Identity and Security Quotes

Each weekend I’ll put together a set of quotes on identity, security and privacy.

So why do we care so much about identity? 

“Why is identity so important?  Identity forms the basis for authorization and trust.” — From the NIST draft publication 800-103: “An Ontology of Identity Credentials”

In the early days, our neighbours to the south had some strong feelings about balancing security and feedom: 

“Any society that would give up a little liberty to gain a little security will deserve neither and lose both.” — Benjamin Franklin

And here’s a good one — recall the massive loss of data in the UK last year?  Some frank comments:

“Let us be clear about the scale of this catastrophic mistake—the names, the addresses and the dates of birth of every child in the country are sitting on two computer discs that are apparently lost in the post, and the bank account details and National Insurance numbers of 10 million parents, guardians and carers have gone missing” — Opposition MP and Her Majesty’s Revenue and Customs’ Shadow Chancellor George Osborne



Video/Podcast Page

Take a look at the page navigation link directly above this post called Video/Podcast — I’ve started to collect and post links to identity, security and privacy video clips.  There are a few podcasts I’ll add as well in the coming weeks.

I find that these videos — even if some are from vendors and can be biased — provide easy-to-digest mini courses on various topics.  Enjoy!


I remember you…

There is a fine post at the new IT in Canada site on the data we leave behind.  To summarize Michael O’Neil,  there are big risks for young people that willingly post information on social networking sites — questionable pictures, funny posts and even videos of prankish behaviour — that will forevermore be stored, somewhere, on the ever-expanding Internet.  The impact of one’s (recorded) youthful exuberance on future job prospects, for example, could be significant.

This is not a new topic, but it is a good way of introducing a similar issue in a corporate context.  Imagine you are an intern attending a training session on some new technology at your company.  The company is keen to record, store and catalogue the training session for future use, so it has setup a video camera next to you at the back of the room.  Being young, smart and confident, you inevitably joke and inject sarcasm throughout the session, with jokes about senior management working their way into the audio track.  A few borderline unpolictically correct jokes are contributed, hilarious to those in the room.  Much fun was had!

A few days later, the video is stored and posted to the intranet.  The topic is not a hot one, so viewings are limited.  After a while, the video is surplanted by dozens of other rich media content, and it becomes buried on the site.  Eventually it is archived and forgotten.

Ten years pass.  You get promoted steadily.  You mature.  You’re ready for the big promotion and as your interviewer prepares for the interview, she scans the intranet using a powerful new search engine tool that not only can index rich media, but is sophisticated enough to identify an individual’s voice and facial characteristics to aid in the search.  It also has scanned archived data…

You can see where this is going.  Facebook, blog postings and social networking sites aren’t the only risks to impulsive youth.  Big Brother might not be watching, but the evidence of our past behaviour will always be there for him to find in the future.


Info Card / Smart Card Convergence

Here’s a prediction: by 2010 we’ll all carry a smart card that is linked to a virtual information card that resides on our PC.

In this near future, our bank needs us to use two-factor authentication, and the credit card companies force us to use the same when shopping online.  Our governments want us to apply for programs online, but insist on proving who we are with strong authentication to reduce fraud.  And we also have realized that its a good idea to have two-factor logins on our own computers.

In the midst of all this, our awareness of personal privacy has increased to the point that we don’t just blindly enter personal information on every e-commerce registration page that asks.  We’re not just tired of the repetitive entry, but insist on controlling what information is shared. 

A Microsoft rep told me this past week that CardSpace and smart card integration services are just around the corner.  Are info cards converged with smart cards an obvious solution to a set of already chronic security and privacy problems?


Identity Cards

Now that the British Columbia provincial government is moving towards a virtual identity card for citizen access, the prospects seem bright for establishing a solid, flexible and user controlled credential for citizen-to-government business. 

To date, my expertise on information cards is limited to seeing Kim Cameron speak twice, seeing a demo and reading up on the assorted solutions on-line.  But I’ve had lots of exposure to the issues related to the strength of a security credential so I’ll stick to that theme for this post.

First some background and assumptions.  The BC government plans to distribute the certificate to users via some secured channel, presumably a link to a web site that has been identified to the user in a letter via Canada Post mail, or some other secured, out-of-band channel.  So far, so good.  The user goes to the site, let’s say mine is, and enters a shared secret (probably a one-time PIN) that was included in the letter.  A certificate gets downloaded to my computer, then some ID card magic takes place and — voila! — the digital identity card is set to go. 

Subsequent visits to sites that need authentication result in easy access by supplying the digital identity card.  No additional passwords needed, security and privacy increased, everyone happy, right?

