Thursday June 25, 2009
What problem is Identity trying to solve?
After an interesting conversation with a fellow security professional about identity and whether it is really needed at all, I thought I should write this entry. I spent some time thinking about what problem is being solved by knowing who someone is. Google or Yahoo does not really care who you are when you access their sites. You may have a username and password to access some of their site content, email for example; however, that does not really mean they know who you are. When you purchase an item at a store, do they really care who you are if you give them money and they hand you the product? The discussion also pointed out that knowing an identity did not stop the 9/11 terrorist attacks in the US, did not stop the Enron scandal, or many other criminal activities. So why are we in the IT industry so worried about identity? Here are a few key reasons for having a valid identity that can be traced to a person.
1. Need to know access of information.
Corporate trade secrets need to be protected and given only to a small group of people who have a need to know. In government there are secrets about weapons, military strategy, the location and type of new technology development, and the travel plans of critical government officials. Your personal medical records or your personal financial records are things you might not want just anyone seeing. These are just a few of the "need to know" type items that could be listed.
2. Audit.
Once someone is given access, the need to know what they have done can be critical. One could argue that you only need the user ID, not the real person. I would say that if a bad event takes place in which you need to take them to court or have them arrested, you need a physical person who can be physically arrested and taken to court.
3. Critical access for modification.
This is access to bank accounts, IT systems, payroll systems, medical records, corporate accounting systems, critical secret development projects, and security control systems. Again, this is to name just a few.
The hard part is knowing what level of assurance I really need about who has access to what systems and/or information. For quite some time we seem to have believed that just a username and password is enough. People have spent a lot of time figuring out how strong a username and password should be. Many have thought about alternate methods of authentication (smart cards, biometrics, USB devices, one-time passwords generated by special devices that may or may not require a PIN, etc.); however, the simplicity and low cost of implementing a simple username and password (most systems have this by default) has dominated IT infrastructures. The first problem is really how I know who I have given access to. An employer will have some process for bringing an individual into the corporation. It could be as little as "my name is ..." being taken on trust, something as simple as the US Government I-9 form requirements, or all the way to biometric samples (like fingerprints) taken and run against databases, lie detector tests, and a background investigation to check for criminal activity, with private investigators going door to door 10 or more years back into your history to verify who you are and what type of person you are.
Once it has been determined, to an acceptable level, that a person is who they say they are, a method of tracking them is needed. This could be as simple as a username and password, an embedded PKI credential or a unique identifier in a device (think cell phone), all the way to a three-factor authentication requirement. Note that a device identifier by itself only tells you which device was used, not who was holding it; it only becomes an identity when you have tied that device to a vetted person. I should point out that no matter how strongly you authenticate someone, it will have little power if the systems are not secure.
None of this stops all criminal activity. What it does is deter and expose fraudulent activity: if you are auditing, reviewing the audits, and keeping systems secure, it provides a way to know who did what and to confirm that only those you wanted on the system are the ones on the system.
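To make the three threads above concrete (identity proofing, a required assurance level per system, and an audit trail that leads back to a physical person), here is an added example; it is not code from the original post or from anything the author built. The factor categories, the per-resource minimum levels, the user records and the names are all constructed for illustration, and the policy is deliberately simple: assurance counts how many distinct factor categories (something you know, have, are) were presented, a second factor of the same category adds nothing, and an account that was never tied to a vetted identity is refused no matter how strongly it authenticates.

```python
"""Added example: assurance levels, per-resource minimums, and an audit trail
that ties each action to a vetted identity. Policy and data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple

# Hypothetical factor categories: something you know / have / are.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know",
    "otp_token": "have", "smart_card": "have", "usb_key": "have",
    "fingerprint": "are",
}

# Hypothetical minimum assurance level per resource (1 = password only,
# 2 = two categories, 3 = all three categories).
REQUIRED_LEVEL = {
    "webmail": 1,
    "trade_secrets": 2,     # need-to-know information (reason 1)
    "payroll_modify": 3,    # critical access for modification (reason 3)
}


def assurance_level(factors: Sequence[str]) -> int:
    """Number of distinct factor categories presented, capped at 3.
    Two passwords are still one category, so ("password", "password") == 1."""
    categories = {FACTOR_CATEGORY[f] for f in factors}   # KeyError on unknown factor
    return min(len(categories), 3)


@dataclass(frozen=True)
class Identity:
    """The result of identity proofing: a user ID bound to a real person."""
    user_id: str
    legal_name: str
    proofing: str           # how the binding was established, e.g. "I-9"


@dataclass(frozen=True)
class Session:
    user_id: str
    factors: Tuple[str, ...]


@dataclass(frozen=True)
class AuditEvent:
    user_id: str
    legal_name: str         # "<unvetted>" when no identity record exists
    resource: str
    action: str
    level: int
    outcome: str


@dataclass
class AccessControl:
    identities: Dict[str, Identity]
    required: Dict[str, int]
    audit: List[AuditEvent] = field(default_factory=list)

    def request(self, session: Session, resource: str, action: str) -> bool:
        """Decide the request and always record it, allowed or denied."""
        ident = self.identities.get(session.user_id)
        level = assurance_level(session.factors)
        need = self.required[resource]
        if ident is None:
            outcome = "deny:unknown-identity"
        elif level < need:
            outcome = f"deny:need-level-{need}"
        else:
            outcome = "allow"
        self.audit.append(AuditEvent(
            session.user_id, ident.legal_name if ident else "<unvetted>",
            resource, action, level, outcome))
        return outcome == "allow"

    def who_did(self, resource: str) -> List[Tuple[str, str, str]]:
        """The audit question: which physical person touched this resource?"""
        return [(e.legal_name, e.action, e.outcome)
                for e in self.audit if e.resource == resource]


# Constructed identity records (names are fictitious).
IDENTITIES = {
    "alice": Identity("alice", "Alice Example", "I-9 + background investigation"),
}


def demo() -> AccessControl:
    acl = AccessControl(IDENTITIES, REQUIRED_LEVEL)
    # Password only: fine for webmail, not for changing payroll.
    acl.request(Session("alice", ("password",)), "webmail", "read")
    acl.request(Session("alice", ("password", "password")), "payroll_modify", "update")
    # Smart card + PIN + fingerprint: three distinct categories.
    acl.request(Session("alice", ("smart_card", "pin", "fingerprint")), "payroll_modify", "update")
    # An account nobody ever vetted is denied regardless of its factors.
    acl.request(Session("ghost", ("smart_card", "pin", "fingerprint")), "trade_secrets", "read")
    return acl


if __name__ == "__main__":
    for event in demo().audit:
        print(event)
```

The point of the design is that the audit record carries the vetted legal name, not just the login, so a reviewer reading it later can answer "who" with a person rather than an account; and because the record is written on denials as well, a string of failed attempts against a critical resource is visible to whoever reviews the audits.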
Until my next installment of why identity matters or who am I. Have a good one, Ed Clay.
Posted at 03:11PM Jun 25, 2009 by Edward Clay in Personal | Comments[0]