Thanks to the ISACA Now blog for posting my article, Eliminating Passwords in the Enterprise!
Periodically I have a disconnect with a client or a consulting partner. You know, one of those moments when you realize you are on different pages than you thought you were when the conversation started.
I’ve realized that there are typically two types of people working in Identity and Access Management. The first group comes from a security background, while the second has access administration or maybe more general IT on their resume. I’m a graduate from the second school.
This really dawned on me about five years ago. I was talking to a consultant, who was relatively new to IT, about identity management and how my job was to give the right people access to the right resource, yadda, yadda, my normal spiel. He was listening but had a furrowed brow and I realized he was struggling with the ‘allow access’ part of the conversation.
I quickly learned that he was an ex-military police officer with experience in electronic security systems. He was much, much more interested in blocking access and ensuring maximum security. The idea that we could (and should) make access easier was hard for him to understand.
I have learned that there are some in this business that come from a position of wanting to over-secure everything. If that’s who you are working with, it is best to consider that viewpoint because they won’t be able to move forward with an IAM solution until their primary security needs are met.
But there are also those of us that want a really good user experience even if it means managing some additional security risk. We’ll always look for a design that allows access — while still being compliant with security and privacy — but is more aligned with client business needs.
Where you from?
I’ve been thinking about how the public sector model for identity has changed in recent years from one where the government body controls the credential AND acts as an identity provider, to one where the credential management is delegated to a service provider. Social media login and, at the premium end, SecureKey’s briidge.net are examples of this model.
Social media credentials from Twitter, Facebook and Google are used every day by millions of Canadians. Why not leverage these existing accounts to access government services?
The problem I have when talking to clients about these solutions is the assumption that any credential service provider (CSP) will do. That is, a public organization can (and should) readily accept any common credential, add a layer of identity proofing, create a link back to the credential (for future access) and start counting the costs saved. After all, it is all about citizen choice isn’t it?
This isn’t a simple issue. There are some fundamental problems with using low-end credentials, such as social media logins, that need to be carefully considered when delegating authentication to a third party:
- Operational Disruptions — There was a great post from the Basecamp blog a few years ago (since deleted) that described how difficult it was to maintain the link between a credential provider and the site. This post talked specifically about OpenID and how changes to the credential may not be properly shared with relying parties, resulting in support calls and manual fixes. Users would also forget which OpenID account they used, and Basecamp had no automated way to reconnect them. In the end, disruptions were common for OpenID users, support costs spiked, and Basecamp discontinued its use.
- Longevity — Which social media credential providers are going to be around for the long run? What consolidations of login services or outright mergers are coming? How might the protocols for social media login change? For a public-sector service wanting to provide stable, long-term services, picking the right credential service providers is extremely difficult.
- Wrong Message — Social media companies (Google, Facebook, even LinkedIn) often misbehave when it comes to privacy. They routinely run afoul of privacy commissioners and even irritate their user bases when ever-invasive features are introduced. Given the poor privacy records, should a public-sector website be encouraging the use of social media login to access government services? What are the downstream risks?
- Convenience — Social media login can certainly save time when it comes to authentication. I use my Twitter account to access Level 1 (low value) services frequently. I’ll admit it is convenient and I like that blogs, news websites and the like offer this option. But convenience is far less important to me when accessing my personal information on a government website. First of all, security and privacy protection matter a lot more. Further, I don’t access these sites all that often so if I have to login (or request an automated password reset) it isn’t that big of a deal to me. What would be more useful would be a common credential for all of a particular government’s services, so that I can experience single sign-on.
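The link back to the credential mentioned above is where the Basecamp-style disruptions show up, so here is a small added example of how a relying party can keep that link without tying it to attributes a provider may change. This is not code from the blog, from Basecamp or from any credential service provider named here; it assumes the relying party keeps its own local accounts (a local login is still required, as noted below) and that each provider asserts an issuer identifier plus a per-user subject identifier it promises to keep stable. The provider names, account ids and e-mail addresses in it are constructed for the example.

```python
"""Relying-party side of delegated login: keeping the link to the credential.

Added example; not code from the blog, from Basecamp or from any credential
service provider. Assumes a relying party with its own local accounts and
providers that assert (issuer, subject) pairs they keep stable. Provider
names, account ids and e-mail addresses are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

LinkKey = Tuple[str, str]  # (issuer, subject): the only handle the RP keys on


@dataclass
class LocalAccount:
    account_id: str
    email: str
    links: Set[LinkKey] = field(default_factory=set)


class RelyingParty:
    def __init__(self) -> None:
        self.accounts: Dict[str, LocalAccount] = {}
        self.by_link: Dict[LinkKey, str] = {}

    def register_local(self, account_id: str, email: str) -> LocalAccount:
        """Create the local account that delegated logins will be linked to."""
        acct = LocalAccount(account_id, email)
        self.accounts[account_id] = acct
        return acct

    def link(self, account_id: str, issuer: str, subject: str) -> None:
        """Bind a federated identity to a local account.

        Called only after the user has proven control of the local account
        (local password, or an identity-proofing step), never automatically
        because an asserted claim happened to match something on file.
        """
        key = (issuer, subject)
        owner = self.by_link.get(key)
        if owner is not None and owner != account_id:
            raise ValueError(f"{key} is already linked to account {owner!r}")
        self.by_link[key] = account_id
        self.accounts[account_id].links.add(key)

    def login_federated(self, issuer: str, subject: str,
                        email: Optional[str] = None) -> Optional[str]:
        """Resolve a delegated login to a local account id, or None.

        Lookup uses (issuer, subject) only. The e-mail the provider asserts
        is received (it can be shown in the UI) but is deliberately not used
        to select an account: addresses change, and a second provider
        asserting the same address would otherwise walk into the account.
        None means 'send the user to local login and offer to relink', which
        is the automated reconnect path the Basecamp post said was missing.
        """
        return self.by_link.get((issuer, subject))

    def retire_provider(self, issuer: str) -> int:
        """Drop every link to a provider that shut down, merged or changed
        protocol (the longevity problem). Returns how many links were dropped;
        those users fall back to local login and relink with another provider."""
        dropped = [k for k in self.by_link if k[0] == issuer]
        for key in dropped:
            self.accounts[self.by_link.pop(key)].links.discard(key)
        return len(dropped)


def demo() -> Dict[str, Optional[str]]:
    """Walk through the normal path and two failure modes from the post."""
    rp = RelyingParty()
    rp.register_local("cit-0001", "alice@example.ca")   # constructed data
    rp.link("cit-0001", "https://social-a.example", "u-123")
    return {
        # same provider, same stable subject -> the linked account
        "same_credential": rp.login_federated(
            "https://social-a.example", "u-123", "alice@example.ca"),
        # provider A re-issues Alice under a new subject id: no match, so the
        # user is sent to relink instead of being silently merged by e-mail
        "provider_changed_id": rp.login_federated(
            "https://social-a.example", "u-999", "alice@example.ca"),
        # provider B asserts the same e-mail: still no match, no takeover
        "other_provider_same_email": rp.login_federated(
            "https://social-b.example", "u-123", "alice@example.ca"),
    }
```

The design choice is that a miss never falls through to an attribute match; the cost is a manual relink for the user, which is exactly the support burden the post describes, but it is bounded and predictable rather than silent account confusion.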
So what are the benefits of leveraging a social media credential for government websites? Well, for those more trusting than me, convenience and the benefit of having fewer passwords to remember is a definite plus. And cost savings can be significant for large websites, although keep in mind that a full IAM stack is still required — the public sector website will still need to provide their own login service as not all citizens will trust an alternate credential.
Ultimately, social media login for services won’t meet government privacy and security requirements for access to sensitive information. Existing in-house systems and credential solutions (like SecureKey) that specifically address the trust issue will likely prevail.
In my own city, Edmonton, they have been talking up e-voting for a while now. There was an announcement yesterday that a pilot project is being conducted to validate the process of running an online election. (More information can be found here and here.)
First of all, I think that this is exactly the type of pilot project that governments must run to be progressive and forward-thinking. These types of initiatives are high value, not just to validate a solution for this defined need, but for the organization’s other online initiatives. And the proposed e-voting identification process is an interesting one…
To be frank, I don’t have e-voting very high on my personal list of municipal problems to be solved, BUT I do have a keen interest in how people are identified online.
The City’s new project has an identity proofing process for this pilot project. It includes a unique method of collecting identity proofing documents that I haven’t seen before: citizens scan (or take a picture of) their real-world identification, then upload it to the City’s website. Allowed documents include a driver’s licence, passport, Canadian military card, etc.
The image of the identification document is then reviewed manually by employees in the elections department and presumably compared to lists of eligible voters. Only when the document matches up with a previously registered voter will a credential be issued to the citizen for voting purposes.
This approach is convenient to citizens, or at least those that are savvy enough to scan a document and upload it to a website (which is probably a pretty high percentage of those that will consider online voting).
But whenever I see ‘convenience’ cited as a reason to do something online, I can’t help but look for the security and privacy compromises required to make that thing convenient. On first review (I haven’t done a deep dive, so feel free to correct me!) here are a few things that might be compromised by such a process:
- How does the process ensure that the citizen is in control of the document at the time e-voting registration takes place? For example, the passports for a household might be stored in a filing cabinet. Let’s say one member of the household is politically active and the rest don’t vote at all. How difficult would it be for the one family member to round up the passports and create multiple e-voting credentials?
- There may be a privacy issue here. Scanned identification documents contain a payload of sensitive information. My passport has my legal name and birthdate — two attributes that are useful for the voter vetting process. But it also contains my passport number, my place of birth and my citizenship. None of these attributes are needed by this process, and should not be collected and stored as part of the process. (Update: The City’s 311 service has informed me that the data will be stored in Canada and destroyed no later than December 31, 2012. Also, only authorized personnel can view the data and they are subject to confidentiality agreements.)
- Finally, how can one be sure that the scanned identity document has not been digitally tampered with? Paper and plastic documents have physical safeguards to increase reliability. For example, the Alberta driver’s licence has a hologram on it and a ‘declined width text wave’ feature (and these are just two of a dozen security features). How do these features translate to the scanned image? Assuming many of these features do not translate well, how well does the scan of the document actually prove the citizen’s identity? As a comparison, would such a scan, subsequently printed, be acceptable as ID at the polling station?
It will be interesting to see how these and other challenges of e-voting will be overcome in the coming months.
The general impression is that identity management systems — in particular the authentication and authorization components — need to run continuously in order to ensure users can access their business applications. Enterprise IT shops are accustomed to building in redundancy in hardware and rigorous process to ensure systems ‘stay up’. It is not uncommon for a critical business system to have a target up-time of 99.99% or even 99.999%.
Why is this the case? Information systems availability (or lack thereof) can impact productivity and, for private businesses, profitability. And in the case of medical systems — actual clinical systems, not informational websites — an outage can impact health service delivery and have negative outcomes for patients. As a result, it is common for an identity management system to be designed for high availability, and for organizations to fund (hardware, software, people, etc.) the service at a level appropriate to meet this goal.
But not all systems need this type of high availability.
Take, for example, a set of web applications offered to the public for access to government information. These applications represent a sub-set of the business being conducted, i.e. they could be used to apply for funding or to access a library of online information products. In my experience, this type of public-sector system is by far the most common type of application used by citizens online.
So here’s the bombshell — these types of systems do not need to be highly available… 24/7/365 access, highly redundant services, on-call technical analysts, etc. are not part of the requirements for these web applications. Why? Because the expectations and needs of users for access are not as high as enterprise architects and overly concerned business folks lead us to believe.
Think about it for a moment: if a government website or application were down, what would most of us do? Call our elected representative in a rage? Close our business? Drive to the nearest service centre?
No. We’d do what we do when other websites are unavailable — surf on to the next one, spend some quality time on Facebook or check our email…
I’ll try to get a better post out later this week, but I thought I’d share some initial information from today’s briefing via Twitter.
On September 7th, I’ll be heading to the 1st Annual Critical Infrastructure Protection Conference in Calgary, Alberta. This is the first edition of this conference, subtitled “Cyber Security for Energy and Communications”. With our oil sands attracting wide-spread international attention — Warren Buffet and Bill Gates visited last week — the protection of these assets is obviously a top priority for both government and industry.
I’ll be helping to staff the Seccuris booth in the trade show, and catching whatever speakers I can. It should be rather interesting to hear Dr. Steven Flynn, the Homeland Security Advisor to Barack Obama speak on infrastructure security — even if this topic is not related to my direct interests of identity, information security and privacy.
Michael Legary from Seccuris will also be speaking on “Virtually Secure: Uncovering the Risks of Virtualization”, a look at the security of virtual server environments.
Always interesting, too, to visit Calgary. It is a rare example of how a city can be sophisticated and thriving, while still retaining its prairie town roots.
Here are the weekend quotes, a day early…
Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing. — Helen Keller, author and activist. Keller, who was deaf and blind, was an advocate for many progressive causes including women’s suffrage and inclusion for people with disabilities.
On privacy and youth:
“Young people are very adept and comfortable with electronic communication. As advocates, we have to help young Canadians find the information they need to be their own privacy watchdogs” — Irene Hamilton, Manitoba Ombudsman, speaking at the semi-annual meeting of Canadian Privacy Commissioners, June 4, 2008. Visit youthprivacy.ca for more information.
On common sense?
“Many companies need to do more to prevent inexcusable security breaches. Too often, we see personal information compromised because a company has failed to implement elementary security measures such as using encryption on laptops.” Jennifer Stoddart, Canada’s Privacy Commissioner in her 2007 report to Parliament.
I spent two weeks in Italy last month and, in case you haven’t heard, it is one of the most beautiful places on earth. So it was appropriate that I attend a match of the ‘beautiful game’, aka calcio, football, soccer.
The game was Fiorentina (Florence) vs. Sampdoria (Genoa), and it had some importance so a large crowd was expected. I set out on the number 51 bus from Florence’s historic centre, bound for a suburban stadium near the Tuscan hills north of town. 45 minutes before game time the bus was full of purple-shirted — and well-behaved — Fiorentina fans.
Once near the stadium I realized that I had no idea of where to buy a ticket, so in my pitiful Italian I asked assorted gate personnel, coffee shop clerks and fans where the ticket office was.
I found one in a cafe across the street. Inside there were big signs, in English, saying that English fans could not buy tickets for games here — they had been previously banned from Italian soccer stadiums, presumably due to poor behaviour over the years, and therefore tickets for all foreigners had to be officially dished out by the club. Nevertheless I enquired at this cafe and was told, no, I had to go to the official ticket office down the street; my pasty Englishman-like complexion and bad Italian quickly (and correctly) labelled me as being a tourist.
I eventually found the official ticket office. While waiting in line for the soon-to-be sold out game, I chatted with a Greek national who was also planning to attend. He asked me if he needed his passport to buy a ticket. Uh, yes, you needed some type of identification, and I had my passport on hand. (I since learned that in 2005, new laws in Italy were enacted requiring teams to sell tickets only to named individuals, hence the need for ID.) He seemed quite dismayed, but stayed in the line hoping to charm the ticket booth ladies I guess. In the end, he was turned away…
At the booth, I presented my passport and asked for a seat in the quiet end of the stadium. The agent looked at my picture, looked at me carefully, then entered my name and passport number into the ticketing system. After a few seconds, the system — perhaps connected to a soccer hooligan database? — confirmed that I was not a troublemaker! Out came my ticket, personalized with my full name.
I was informed that I had to go to a specific gate in the stadium, and would be asked for my passport to prove identity before gaining entry. I sprinted to the stadium, and showed my ticket to the uniformed gate-keeper. He waved me through without asking to see my passport…
The game turned out to be spectacular mostly because of the fans’ behaviour. My seat was in the family end of the 45,000 seat stadium. At the opposite end were 15,000 of the most rabid home fans, and to our right — in a fenced and plexiglass section — stood a mass of rival Sampdorian fans. Below us were a smaller collection of younger, energetic home fans and between the two were several dozen brightly uniformed crowd enforcement officers.
Throughout the game, the Sampdorians screamed, sang, chanted, raised fists and — when Sampdoria scored — rushed headlong towards the plexiglass. The surge of 4,000 manic fans was accompanied by wild shirt-tearing and the noise of 40,000. In turn, the enraged Fiorentina fans below me rushed towards the security personnel, raised their fists, hoisted middle digits and flung insults toward their guests. On this day, the surge was just a feint, and there wasn’t much more than some light shoving with security at the perimeter. And even if they did burst through, a chain link fence stood in their way.
Fiorentina went on to score the next two, and the singing and chanting that filled the stadium was everything one could imagine at an Italian football game. As the game wound down, the smug confidence of the home fans could be felt. The sky was blue, the game was in hand, our rivals quiet and downtrodden…
Then the unbelievable happened — with only a minute left, Sampdoria scored! The Genoa faithful rushed down the terrace, more shirt-flinging and frothy-mouthed bellowing! The locals below us surged again, but it was less energetic — they knew as I did that we’d just been tied by these invaders and what good would a bloody clash serve at this point?
It was a fascinating spectacle, even though no true violence took place. And it became very clear why my identity was confirmed prior to buying a ticket. What if I was a hooligan looking for trouble? What if my gang and I decided to bring smoke bombs, darts or other projectiles to lob into the visitor’s section? Only by checking the thug database prior to entry could such debacles be minimized.
The only flaw was the missed passport check at the gate… The careful identity proofing and personalized ticket weren’t much use if the ticket-taker didn’t ask for proper ID on entry. Perhaps the profiling of English-looking trouble-makers only applies to international games…
As for the game, click here for the highlights.
The theme of the just completed Privacy and Security Conference was ‘Digital Dilemmas, Digital Dreams’. It had a strong privacy flavour to it, and I found a recurring theme in many of the sessions: a need to find a balance between privacy and security is critical. We truly experience a dilemma when we make decisions that would favour one over the other.
As many have pointed out, privacy and security do not need to come at the expense of each other. For example, increased security does not need to decrease privacy protections. When this happens, things like surveillance cultures develop that are not only harmful to societies but almost impossible to disassemble once in place. Simon Davies from Privacy International pointed this out in his impassioned presentation on the ubiquitous CCTV systems in the United Kingdom: establishing the cameras in public places has already been completed, and removing them is almost unthinkable despite their ineffectiveness. Do you want to be the public official responsible for the removal of a system when the next bin Laden might walk through your town next week? Mr. Davies also points out that building license requirements and insurance companies now mandate that CCTV be installed in order for approvals to be granted to a business.
The reason that Britain has become a mass surveillance society is that when surveillance systems were being planned and implemented, security was the Holy Grail, and privacy — if considered at all — was the second priority. When 9/11 hit and new legislation was enacted, privacy concerns took a further back seat.
Fortunately, in Canada we have some fairly strong privacy controls in place. This isn’t because we have brilliant legislators or lack the ability to implement security controls. Canadian values, privacy awareness and sensitivities to privacy invasions have not been eroded by terrorism and the resulting fear-mongering that follows a terrorist attack. We bask in our privacy acts and glow with pride each time we write a Privacy Impact Assessment.
There you have it: a tidy, smug, self-assured Canadian view of privacy and security… But what if we did experience the unthinkable here — the toppling of the CN Tower or a coordinated attack on Alberta’s oil sands infrastructure (and the resulting environmental disaster)? Would the privacy culture we enjoy survive such an event? Or would invasive border controls, a national ID card and pervasive wire tapping become our norms as well?
At times it is easy to be smug and satisfied in a country that consistently wins UN awards for being the best country on earth. We pretend to not understand the American obsession with security, and are aghast when we hear of CCTV in the UK. How can these countries — our neighbours and cultural peers — allow such an erosion of privacy in the name of security?
The reality is we have not experienced the same pain, and until we do our indignant rhetoric is just that: naive statements untested by the harsh reality of unthinkable events. Keeping our balance in an uncertain future will be more difficult than we can possibly know.