality differential, no efficiency reward.

Children’s hospital in LA did a 140 million IT deployment. Took acute care cases and made them ambulatory, allowing folks to keep patients out of the hospital. About 8 months after they finished the deployment they were nearly bankrupt, so everyone else is afraid to deploy for fear they will reduce their business. This is a big impediment.

Fee for service: Doctors get paid the same across markets regardless of how good or bad they are. This stifles innovation. If you as a doctor only get paid by use, you don’t want to cut down the number of uses.

Security and Identity:

Classic problem of how to share and who to share with.

“if we are worried about privacy in healthcare why do we have gowns that open in the back”

Privacy means keeping secrets. We have blinds on bathroom windows because we want privacy. In healthcare when they say privacy they mean confidentiality: limited disclosure towards only specific people.

HIPAA issues - If you frame electronic health records as protecting data confidentiality, you get much better poll results from consumers. Speak in a language of confidentiality, not privacy.

Some Identity Issues

  • Policy
  • Stakeholder Engagement
  • Technology and Clinical Practice

Policy

Identity links to confidentiality

HIPAA - created lots of state laws to be more severe than the federal base. Things mandated in one state might be illegal in another state

Legislation to block unique ID - wanted to create a national healthcare ID to track your healthcare information. Two years later HHS was told not to work on it by Congress.

Big debate in healthcare now is do we have a national system or a regional system

Need appropriate protections and sanctions since the data is so critical. Need to prove if you get leaked healthcare information that you didn’t use it. Stealing banking info gets you in jail, less clear if you steal someone’s healthcare information.

Stakeholder Engagement

Consumers are completely disengaged from this problem. They think their doctor has all the relevant information. The average group practice doctor has 3000 patients. Consumers don’t know how little their doctors know about them.

The only way to get consumers engaged is to discuss convenient information. No need to show your insurance card over again or discuss medical allergies.

Clinicians are worried about accuracy and completeness of information which often leads to repeating tests. False positives and negatives if information is wrong is a huge problem.

Technology issues

Unique or algorithmic matching? Still a sense that a national ID is necessary in some circles, but algorithmic matching is viewed with a skeptical eye.

Need to inform the policy debate in the public and congress

Must defer to the policy consensus - so many standards, engineers need to agree that some standard is needed.

Question Steven Spraig (sp) - Wave Systems - Trusted computing opportunity with the PC’s hardware ID. All PCs will have a common method for identity within a hospital. How can these standards be brought into awareness in healthcare?

Healthcare IT people are extremely cynical since they’ve been burned in the past. Tone down your message to something you really know you can do.

nahit.org

DIDW: What do the Internet’s Largest Sites Think About Identity?

Monday, September 11th, 2006

Here are my rough notes from the third session, please expect rough writing. My comments / editorializing in brackets prefaced with “SJC”.

Dick Hardt - SXIP Identity

Talk around Identity 2.0. Need temporal awareness to understand what something is.

  • Vitamins: hard to sell as it prevents something in the future
  • Painkillers: easier to sell as it stops something bad
  • Viagra: very easy to sell - allows something new

[SJC: Dick went through a variation on his great Identity 2.0 prezo. Deltas below]

Need to know past behavior of a job applicant in order to evaluate how he’ll do in the future.

Let’s look at:

  • Yahoo - Single account for multiple services. Big set of silos. When they bought Flickr they had problems since Flickr needed its own identity.
  • Microsoft - .NET Passport failed. Windows Live ID is a rebranding. InfoCard is a good evolution since the user is at the center.
  • Google - Google has a single account, lots of silos. As a user I’d like my own account but for Google this is a vitamin, not Viagra.
  • eBay - Has silo identities but also has reputation, has past behavior as a predictor of future behavior.

Single account via Identity 2.0 has a single point of failure. But you already have one login per site with the big sites and you can make the one login more secure. You can reduce the risks of that single login by making that login more secure. [SJC: Single points of failure are still single, no matter how secure, see the previous talk on a national ID card]

Wikipedia could benefit from reputation. Slashdot uses karma, what about using that karma from Slashdot in other places like games? It becomes an alternative currency. [SJC: Read Down and Out in the Magic Kingdom by Cory Doctorow]

Panel is now introduced:

Moderator: Dan Farber, Editor In Chief, ZDNet

Panelists:

  • Michael Barret - CISO PayPal - Previously president of Liberty Alliance
  • Michael Graves - CTO Verisign
  • Jim Piala (sp) - Product manager Windows Live

DF: What does MS say about Dick’s comments?