Well… there is this bit about increased security (and the corresponding claimed increase in privacy assurance) that gets tossed around in these news stories.  It is sort of like the Canadian Government and their ePass solution.  ePass also uses certificates — these are served up by a government web server to your browser.  I’ve heard some call this strong or two-factor authentication — username/password + certificate = two factor — but, in fact, the cert is accessed using that same password.  As a result, ePass is only single factor and, for all intents and purposes, its authentication strength is the same as a simple username/password solution.  (It does offer increased session security, that much is true.)

Back to the BC Gov’t:  from what I can tell, the digital ID card cert is essentially still offering single-factor authentication, i.e. that cert is protected by a simple password just begging to be scribbled on a post-it note.  Some might argue that the computer where the certificate is stored is the second factor, the ‘something I have’ that provides additional assurance.  However, in this world of shared computers at work and home, the claim that only the authorized user has access to the certificate is weak.

Social engineer the password, gain access to the computer and you’re doing business with the gov’t under someone else’s identity.  Yes, convenience has been increased, and anonymous access can be achieved, but the real hard problems of doing business on-line have not been solved.  The high value business-to-government centres around sensitive information like student transcripts, drivers’ license renewal data, personal health data, electronic tax account files, etc.  All of these require strong authentication in order to access confidential data. 

From what I can tell, virtual identity cards, in this implementation, don’t provide critical features that will enable broad, functional access to sensitive government information.  What is needed is a virtual card linked to a true second factor device, biometric or other solution that sufficiently increases the strength of the security credential to be used for sensitive information access.


Assorted thoughts…

I’ve been swamped with a new project lately so I’ve not had much chance to post.  If I had more time in the past week, I would have written really insightful things on topics such as:

  • The Alberta Auditor General reports that numerous government departments have not maintained proper control over IT systems, pointing out a need to improve IT security.  Good news for security consultants here in oil country, but the interesting thing about this post is that IT security is news-worthy — normally not the sort of thing you’d expect to read in the morning paper.  Does that signify a shift in general attitudes towards IT security?
  • Thanks to Vikram Kumar’s blog for the story of the identity fraud artist in New Zealand who managed to bilk the government out of a cool $NZ3.4 million ($C2.5m).  He did it through serial impersonization, using faked government documents to claim benefits for multiple identities. “It was a full time occupation of serious dishonesty,” said Justice Peter Woodhouse.  And I like the bit about the buried cash and gold bullion, gotta be a movie script in here somewhere!
  • An awareness of security breaches is always a good thing.  I periodically drop in on the Breach Blog site to catch up on news about misplaced records, hacked databases and stolen flash drives.  Keeps fresh the belief that we can’t do enough to secure our information — and if we don’t, someone is lying in wait to make us look foolish…


“We are all little brothers”

In 1949, George Orwell published 1984, a classic tale of government oppression of ideas and freedoms, characterized by loss of privacy on a massive scale.  The famous quote ‘Big Brother is watching you’ warns the citizens that little they do in their private lives will escape the scrutiny of the totalitarian regime.

Fast forward to 2007: Canada’s Privacy Commissioner, Jennifer Soddart, is raising the alarm on privacy.  Ubiquitous cameras and video recorders, combined with an increasingly cavalier attitude about what can be posted online, are undermining our privacy in ways even Mr. Orwell couldn’t have imagined.

Says Ms. Stoddart: “It’s not just Big Brother who’s akin to a government watching you in the Orewllian dystopia.  We’re all little brothers.  We’re all fascinated with the gadgets that allow you to do this.”

Are we all little brothers, immaturely wandering our neighborhoods, snapping pictures of whatever catches our eye and posting it to Flickr within minutes?  Are all the little brothers out there taking hours of video, hoping for something scandalous to happen so it can be captured and posted to YouTube for all to see?

And while 1984’s Winston Smith was fearful of the Ministry of Truth, in today’s world should we be wary of each other?


Who are you? Part two

When we work with clients on identity proofing designs, it is surprising how difficult it is to establish parallels between real world identities and electronic identities.  In some cases, the physical identity process is considered sacred, one that cannot be modified or added to for the purposes of adding an e-business identity.   Government and private sector alike struggle to align these two similar — same? — processes.

In other cases, we are asking clients about confirming identity for the first time — they simply don’t have existing business processes to properly validate the user when conducting business.  They haven’t considered formal process in this area because the need for serving up sensitive information is so new.  And they recognize that developing this process will cross organizational boundaries and create disruption at a business level (after all, this isn’t a technology issue).

Identity proofing is a critical issue in identity management and it needs to be carefully designed to ensure that users are appropriately identified before they are allowed access to sensitive information. 
Bottom line: Identity proofing for electronic identities is fundamentally the same as identity proofing in the real world.  In other words, proving you are who you are is the same regardless of how you conduct business!