http://blogs.sun.com/whoami/date/20090918 Friday September 18, 2009

Web 3.0 and beyond: our digital identities.

    Managing our identities in this digital world with an ever-growing number of accounts gets to be complicated. I have accounts at work, for shopping, banking, for clubs I belong to, and for fun. Each place has its own rules about what a user name should be, and often the one I want is already taken, so I end up with something that is harder to remember. No two accounts have the same username. Then password rules vary from site to site as well. Some require lower case, upper case, a number, and a special character. Some will not let you use special characters or require all numbers (PINs). Many people try to simplify their lives by using either a central data store for this information like Microsoft's Passport system, or a device like Microsoft Windows XP that has credential management software to save usernames and passwords for web-based accounts, or a cellphone like my iPhone that will remember usernames and passwords for email accounts. Each of these solutions has its own problems and does not really address the real problem of identity and access through some common identity. In the physical world, to gain access to resources a person shows either a state-issued driver's license or some other government-issued picture ID like a passport or military ID. This could be to get a loan, get a controlled substance like alcohol, use a credit card to purchase products, gain access to some buildings, or get checked out by your local police department. If things are really serious, like getting employed, getting a passport, or getting a handgun permit, they ask for my birth certificate, my social security card, and depending on the case might also ask for a government-issued picture ID (which, by the way, only required the birth certificate and social security card to get issued). In all cases this identity is a single identity: yourself.

  Most of the current identity and access problems in the digital world are centered around history, virtualization of identity, the current configuration of equipment, and the physical distance from the user to the location of the requested services. So let's look at each one of these. As computers evolved, the need for access control beyond just physical access to a room became quite apparent as terminals started to become a common access point. Think about the mainframe days when many operators would access a mainframe system from many locations within a building through something like an IBM 3270 terminal. This device was a link to the mainframe; smart cards were not invented yet, biometric readers would have been very expensive, not very good, and not tied into IT yet, and even mag-tape cards and readers were not yet mainstream. So how to control access? We create a username and password application that controls access to the system and require its use before access to the system is granted. It was simple and it worked. This brings us to our next issue: virtualization of the identity. Someone does not physically go through the network to identify themselves. So the username became the virtual form of someone's identity. This creates a whole new set of problems in regard to knowing who is really on a system. How do I verify that the username is only used by the user it was given to? This is the cornerstone of the digital identity problem. In the early days this was solved by adding the password that only the user was to know. As we know, this no longer meets the needs of our current use of technology. So what do I mean by the current configuration of equipment? Well, we keep carrying forward our old method of access with username and password; however, we have very inexpensive smart card readers and biometric readers that could be built into systems. In some cases biometric readers have been added to some laptops and keyboards to add this feature. The issue is that A. it is not widespread enough for public-facing systems to require it. B. Some of those systems have been proven to be easily fooled or to not work with some users, so consumer confidence in the technology is not high enough to push the technology on everyone. C. The whole problem of who owns the biometric data, the user or the site that is providing the service, has not been addressed for a global market. D. Finally, standards in this space are not complete enough for all vendors to implement a biometric solution in a way that will work with other vendors. This is much like the problem of networking in the early days before TCP/IP became king. Based on this, it is much easier to continue using a username and password because, no matter what the device is, if it can connect to the system it will have the ability to enter data at the prompt for username and password. Smart card readers have some of the same issues as biometrics. Not all smart cards are the same or can be read by the same card readers. Not everyone uses the same format for putting data on the card, so finding the data that a system needs is complex at best and in many cases would be cryptic from one system to the next. So again, standards and standard formats are required for this type of technology to move into mainstream consumer identity management. There are standards out there; however, they would need to be adopted to the level that they are what vendors produce so they can be compatible. And finally, what I mean by the last item, “location of required services”, is that if I want a Yahoo account I get it from the comfort of my home; I do not have to travel to Yahoo headquarters in Sunnyvale, CA to prove who I am. If the account is critical enough one would be obligated to prove who they are in person before getting an account. This still does not solve the problem of a single identity that proves who I am with possibly many personas for that identity.

As a side note, there will always be a case for fake identities like spies, undercover police officers, and testers of systems, to name a few.

  The goal for the average consumer would be to have one identity with multiple authentication strengths for access to different resources. The identity would need the ability to be decoupled from an individual if the identity was compromised (like identity theft) and would need to be something that could be used across networks from many different types of devices. I would want my bank to accept my identity from my PC at home, my workstation at work, or my cellphone on the road. I do not believe that any current technology is ready to fill this role yet. The simplicity of the username and password makes it easily implemented and very flexible for different devices and applications. Many security experts will tell you that username and password is not secure enough for many systems. The fact that human nature is to make things easy can also make it easy to figure out a username or a password. It may not be hard to figure out that fluffy is the password when fluffy is pasted all over the cube. Also, with the power of computers today, it is not very difficult to brute-force passwords to crack them. Why has the computer industry not solved this problem yet? Is it just too hard? I do not think so. The issue is the consumer, lack of standards, and additional cost. Currently the consumer is not demanding change. The de facto standard is username and password, so it is built into systems and applications. A number of other authentication methods have been tried in pockets of the industry with varying degrees of success. There are a number of solutions being tried; for example, cellphones in some countries are gaining momentum as a replacement for the charge card or ATM card. There are proponents of government-issued smart cards for this role. Others favor a purchased and vetted ID card like Clear was for travel. There was a big push by some for PKI to be the identity and authentication system of the future. Companies like VeriSign built a whole infrastructure around it. There are some marketeers pushing USB devices that could fill this role. There are three key messages here. First, we need to move to a single identity; after all, they all trace back to you. This identity needs to support multiple personas for different environments. I might want to be one persona in “Second Life”, another on “Facebook”, an even different one on “Yahoo”, and then something different at work. Second, we need some method of identification for individuals that has at minimum a medium level of assurance. There also needs to be a standard method of identifying users across multiple devices and applications. This method needs to be able to support two- and possibly three-factor authentication with multiple levels of security based on the systems being accessed. I might be upset that someone was able to get into my Facebook account; however, I have much more at risk if someone gets into my bank account or my accounts at work. So ease of use might vary based on risk requirements. And finally, it must be easy to use, support the majority of the population, and be cheap to implement.
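One way to model the scheme sketched above (one identity, a persona per environment, access tiered by risk, and the ability to cut a stolen identity loose) as an added example; this is not code from the original post or from Sun, and the resource names, the three assurance levels, and the rule that a level is met only by that many distinct factor categories are assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, Tuple


class Factor(Enum):
    """Categories of authentication factors: something you know, have, or are."""
    KNOWLEDGE = "knowledge"    # password, PIN
    POSSESSION = "possession"  # smart card, phone, USB token
    INHERENCE = "inherence"    # fingerprint, face


# Assumed policy: an assurance level is satisfied only when the login presents at
# least that many *distinct* factor categories (two passwords still count as one).
ASSURANCE_LEVELS = {"low": 1, "medium": 2, "high": 3}

# Constructed resource registry: environment -> required assurance level.
RESOURCES = {
    "second_life": "low",
    "facebook": "low",
    "work": "medium",
    "bank": "high",
}


@dataclass
class Identity:
    """One real person: a single identity id with a separate persona per environment."""
    identity_id: str
    personas: Dict[str, str] = field(default_factory=dict)  # environment -> persona
    compromised: bool = False


def assurance_of(factors: Iterable) -> int:
    """Count distinct factor categories presented, regardless of how many credentials."""
    return len({Factor(f) if isinstance(f, str) else f for f in factors})


def authorize(identity: Identity, environment: str, factors: Iterable) -> Tuple[bool, str]:
    """Decide whether this login reaches the persona for `environment`.

    Returns (allowed, persona_or_reason). A compromised identity is refused
    everywhere, so decoupling the person from a stolen identity is one flag.
    """
    if identity.compromised:
        return False, "identity revoked"
    if environment not in RESOURCES:
        return False, "unknown resource"
    persona = identity.personas.get(environment)
    if persona is None:
        return False, "no persona for this environment"
    required = ASSURANCE_LEVELS[RESOURCES[environment]]
    presented = assurance_of(factors)
    if presented < required:
        return False, f"need {required} factor categories, got {presented}"
    return True, persona


def reissue(old: Identity) -> Identity:
    """Decouple the person from a compromised identity: revoke the old id and carry
    the personas over to a freshly issued one (the new id suffix is constructed here)."""
    old.compromised = True
    return Identity(identity_id=old.identity_id + "-reissued", personas=dict(old.personas))


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the constructed scenarios and return each decision by name."""
    me = Identity("id-0001", {"second_life": "Avatar42", "facebook": "jdoe",
                              "work": "jdoe@corp", "bank": "John Doe"})
    results = {
        "facebook_pw": authorize(me, "facebook", ["knowledge"]),
        "bank_pw_only": authorize(me, "bank", ["knowledge", "knowledge"]),
        "bank_3fa": authorize(me, "bank", ["knowledge", "possession", "inherence"]),
        "work_2fa": authorize(me, "work", ["knowledge", "possession"]),
    }
    new_me = reissue(me)  # identity theft: revoke the old id, keep the personas
    results["old_after_theft"] = authorize(me, "facebook", ["knowledge"])
    results["new_after_theft"] = authorize(new_me, "facebook", ["knowledge"])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```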

  I believe it is critical for the computer industry and government to work on this issue.  We are putting more and more critical data out on the Internet.  We are creating methods for information sharing that are unprecedented in our known history.  Laws are struggling to keep up with this globally changing environment of information and access.  Bad things will happen to good people if we do not solve this problem.

http://blogs.sun.com/whoami/date/20090909 Wednesday September 09, 2009

Is government controlled identity good or bad?

  It is interesting that almost any technology can be used for good or evil. Most technologies are not evil in and of themselves. How the technology is used is what can be evil. So what does this have to do with identity? Who someone is can be critical in some types of financial transactions, in some types of health care, in the military, in government jobs that have a level of security or secrecy to them, and in some commercial jobs, to name a few. Identity is often used to connect some set of attributes, history, or capabilities about an individual to create a profile that is used for decisions about capabilities or access rights. For example, in the US a president must be born a US citizen and go through a vetting process about criminal activity, financial stability, and allegiances to other countries. If this information cannot be correlated, then it would be possible for a president-elect to hide critical history about who they are from the government and in so doing possibly become president of the United States with a criminal past or allegiances that could jeopardize the country or the citizens' freedoms. The president of the United States has access to information that, if put in the wrong hands, could jeopardize the country and all the citizens that live in it. In a white paper called “ID Cards – a World View” by Nathan Allonby, he talks about how commercial industry uses reward cards to track shoppers' behaviors and how a “National ID card” could help governments profile their citizens to take away freedoms. The use of a unique identifier (UID) to link multiple databases together to profile its citizens could be used against the citizens, and the use of an RFID tag in the card could be used to track citizens' movements. As I started this entry, technology is not evil; it is how it is used. It is true that a national ID card could be used for evil, and if that card is tied into other countries it could have an even farther-reaching effect on those that travel. On the other hand, it could be used to track health trends in a given geographic area (those that lived in an area all their lives vs. those that migrated in), help prevent fraud in a government's welfare system, better track who is using what government services, and better track who is moving from one town to another and from where, to trend what additional services might be needed. During the movement of many Hurricane Katrina victims it could have been good to know which communities these individuals moved to. Those communities might have been able to ask for federal aid to support the influx of citizens from this migration to build up infrastructure. Knowing who someone is and some attributes about that individual is critical for governments to give services (welfare, grants, driver's licenses, passports, gun permits, etc.), for banks to give loans, for doctors, lawyers, and other professionals to get licensed to perform their job, and for health care services. The ability to build a true profile on someone would greatly enhance the decision-making process in each of these cases. Much like a live virus being used for a vaccination to prevent someone from getting the disease or for chemical warfare to kill thousands, it is how the live virus and the technology are used.
  The more we rely on a technology, the more that technology becomes the target of criminal activity. If an ID card is the key to access services, money, or the ability to do something, there will be those that try to cheat the system to make a fake that can be used. We can use technologies and procedures to try to secure the card. The question is always: at what point is the amount of fraud at an acceptable level relative to the cost of producing the cards? For government ID cards one question is, if there is fraud, who will pay the cost of fixing the problem? If the cost to get my good reputation back is on me, the government will not care much about that fraud as long as it does not create a political event that could jeopardize their jobs. On the other hand, if the fraud is costing the government embarrassment, security, or real money, it could cause them to fix the problem at their expense. The real question is: what is the planned use of the card? Will it be for the benefits of an identity that can track attributes to better our lives, or for evil? Even if it is for the benefit of the citizens the question will be: will we let our government institute this type of solution knowing the possible risks if someone with evil intent gains access to the information? What level of security will be around the databases that store all the critical data? Some information, once taken, cannot be fixed or changed. If someone's DNA is stolen, they cannot get new DNA. If some critical medical information is leaked out to the public, it cannot be taken back with some type of retraction; it is public knowledge. These risks need to be addressed and publicly discussed as we move forward. As with most technologies, over time we will see the pros and cons of it. Government smart card ID cards will become part of our lives in one way or another, with some controversy over whether it was good or evil. A positive unique identity is the first step in being able to better assess who a person is based on past actions and known attributes. Whether it is good or evil will have to be left up to history to tell; but for now it is a tool that could aid in helping both governments and private industry to better serve the population.

http://blogs.sun.com/whoami/date/20090813 Thursday August 13, 2009

Does social networking cause us to drop our guard around security?

Identity is more than just authentication and authorization to resources; it is also our reputation and what that means to others. In our connected world we may have lost sight of the criticality of a good reputation and how that is maintained. Do we somehow believe we are safe because we access a public site from our safe homes and plan to only talk to family & "friends" on the other side? In a very interesting article dated 5 Jul 09 it indicated that the new MI6 Chief's family was putting too much information on Facebook, which might compromise his job. Check out: http://www.mailonsunday.co.uk/news/article-1197562/MI6-chief-blows-... In the article it stated "Amazingly, she had put virtually no privacy protection on her account, making it visible to any of the site's 200million users who chose to be in the open-access 'London' network - regardless of where in the world they actually were." I have had many conversations with my children and family about being careful with what they put on sites like Facebook, MySpace, Twitter, and other social networking sites. I often find it a challenge to make them understand that the information is copied and could be out there for life and that they and those they talk about may be judged based on that information. I have talked to them about their security and how risky it is when someone puts too much information out there that could be used by people like sex offenders and other people looking to use information for criminal activity to do harm. The http://www. can stand for the wild wild west and should be treated as such.


As we become more open and look to be connected to an audience that is not face to face, we also seem to be less inhibited. In a room full of people from many countries and all walks of life I doubt that Sir John Sawers's wife would have shown the pictures on her Facebook account or talked about most of those topics. So why, in a place that is open to the world, would you do it? Because one does not see the threat, so often one may not perceive it. This lack of inhibition can affect judgment in regard to security and can put people at risk, as pointed out in the article. There are great gains that can be made through the use of community sharing sites within the government and industry. There are training programs for US government employees to teach them what is OK to talk about and what is not. Should we really share it even though it could be argued that even much of the "OK" information, once pieced together, can be used to get other information that is not OK? As we become more transparent, how do we keep things secret or confidential when that information does not need to be in the open, even in this new information sharing age? For example, if one knows the technology used, the configuration of that technology, and the policies and procedures around that technology, someone with bad intentions has a good place to start to plan their attack. If one collaborates with many to design and build an infrastructure, that information is now out there and possibly open for all to see. There are many published documents on what technology standards the US government should use, how to lock it down, and procedures that should be used, for example, to create a public-facing website. This shared information is critical to keeping systems locked down and for different agencies to not have to re-invent the wheel, so to speak. On the battlefield a general will want to know the lay of the land, how many troops are out there, where they are located, what technology they are using, and what their battle strategy might be. Once they have this information they use it to build their battle strategy. The same is true with good hackers trying to break into systems. As more and more people are encouraged to be open, even in the US government, the government will have less control over what information will be out there. This quagmire of information sharing and security must be at the front of all our minds as we share information on community sites, both government and private.

From the article, the message that our families and even friends can put information out there that could be damaging to us personally and professionally is scary at best. If judgement is not used by all when making posts on public sites, those posts can create a big problem. How do the US government and industry help provide training not just for the employee but also for the families of employees on how to use these sites? How do we monitor this vast cyberspace without imposing on people's right to privacy? The new US government policies around open information sharing will help the government in many ways. There are many pitfalls to this as well that may become apparent over time. Policies and procedures will have to move at light speed to keep up with these changes in technology and communication, or we will truly be back in the "Wild Wild West" when on the WWW.

http://blogs.sun.com/whoami/date/20090805 Wednesday August 05, 2009

Smart Cards, Biometrics, and human authentication

   I have been seeing a number of countries instituting ID cards for the population and/or for their employees that include biometrics. Over the years I have believed that biometrics has a solid place in the automated processing of human identification.

  If you think about it, we the human race have been using biometrics since the beginning of time. All of us have been using it from our early childhood to identify our mother, father, siblings, and others that we come in contact with on a regular basis. We use a combination of voice, gait, facial, and a number of other measurements to decide who these people are. There can be a certain level of change, like hair color, glasses, cuts, bruises, and other changes, that we can process based on the other features to decide that someone is who they say they are. Is it a perfect system? No. I cannot tell you how many times I have had someone walk up to me and start talking to me like they know me, and in a few seconds we are able to determine that I am not who they thought I was. This is because they have not seen the person in a long time, so their perception of the person has become fuzzy. Much like the statement at a class reunion, “Bill, is that really you?”, as we change due to age our biometric footprint changes as well. Those life changes can change posture, size, hair coloring, and with injuries or surgery could affect many other things in relation to our appearance. Also, as our memory tries to remember someone's biometric information over time, there is some alteration or loss depending on our age when we stopped seeing them. For example, if someone is 10 the last time they saw an uncle and then sees him again at 40, there are 30 years for their mind to change or forget things; however, I should point out that they would have been looking up to him and now might be looking eye to eye or even down on him, and that will affect their perspective of what he should look like.

  In the world of criminology, fingerprints have been used for years to ID someone that commits a crime. Then DNA came on the scene later to add to the biometric identification of those that commit crimes. So what does all this have to do with IT and ID cards? Because of the cost and complexity of using biometrics for IT, it has not taken off and dominated our method of verifying who someone is within the IT world. The cost of readers, both in dollars and in space required on a desk, has come down to the point that some laptops have a camera and fingerprint readers built into them. There are fingerprint readers built into some keyboards for desktops as well. And if you want, you can get USB memory sticks that have fingerprint readers on them to unlock encrypted files. This shows that biometric readers are coming down in size and cost and are becoming part of mainstream consumer products.

  For years it has been known that username and password is a poor way to secure systems. It has been built into most OSes and applications for years, and no one seems to get fired for using that as a method of authentication, so it continues to be the “norm”. Why have we not evolved in the enterprise from this form of authentication?

  When we try to solve government problems and authentication problems it becomes a bit more interesting. All over the world governments are trying to figure out how to make eGovernment work for the population. The US government is trying to work through methods of identification for travelers (TWIC and passports), standardized identification for government agency employees (PIV), and identification of emergency responders; it seems that smart card technology has progressed to a point that fusing IT, biometrics, and smart cards together for a single multi-factor authentication would help solve most industry and government problems for identification of users up to a medium security assurance level. Most large corporations use some form of smart card for building access. In the US all states have a driver's license program, and many require anyone over 21 years old to get a government-issued ID of some kind for purchasing alcohol or cigarettes, renting or watching movies of a given rating, firearms purchases, or access to some establishments. I see three things that need to take place to solve this problem. First, the issue is not the production or issuance of cards; it is the standardization of a card format like HSPD-12/FIPS 201 (PIV) and the re-issuance of those cards to the population. So it would have to be a phased approach where some citizens would be able to use the new card before others. This would mean that services would have to have more than one way to authenticate until the final phase of the deployment. The second part is the need for computer hardware vendors to make sure that both fingerprint readers and smart card readers are built into systems so home users have access to these methods of authentication. These devices need to use open standards that will be used in the government-issued cards so that eGovernment can take advantage of these devices. It would also help eBanking and eCommerce in their fight against identity theft and fraud. If they also got behind this type of authentication method it could speed up the adoption of this type of technology. And thirdly, OSes and applications must be coded to use these devices and cards for authentication and authorization during system use. If governments started pushing this type of solution, and eBanking and eCommerce also started to go in this direction, hardware vendors would produce devices en masse, cost would become even smaller, and adoption would be global. In the old days we used to spend a lot of money for a modem to get an Internet connection over the telephone, and now they are built in even though many people no longer need them. Why? Because they are cheap to build, take up little space, are still needed by many, and are a check box on someone's shopping requirements. This same effect would become the case for these technologies if governments and the banking and commerce industries all pushed this for access to their full-service resources. I can see it now: “One Card & One Access Method, for all your accounts at work, home, and abroad!”

http://blogs.sun.com/whoami/date/20090729 Wednesday July 29, 2009

In Web 2.0 and beyond, should identity controls be defined by governments?

The US government, in finding ways to track citizens for tax purposes, devised laws like vehicle registrations with license plates (taxes), driver's licenses (taxes), and Social Security cards (taxes), which have built a government identity infrastructure. These items are for taxing the citizens that want to use the government-furnished highways or have a government-furnished retirement plan. Since the government-furnished retirement plan is mandatory for all working US citizens, everyone has to have one, and now even infants are required to register for tax deduction purposes. In the process of trying to make sure the government gets paid by all eligible citizens, they have developed a few systems for tracking identity. In the physical world these systems have had enough success in revenue gathering that the government has continued to use them. Over the years the driver's license has been the primary card used for identification in the US and has evolved to add additional data for better identity assurance. Driver's licenses were first pieces of paper and evolved into cards with additional data being added, like physical description (height, weight, eye color, hair color, and gender), driver photos, colored designs, emblems, and holograms within the card, all used to make it harder to impersonate someone or make fake cards. After 9/11, with security becoming a concern of the government, additional identity programs like the government-mandated Travel Workers Identification Credential (TWIC) have been added to help control who has access to ports and other internal delivery/mass storage locations. Also, the government wanted a more standard way to identify government workers and contractors in a way that any agency could read an ID card from any other US Government agency, so the HSPD-12/PIV card requirement came about. The PIV card does not have a tax basis; however, it shows the government getting more into the identity business to do its business.

As a side note: there are still some government-owned resources where identity has no part in the collecting of funds, for example federal, state, and local parks. Those that require you to pay do not care who you are. All they care is that you pay and do not do illegal activity while there.

So what does all this have to do with Web 2.0 and beyond? We now have the digital highway, and most Americans are on it in one way or another. Currently we use the Internet for shopping, banking and financial dealings, managing medical insurance, sending email, telecommuting to work, chatting with friends, holding conferences, playing games, sharing video and music, creating and playing in virtual worlds, and the list goes on. What is missing is identity assurance and security: who's who, how do you know for sure, and how do you prevent someone from pretending to be you?

The government has been moving more to e-Government, with many states creating portals for citizens to pay for the renewal of their vehicle registrations, pay tickets, find government resources and services, and look up laws. In most cases the government really does not care who you are when using these services. For example, does it really matter who pays my registration renewal as long as it gets paid? They do care to some level when an address or other information about the citizen is changed; however, from my experience the security on this service is minimal and more a hassle to a person trying to use the service than truly protecting one's identity or privacy.

So what will drive the government to want to identify who is using resources on the Internet? Though one could argue security, I believe that unless things get bad and the industry does not try to police itself, the government does not want to jump into this problem unless it means an effect on revenue. So what would drive them to regulate identity, for profit or to stop fraud against the government on the Internet?

What about the healthcare problem? The Department of Health and Human Services (HHS) would head my list. The American Recovery and Reinvestment Tax Act of 2009 included some $19 billion earmarked for projects to improve the efficiency of information systems technology. Current hot topics are electronic health records, with the exchange of those records at regional, state, and national levels high on the list. To accomplish this, healthcare information management systems must start with an accurate identification of each person receiving healthcare services or participating in healthcare benefit programs. Why does the government care about uniquely and securely authenticating users across the healthcare system? Because the government is looking to take more control over healthcare. If the government is going to control it, they need a way to make sure that only those that should have access have access, and only to what they should have access to. The solution: a countrywide digital identity credential could solve the problem.

There is some push by the Social Security Administration to look at strengthening protection of people's SSNs.  This could possibly use some biometric or PKI authentication to prevent others from stealing or misusing someone's SSN.  This could pave the way to using the SSN card as a tool for combating identity theft, determining immigration status, confirming employment eligibility, possibly as your national healthcare card, or, should we say it?  Yes, a national ID card.

In the U.S. we have an identity crisis. For e-government services, as well as many industries, how we assure identities and secure online access while maintaining individual privacy are critical questions that have not really been solved.  We have many solutions that work for pieces of the puzzle, with no clear standards-based solution that can be used across the e-world.  Often this is little more than asking questions, checking a credit card, or using some user name and password that may have had minimal vetting of the identity in the first place.  All of this is weak and does not do much to stop the identity theft problem that we have in the US.

I believe that the resistance to the Real ID program and the watering down of it into the PASS ID bill are clear indicators that the federal government is trying to solve this problem.  It also shows that politics will drive the solution, not what is best for security and privacy.  I truly believe that the private sector, technology companies, and governments all need to work together to solve this problem.  When laws force direction it is often driven by people that do not truly understand the problem and the technology.  If industry sees this as a way to A. solve a real problem and B. make money, the computer industry would throw resources at solving this problem.  The real issue is that the people who buy systems and use services do not understand the problem well enough to boycott the use of services that are not properly protected.  With the attitude in the US, the citizens will expect the government to fix this problem for them and in this regard will let laws drive what the solution is.   The technology to solve this problem is already around us.  If the computer industry uses open standards and starts building solutions into hardware, software, and services, this problem could be solved by industry and not regulated by governments.  This is a call for all to get involved before it becomes legislated and tied to government bureaucracy.

http://blogs.sun.com/whoami/date/20090714 Tuesday July 14, 2009

Physical and Logical Identity Convergence

  After reading an article about the convergence of logical and physical identities http://www.experteditorial.net/securitysquared/2009/07/available-as-pdf-converging-logical-and-physical-identity-and-access-management.html I thought about the work I have done around the US Government PIV card.  The vision of the PIV card, from my understanding, was to create a medium assurance level credential that could be used by and between all US government agencies.  After 9/11 it was clear that a building could be destroyed along with its infrastructure, and that those working in that building might need to report to another building that may not belong to the same agency in order to work during a state of emergency.  It was clear that some system for identity was needed beyond the pre-9/11 US Government agency ID card system.  This need was also evident when FEMA tried to deal with major disasters like hurricane Katrina and needed to know who should be on site to help while being sure that people were who they said they were.  In the US an identification card is a common method for knowing who someone is.  The problem is that many identification cards are easily forged.  The other problem is how does one know what a valid card from 50 different states and however many different government agencies should look like?  During the efforts around hurricane Katrina there were a number of key people that had to sit around and waste critical time while their identity was checked before they were allowed to be put to work.  It was clear that identity was a problem that needed to be solved for access to resources during a disaster.  The resources that people needed access to were both physical and logical.
  One of the political issues that needed to be handled was that many agencies do not want another agency handling their identity store.  Also there is the security and performance risk of all identities being in one place.  The decision was made, for whatever the final reason, to use a unique agency identifier so each agency could control its own identities, and any duplicate identifiers between agencies would be resolved by the agency identifier.  Add in the standards and security that FIPS-201 and NIST SP 800-78 offer the PIV card and it now becomes a great way to link both physical and logical identity together across multiple agencies.  There are a number of issues when trying to deal with a solution like this; however, it offers incredible flexibility for the US Government. Wouldn't it be great if a person on vacation and out of their area hears about a major event and is able to go into any government agency and gain access to the building and IT systems to check in and possibly do work to support the event?  This would require some visitor systems that would let them gain access to some or all of their data and systems depending on the security level of the data, systems, and location they are in.  Look at the advantages for a FEMA problem if medical staff, law enforcement, building contractors, truck drivers, and other support people could be pre-screened for a government card.   What if when an event takes place they can gain access to the buildings and systems they need to do the job?  It would be great to know that the truck driver coming in was bringing supplies from XYZ to support the medical team and to know what access he should have to make his delivery.  Once an identity is confirmed the systems would also have to give some clue as to the skills and/or certifications that individual has, to know what work they should or can do.
  For government agencies what is the down side to this?  Most PACS (Physical Access Control Systems) are built to handle smart cards, so a US PIV card is easily used by most major brands of PACS.  The first issue I see is that most IT systems do not have card readers, and in particular card readers that will read a US PIV card.  There are those people that believe a small USB storage device is the right direction to go.  The USB device can store all the data in an encrypted manner and most systems will accept them.  Then there is the problem that usually these devices are in a form factor that does not support a picture on it, or for that matter other data that might be on an identification card, for a person to physically look at and be sure that the possessor of the USB device matches the data printed on the device.  The device would also have to show agency information as well as possibly other critical information for security guards to read in places that do not have working digital readers.  Second, most PACS systems are not set up for USB device access.  The third issue is that identity management across PACS, CMS (Card Management Systems), and IT systems is not something that works out of the box.  Most of these systems have their own management and some are proprietary and do not play well with other systems.  Also it becomes a bit costly to buy three identity management systems to handle one set of users.  Currently an agency has to deal with all these systems to manage identities.  The IT identity management system by Sun will let one create an interface between the other two systems (PACS & CMS) to manage all identities from one place.  Based on vendor shows I have been at, I believe that each of these industries (physical access management, card management, and IT identity management) will try to create a product that will also do the other industries' identity management functions.
The customer wants one system to manage identities in, and today that is a product like the Sun JES Identity Management software.  The down side is they still have to buy the other systems to support the physical access devices and card production/management systems.   In the future I believe this will not be true.   The identity within all three of these systems will be converged into one identity and identity management system, with a single identity that is managed in one place and tied into HR systems, and access to anything physical or logical will be based on one's identity, status, location, time of day, and role or job function.
  The convergence of logical and physical identities and their management will save business time and money.  The industries around IT systems, PACS, and CMS all should be racing to see who can build the one system first and set the standards in this space.  Systems that do not follow standards should be forced out of the market, because business should see them as trying to lock them in and not providing the solution that is more flexible and interchangeable.  Would the average 110V electrical system support a 4 prong lamp today?  Of course not; new homes use a standard 110V three prong outlet and most lamps sold in America are sold with this connection.  It is the standard and so is what is built.  We need to force vendors to use open standards that anyone can build product to, so they all can play together.  The convergence is coming; who will be the leader?

http://blogs.sun.com/whoami/date/20090708 Wednesday July 08, 2009

Does identity matter or role and attributes management?

Humans have struggled with knowing the identity of others ever since we started communicating with people outside our own small tribe or family.  We have used documents, passwords or phrases, a known person vouching for an unknown person, common knowledge of something or an event, or biometrics to verify who someone claims to be.  In some cases we just trust the identity they give us.  It is the intentions of an individual, not their identity, that may affect one's safety or security in personal or business life.  We often use an identity to make a judgement, based on one's past knowledge of that identity, about the likelihood that a given identity might do harm.  We may need to know who we are really dealing with to know who to take to court if a contract is broken, who to arrest if someone does something bad, or to identify who is passing you critical information (as in battle plans or key business information), just to name a few.  We may also want to know someone's identity when receiving critical instructions like a formula for a nuclear bomb, or just to know who to give credit to for something said or accomplished.  In many cases we really do not care about identity; we care about capability.  I may not care who the guy is that helps fix my car along the side of the road.  I just want to know they have the skills to fix it and not make matters worse.  When I sell my stuff on ebay I really do not care who the buyer really is; all I care about is whether they can pay for it and how I deliver it to them.  One can easily see that we often just care about capability, not truly identity.  If I talk to many of my personal friends and ask them for an identity they might say "which identity?"  Do you want my Internet identity, my work identity, or the one I use on these ....  sites?  The reality is that we truly only have one identity, and we have many personas/aliases that we may project in the digital or physical world.
We may not want one group of contacts that know one persona or alias to know about another persona or alias that we have.  A great example of this might be a CIA, FBI, or police officer who is under cover.  Their true identity has never changed and it will not change.  Only the persona of who they appear to be changes.  For their job they portray themselves as someone else (they create a persona or alias) to blend in with a group of people that they do not want to know that they are government agents.  Being a government agent is not their identity; it is a role tied to their identity that they want to hide, and to do this they create a new "identity" and a new role with some characteristics that will let them blend in with the person or group of people that they want to get close to.   When talking about identity in the digital world we are really tying some attributes to an identity to gain access to some system or information.   These attributes might be the CEO of a company, the project developer for a critical project, or the payroll clerk, to name a few.  We then tie this function to an identity or person that then has access to a given set of resources to do their job.  So I see a few critical pieces here that I have talked about before.
1. Identity vetting.  This process is the first point at which an individual creates a relationship that will tie some identity to the person.  It could be as casual as them giving you their identity and you trusting it, or as involved as a full blown document gathering, background investigation, and lie detector test.
2. Tying that identity to some usable identification.  This could be as simple as a user name, a digital certificate, a biometric signature, or some unique identifier for the system.
3. Tying that identity to some attribute or attributes to map out what resources the identity should have access to.
4. Once these steps are taken, some provisioning of this information is accomplished to give access to systems or physical locations based on the attributes the identity has.
The big question in this is how do you manage those identities and their roles over dispersed logical networks and physical access device systems (PACS)?  This is even more complex as you add in the many changing roles an identity might have and the many changes in personnel or identities within a company.  Often a company will have multiple systems for storing employee information, like HR systems for payroll, PACS for physical access to buildings or rooms, email accounts, and the many IT systems that an individual might need access to for their job functions.  Most companies are in no hurry to replace all of these systems for one big system that can do it all.  That may be because there is no system that does it all, yet!  This then requires some glue to bring them all together and to manage an identity from cradle to grave across all these systems.  Should this be the HR system, some IT system, the PACS?  The method to solve this identity problem could be accomplished in a few ways depending on the procedures and policies of a given company.  Part of the key to this is to have one identity but allow as many roles as one identity might have or need, giving only access to systems, information, and physical spaces as needed.  In the past it was often thought that an individual would have access to all physical space and have complete authority to do what they want or need within the IT space on any system they were given access to.
Between downloaded applications that did not have proper licensing, and viruses and worms being brought into the company, which have cost companies major money from either loss of productivity or loss of hard money in fines, this practice of giving unrestricted access to systems has proven a bad security and business practice, and separation of duty has been preached by many for quite some time now.   This restricted access to systems also in many cases bleeds into the physical space as well.  An example where limited access to an IT system might be critical is the HR system, which is usually limited to a few key people.  The role within the system is limited as well, so an employee can not give themselves a promotion and/or a pay raise.  So the question in our fast paced environments is how do we keep up with all of these systems and make sure, as people get promoted, change jobs, or move within a company, that old access is closed and new access is opened up based on their new role or function within the company, to keep employees productive and not jeopardize corporate assets? This is accomplished by standard interfaces between systems that let one application coordinate between all the systems and keep a master list of all identities.  Sun has been in the identity space for many years and has been a thought leader in the identity management space.  Sun's Java Enterprise Systems Identity Manager (http://www.sun.com/software/identity/) is that glue, the central workflow, and a limited-attribute central user data store for identities that can bring these systems, identities, and roles all together.  Because identity is really all about access control and audit, this product not only manages all the provisioning and de-provisioning of identities based on roles, it also provides auditing that can be checked against policies to be sure that access privileges fit within corporate policy.  Think how this could help if you are asked to produce a list of who had access to what and why.
The ability to audit access and corporate policy in one place is critical when going through an audit of who had access to what information and why.  As the number of systems grows, the cost of managing user accounts and the associated password management of those accounts across multiple systems increases, and automation of administration becomes more critical.   Sun has seen great cost savings by tying HR records of employees and their current roles in an application like PeopleSoft to IT provisioning and de-provisioning across all systems within a company's IT infrastructure.   The ability for a CEO to sign off, with an audit trail on who had access to critical systems, to meet the Sarbanes-Oxley Act of 2002 can be enough to want to automate user access provisioning and de-provisioning.  In the end, going through the process to automate the approval process for access to systems can lead to a more efficient workflow for granting user access to resources.  Then defining roles and proper access for those roles often helps a company improve the speed with which a user becomes productive, and often helps security by defining a well thought out set of resources a given role needs, so extra access can be removed or denied because it does not support the person's role.
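The role-driven provisioning and de-provisioning described above, with the separation of duty and "who had access to what and why" questions it raises, as an added example that is neither the author's code nor any Sun product's: a small reconciliation routine computes the access an identity should have from its HR roles, diffs that against what the target systems actually hold, holds separation-of-duty conflicts for review, and writes an audit trail of each decision. The roles, entitlements, system names and sample accounts are all constructed for the example.

```python
# Role-driven provisioning reconciliation with separation-of-duty checks.
# Constructed example: the HR feed, the role-to-entitlement map and the
# current account state are made-up sample data, not an export from any
# real HR, PACS or identity management product.
from dataclasses import dataclass, field

# Entitlements (system, privilege) each role needs. Anything a worker holds
# beyond the union of their roles is excess access under least privilege.
ROLE_ENTITLEMENTS = {
    "developer":     {("git", "push"), ("email", "mailbox"), ("pacs", "lab-door")},
    "payroll-clerk": {("hr", "run-payroll"), ("email", "mailbox"), ("pacs", "finance-door")},
    "hr-admin":      {("hr", "edit-salary"), ("email", "mailbox"), ("pacs", "finance-door")},
}

# Separation of duty: one identity must never hold both sides of a pair
# (the "cannot give themselves a pay raise" case from the text).
SOD_CONFLICTS = [(("hr", "edit-salary"), ("hr", "run-payroll"))]

@dataclass
class Worker:
    ident: str            # the one identity, e.g. an employee number
    roles: set
    active: bool = True   # False once HR records a termination

@dataclass
class Plan:
    grant: list = field(default_factory=list)    # (ident, entitlement)
    revoke: list = field(default_factory=list)   # (ident, entitlement)
    orphans: list = field(default_factory=list)  # logins with no HR identity
    sod: list = field(default_factory=list)      # (ident, conflicting pair)
    audit: list = field(default_factory=list)    # "who, what, why" trail

def expected_entitlements(worker):
    """Union of the worker's role entitlements; nothing for terminated staff."""
    if not worker.active:
        return set()
    wanted = set()
    for role in worker.roles:
        wanted |= ROLE_ENTITLEMENTS.get(role, set())
    return wanted

def sod_violations(entitlements):
    return [(a, b) for a, b in SOD_CONFLICTS if a in entitlements and b in entitlements]

def reconcile(hr_feed, actual):
    """hr_feed: {ident: Worker}; actual: {ident: set of (system, privilege)} as
    currently found on the target systems. Returns the change plan."""
    plan = Plan()
    for ident, worker in hr_feed.items():
        wanted = expected_entitlements(worker)
        # Fail closed: a conflict drops both sides from the target state, so
        # neither is granted and any copy already held is revoked.
        for pair in sod_violations(wanted):
            plan.sod.append((ident, pair))
            wanted -= set(pair)
            plan.audit.append(f"{ident}: hold {pair} pending review (separation of duty)")
        have = actual.get(ident, set())
        why = ",".join(sorted(worker.roles)) if worker.active else "terminated"
        for ent in sorted(wanted - have):
            plan.grant.append((ident, ent))
            plan.audit.append(f"{ident}: grant {ent} because role(s) {why} require it")
        for ent in sorted(have - wanted):
            plan.revoke.append((ident, ent))
            plan.audit.append(f"{ident}: revoke {ent}, not required by {why}")
    for ident in actual:
        if ident not in hr_feed:
            plan.orphans.append(ident)
            plan.revoke.extend((ident, ent) for ent in sorted(actual[ident]))
            plan.audit.append(f"{ident}: orphan login with no HR identity, revoke all")
    return plan

# Constructed sample data.
HR_FEED = {
    "e100": Worker("e100", {"developer"}),
    "e200": Worker("e200", {"payroll-clerk", "hr-admin"}),  # toxic combination
    "e300": Worker("e300", {"developer"}, active=False),     # left the company
}
ACTUAL = {
    "e100": {("git", "push"), ("email", "mailbox"), ("pacs", "lab-door"),
             ("hr", "edit-salary")},            # left over from an old job
    "e200": {("email", "mailbox")},
    "e300": {("git", "push")},                   # de-provisioning was missed
    "svc9": {("hr", "run-payroll")},             # nobody in HR owns this login
}
```

Running `reconcile(HR_FEED, ACTUAL)` and printing `.audit` gives the trail an auditor would ask for: the stale HR privilege on e100 and the terminated e300's account are revoked, e200's conflicting pair is held, and the orphan svc9 login is stripped.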

http://blogs.sun.com/whoami/date/20090701 Wednesday July 01, 2009

Identity and the front door

  Once the decision has been made that identity is critical to the security of IT systems, an identity and identity management strategy must be set up.  Often this is as simple as a user name and password authentication method storing accounts in a local file, which came as a feature of the OS and possibly some of the applications.  In many cases this is good enough and is the front door into IT resources. Identity authentication and identity management can get very complex with multiple data stores and authentication mechanisms over multiple domains and geographical areas, with multi-factor authentication requirements.  I want to focus this entry only on the front door concept. I understand that there is much more to security and good identity management than just the front door; however, it is the focus of this entry.  I will talk about why the front door is important, and future entries will talk about front door security and other security strategies around identity and identity management.

  I was talking to a developer that produces products for the manufacturing industry.  He writes code that makes machines do the right thing in a manufacturing plant.  He has been around computers for years and started programming with punch cards.  Over the years I have had a few conversations about security with him and we usually end up on different ends of the argument.  In our last conversation he indicated that he felt that he really did not have anything on his computer that was interesting or of value to others.  I would guess that his corporation might think that some of his code has value and should be protected.  Even if the information seems trivial it may have value and may need to be protected in some way.  Spies and others that want to gain an advantage often start by gaining information that seems like harmless bits of information that, when brought together with other seemingly harmless bits of information, give them enough to put a picture together that can be used to leverage their way in.  His company uses a standard username and password to authenticate, and screen savers when systems are locked.  My friend pointed out that he changes his screen saver to a picture of a car, and that car in some way is part of his password. As a security focused person this seems very insecure to me.  As we talked he also indicated that he does not lock his house, ever.  He does not live in a big city or in an area of high crime, nor has anything of real value ever been taken from his home.  He is not in an industry that is often targeted by hackers and he is not aware of his system being hacked. Some of his sense of security is based on his physical world, where people are mostly honest and respect people and their property.  The problem with this is that out in the Internet world my neighbor might be anyone from any country.
With targeted attacks by both organized crime and countries that want to do harm to other countries, the Internet is not quite as safe as small town America.  Then add to that "hackers" that want to break into systems for fun or profit, and it truly is the wild wild west. Most members of these three groups do not have authorized front door access and often will use other entry points.  So who is it that we are trying to keep out with a strong front door?  Why should we really care about who is really using our systems or what they have access to?

  First, why is the front door so critical to information security?  Much like the physical world, the front door is all about keeping honest people honest.  In the physical world the front door is where those that live inside have key access and those that live outside knock and ask to enter.  In the IT world it is the place where only those with a key (having the authorization to authenticate) should pass through.  If identity matters, there is usually some vetting process of a given user before they are given authorization (like a username/password) to gain access to a system.

  Secondly, which key to use?  There are many options for authentication mechanisms that could be used: biometrics, smart cards, PKI, one time use passwords, and standard username/password, to name a few.  It can be hard to know which one or ones to use for any given resource.  The thrust of this entry is not around picking an authentication mechanism.  I will point out that systems should be evaluated to understand what authentication mechanism is best for the location and environment of the users and their systems, and what the abilities of the users are to use the method of authentication.  It is critical to understand, for the data stored on the system, what level of assurance that a user is who they say they are should be required.  Which authentication method to use and why could fill a long paper and will not be part of this entry.  I will point out a few issues with the often used username/password as the authentication mechanism (the key to the lock on the front door).  Some of the problems with username/password systems include:

  • people often share this information (loan out the key)
  • write down the information and leave it someplace (leave the key under the mat)
  • use passwords that are easily guessed (still using a skeleton key lock that is easily picked), much like my developer and his clue on his screen saver.

   Thirdly, why should we really care?  The front door is all about audit, traceability, and privileges (capabilities).  Let's start with audit.  In the physical world those that enter the building are watched by others that are already in the building.  In my home that is my family; in my office that is my co-workers.  The bigger the population or building, the less this self monitoring works.  In large work places there is often a guard or other person that is responsible for checking the identity of those that enter.  Once we know that those in the building should be in the building, how do we know what they did?  In my house we know who is doing what most of the time.  We can hear water running, look around, and know who is taking a shower, or see dishes left out and figure out who did not put them in the sink.  We have very loose auditing in our family and I would say that is also true in most work places.  In large environments there may be camera monitoring systems that record what people are doing.  In each case there are physical eyes that see a given amount of activity within the physical space, which is used to audit activity as good or bad within that space.  In the IT world, once someone uses the front door there should be an audit trail created of what that user is doing.  We audit because we need to know what has happened or is happening on a system. All processes have some type of ID that can be traced back to a person, application, or OS function.  Through these processes we can tell what or who is using resources, has modified data or applications, or did something that caused a problem on the system.  If audit is on, configured to gather the right data, monitored, protected, and understood, it can be used for forensics on what happened on a system or systems and used in court to prosecute violators.  Some of the key things that need to take place for audit to work are:

  • Proper vetting of identities.
  • Access controls in place that give a good level of assurance that the user on the system and the person identified with that user ID are one and the same.
  • Good layered security in place to be sure the user on the system is not a hacker/impostor.
  • Activity has taken place which has been monitored, recorded and understood.

Then if an activity is illegal, or out of policy or procedure, one could prosecute or discipline the individual for that activity.

  Finally, the other side of the front door access control is privilege control.  Within my house there are many rooms and some are open to all that have access to the house, like my living room.  On the other hand my bedroom is not open to all that enter my house.  My bedroom is only used by those that I have given permission to enter.  There is even a bit more security around my gun room, where there are guns, gun powder, and ammunition, and this room has additional locks to gain access.  In a computer there may be different levels of privileges given, for example:

  • General user privileges
  • Specific admin privileges (printer admin, user account admin, network admin, etc.)
  • Unrestricted admin/root privileges

Depending on the OS and application there could be many levels of privileges given to a user to perform any number of given job functions while denying access to other functions within the system.  It is critical to think about separation of duty and least privilege when setting up a layered access and privilege strategy.  This type of approach should be part of a good layered security strategy.
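The audit and privilege points above, as an added example that is not the author's code: each recorded action is tied back to the identity store and checked against the privilege tier that login was given, so events from logins no vetting process ever tied to a person, and actions beyond a tier's privileges, stand out when asking who did what. The audit record format, privilege tiers, identity store and sample lines are all constructed for the example.

```python
# Audit-trail review: tie every recorded action back to a vetted identity and
# check it against the privilege level that identity was given.
# Constructed example: the identity store, privilege tiers and audit lines are
# invented sample data, not the output of any real OS or application.
import re

# Privilege tiers from least to most powerful; None means unrestricted root.
PRIVILEGE_LEVELS = {
    "user":          {"read-file", "print"},
    "printer-admin": {"read-file", "print", "manage-queue"},
    "user-admin":    {"read-file", "print", "create-account", "reset-password"},
    "root":          None,
}

# Identity store: login -> (person the vetting process tied it to, privilege level).
IDENTITY_STORE = {
    "alice": ("Alice Example", "user"),
    "bob":   ("Bob Example", "printer-admin"),
    "carol": ("Carol Example", "root"),
}

# Constructed audit record format: timestamp, login, action, target.
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$")

def parse_event(line):
    """Return the record's fields, or None when the line is not an audit record."""
    match = AUDIT_RE.match(line.strip())
    return match.groupdict() if match else None

def evaluate(line):
    """Classify one audit line as (verdict, person, reason)."""
    event = parse_event(line)
    if event is None:
        return ("unparseable", None, "record does not match the audit format")
    identity = IDENTITY_STORE.get(event["uid"])
    if identity is None:
        # The front door admitted a login that was never tied to a vetted person.
        return ("unknown-identity", None, f"uid {event['uid']} has no vetted identity")
    person, level = identity
    allowed = PRIVILEGE_LEVELS[level]
    if allowed is None or event["action"] in allowed:
        return ("ok", person, f"{event['action']} is within {level} privileges")
    return ("out-of-policy", person, f"{event['action']} exceeds {level} privileges")

def review(lines):
    """Group findings by verdict so "who did what, and was it allowed" can be answered."""
    report = {}
    for line in lines:
        verdict, person, reason = evaluate(line)
        report.setdefault(verdict, []).append((person, reason))
    return report

# Constructed sample audit trail.
SAMPLE_AUDIT = [
    "2009-07-01T09:12:03 uid=alice action=print target=prn1",
    "2009-07-01T09:15:41 uid=bob action=manage-queue target=prn1",
    "2009-07-01T09:20:00 uid=bob action=reset-password target=alice",
    "2009-07-01T09:22:17 uid=mallory action=read-file target=plans.doc",
    "2009-07-01T09:30:00 uid=carol action=create-account target=dave",
    "2009-07-01 corrupted record",
]
```

`review(SAMPLE_AUDIT)` reports bob's password reset as out of policy for a printer admin, the mallory login as an identity the store never vetted, and the corrupted line as a record the audit configuration did not capture properly.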

   Identity is about access control, privileges, and auditability.   Identity and identity management need to be tied with a good layered security approach to be effective.  I will talk about layered security in regard to identity and identity management in future entries.

  Have a good one, Ed.


http://blogs.sun.com/whoami/date/20090625 Thursday June 25, 2009

What problem is Identity trying to solve

Identity is critical for "need to know" access, audit, and critical accounts or systems that could be modified.