JP: Windows Live and Windows Live ID have a key focus on identity interoperability (issuers and technologies). Need to give people control of their identities. Users like to have multiple identities, some with the same provider, some with different providers. See big opportunities with WS* and InfoCards.

MG: Verisign is not moving out of areas that it has been in. It is more heavily investing in those areas. Securing enterprises, PKIs, etc. Military grade deployments. Sees real growth in what companies like SXIP and Microsoft’s InfoCard, OpenID WG, etc.

MB: Identity gets more complex and standards hoped to go somewhere are just part of the problem. More difficult issues are what the earlier presentations explored. For financial services, can you actually pay? Less about identity, more about is what you just did similar to what you did in the past.

MG: CardSpace is an important technology to integrate with. Verisign could provide network based technology to help control the endpoint. How do I know that I can trust DNS? CardSpace provides a good toolkit to evaluate this.

DF: When will the walled-garden approach be resolved? How do you make them more permeable?

MB: I never thought this would happen fast. I am skeptical. Some evidence on the horizon. Hardware based authentication has to be broadly federated in order for it to work. Unconvinced that we have the protocols and the exchange mechanisms around the authentication exchange and the tie to the identity itself.

JP: All about business drivers. Not sure that economic incentives are there to allow full federation. Tightly coupled business offerings linking with one another might make more sense.

MG: Verisign is taking a very different and disruptive line. We make lockdown tech for financial institutions to manage risk. On the other end, there is the user centric notion which we believe in. Federation does not lead to universal identity. We don’t have the retail presence to risk by making a big change. Comes down to a failure of faith in federation. SSO is a better option as part of the OpenID framework.

DF: How do you convince a Yahoo or someone similar to adopt any of these solutions?

MG: You don’t, the walled gardens are last to migrate to the new future. Balance between content to keep a user in a site and the tipping point which would cause them to leave the site. Do you want to be a silo, or a hub to allow folks to flow in and out? Interoperability needs to happen via a mesh of hubs which broker these identifiers.

JP: Two reasons why we might see more users getting out of the garden. First, users need to be at the center of the experience. They care about this and are frustrated by it being closed. Users themselves will drive this. What if you could take your eBay rep to another site, how can I take my Xbox Live reputation to another forum? Second, no walled garden is completely walled. Partnership will be present between the gardens.

MB: We don’t have protocols which describe trust levels between systems (i.e. PayPal, Skype, and eBay). With three auths in our own systems, how do I cross-correlate these?

Question from audience, Mike Jones from MS: Depending upon the value of the information secured by an ID, the current username/password standard either is good enough or not manageable nor able to be secured. How do we get users away from this?

JP: Different applications require different levels of assurance. This isn’t a bad thing, nor an impediment to federation. You just need the identity to match the scenario.

MG: Lack of success has not been because passwords are not adequate. It has been because they’ve been too difficult to use. Risk and fraud need to be managed. Need a growth path to make things better.

MB: Each component of identity can break. At that point you are trying to predict which transactions are legitimate and what you should do to mitigate the risk. Need business specific standards. Phishing problems around user-driven identity. Not much traction in email signature standards. One of the things we are doing to limit the phishing attacks from PayPal is to sign every outbound email to try and make some progress.

Question from Phil Becker, DIDW: Question in the mind of Windows Live offerings, Enterprise IdM has advanced the notion of self service and scaling improvements to make all this more deployable. Software as a service and other service based offerings might invert the outlook, when does Windows Live start to sell to a business? Could a business use their own authentication and then assert that to Windows Live?

JP: That is exactly what is happening. That used to be achieved using password synch between AD and Windows Live ID. Using ADFS (AD Federation Service) and WS* in the future to allow enterprises to manage their identities themselves in accordance with governance but be accepted at Windows Live services. Federation is a user experience improvement.

Question from Jeff Smith - Office: Age for purchasing alcohol is a minimalist thing for specific transactions. What are Verisign’s thoughts on this?

MG: We are providing the infrastructure for this like InfoCards is.

MB: I am doubtful whether these sorts of systems will work the way InfoCards is described. This is because of the commercial dynamics of this. In practice these kinds of problems are dealt with in low-tech AUP type policies. The elegant conceptual mechanisms… I’m just unconvinced that they’ll emerge in the marketplace. Just because some merchants and consumers might want them, there may not be enough economic traction to make this happen. Need the plumbing first.

JP: The requirement for claims creates an interesting requirement on the system. Claims need to be verified perhaps by a legal framework. Few digital identities have been vetted to that level. Some electronic ID programs in Europe meet that requirement. There are no comparable identity issuers in the US.

Question from Jon Donovan, Network Appliance: All this seems consumer centric, how does this apply to enterprises? How can I trust other identities from a reputation perspective?

MG: There’s a big gap between nothing and a government issued ID. Nothing to perfect. Stepwise evolution is needed.

Paul Bran (sp) - Brighton Consulting: When can I use a better credential?

MB: If something is fraudulent what is the cost to the consumer, business, or insuring entity? We honor all legitimate transactions at PayPal. We exonerate customers 100% when it is not. This isn’t about technology, it is about the business decision in understanding the risk and cost. I’m a great believer in opening federation up, but the question becomes, when an auth fails because they can’t get online if their token is destroyed, how do you get that person online? At American Express we had lots of scars, but when a customer called with a forgotten password, half of the time they just forgot their username. We need to be able to disambiguate this.

JP: Large PKI/smartcard islands are increasing and more interoperability would allow these systems to be used online. CardSpace / InfoCards might be another way to increase adoption of more systems.

Pam Dingle from ? - Windows Live ID and InfoCard are not the same thing and even in Vista they are separate. What is the nature of the integration planned?

JP: Windows Live ID is a hosted service at Microsoft, we’re excited about InfoCard as an alternative means but we believe that as a large company we’ll need a dedicated identity service as well as use newer techniques.

DIDW: How Identity is Overused and Misunderstood

Monday, September 11th, 2006

Here are my rough notes from the second session, formatting be damned. My comments / editorializing in brackets prefaced with “SJC”.

Jim Harper - Director of Information Policy Studies, Cato Institute - Author of Identity Crisis

  • Wanted to write a book about why we don’t want a national ID card. How do you know who
  • Typical identity: Something you are, something you have, something you know
  • Wants to add a fourth, something you are assigned. (Your name, your location, etc.)
  • How would a national ID card work? Then you can examine the issues around it.

Threats to national ID cards

  • Surveillance - easy to tie separate sets of data together.
  • Power - information is power, access to data allows the government to find you and affect your life. Access to databases reverses the incentive structure: ordinary incentive is for law enforcement to learn about crime, then track down who did it. With more data it is easier to say anyone must have done something wrong, and then start mining that data to find out what it was.
  • Tend towards insecurity - Identity fraud is made easier by the existence of SSN. Single key system means one error compromises multiple systems [SJC: Sounds like some of the issues with biometrics]

Need heterogeneous ID system so that consumers can select the systems they need without participating in a single system.

Think of authorization as coming first. In everything you do, you decide if something is going to go forward or not. Let’s call that authorization. Hugs, handshake, alcohol sales, network access, etc. all have authorization steps. What do I need to know about you in order to shake hands with you? What do I need to know about you in order to hug you?

What level of proof do I need that what I know about you is correct? That level of proof is authentication. Authorization: what you are allowed to do. Authentication: degree of proof provided to allow that transaction to transpire.

So many DHS programs are unwisely relying on identity. Just knowing who someone is is not necessary. You don’t need to know who the person sitting next to you is, just that the person on the plane can’t hurt you. [SJC: This doesn't seem to apply at all to enterprise networks. I hope he realizes this isn't a universal constant]

The REAL ID Act was passed in May of 2005. By May of 2008 states need to issue ID cards in compliance with federal standards, standards like no more mail-in renewals etc. Dedicated adversaries will bypass these systems (pay-off DMV folks, etc.) but it will be painful to the rest of us.

Big laugh from crowd by suggesting that Identity should be 3rd or 4th, not center. Talks about using a fake-id at all of his dealings requiring credit cards.

Phil came on at the end to suggest that this talk is all about understanding what you accomplish with a given identity check.