I was having a conversation with friends the other day and while it may sound nerdy as hell, the topic was focused on identity. I swear (trust me) that no drinks were involved but the conversation went pretty deep, nonetheless. What is identity, how is it used, and how can it be protected? Like Aristotle and Plato before us, we modern day philosophers discussed the various aspects that make up our identity, how we can control it, and how we can selectively share it with our intended audiences. In an era when our private information has been unleashed like the proverbial opening of Pandora’s Box, how can we regain control of our identities without impacting our existing relationships or experiences?
But what about identity? What is it really, and why should you care?
When I think about identity, I think in terms of aggregation, management, and sharing. Each of these are key ingredients when it comes to users owning their own identities, but each of these can be further strengthened when we add trust to the mix. So, what is the recipe for success as it pertains to trusting identities in cyberspace? Let’s take a closer look at each of these ingredients to see.
My identity is the aggregation of all the things there is to know about me. One could trivialize this by saying it is simply all the discrete data elements about me (i.e. hair color, height, ssn, etc.) but in essence, it is much more. It consists of my habits, my history, my data, my relationships – basically everything that can be me and everything that can be tracked about me. Identity information is not found in a single location, it is distributed across multiple repositories but this informaiton can be aggregated into a virtual identity – which is essentially, me.
When we allow someone to manage their own identity, we are allowing them to control their discrete data elements, but we are also allowing them to manage every other aspect about themselves as well. You can change your mobile number attribute (data element) when you get a new phone, or you can change your address attribute when you move. But just like you can remove the cache, history, and cookies in your browser, you should be able to maintain your privacy by removing (or hiding) your identity characteristics as well. Identity management simply means that I am able to manage those aspects of my identity that are my own.
In real life, I have the ability to select which characteristics and/or information about myself that I want to share with each of my friends, family, co-workers or acquaintances. My work-related benefits stay private between my boss and I in the workplace. Conversely, I don’t share my family conversations within the office. Investment information stays private between my broker and I, yet I Tweet favorite quotes to the world. In essence, I selectively share information with different audiences based on the role I am playing at that time. Online personas facilitate the same selective sharing within the social web similar to our interations in the real world. I may take on a different persona as I interact in the virtual world and elect to share different information with each audience based on where I elect to use that persona. This also means that I can act anonymously if I so choose (which is similar to going ‘incognito’ in your browser).
Sharing data with others fulfills my desire to communicate information about me to you, but just like in real life it is totally your option to accept the validity of that information or not. To take the sharing to the next level (and address a major need on the Internet today), we need to have some method of trusting the information that we receive. Trust is transient (it changes), contextual (it is based on the situation), and 100% given by the receiving party – essentially they decide to trust you or not. In the real world we use driver’s licenses, passports, or referrals from friends to validate users and establish trust. This is no difference in the social web except for the fact that we are not seeing each other face to face and do not have the ability to provide a driver’s license as proof of identity. Hence the need for another method.
If the ingredients in the identity cake are aggregation, management and sharing, then validation is the icing on the cake; not the cake itself. While each of these ingredients are key in making the perfect cake, leaving trust out of the mix is kind of like leaving salt out of the recipe. Trust simply brings out the flavor and without it, the cake is way too bland!
(I wrote the following article for BABM Business Magazine back in May/June of 2009. The article is reprinted here with their permission.)
With the latest layoff news continuing to add chaos to the economy, CEOs need to protect their businesses in case of staff cuts, restructuring or consolidation of offices. While your company may not be planning layoffs now, there is no guarantee that in three or six months from now this will be the case. There are steps your business should take, both proactively and reactively, to ensure that your most valuable information such as customer data and contracts isn’t walking out the door with terminated employees.
Ideally, even before layoffs occur, businesses need to be prepared to protect their assets. Employees may sense a layoff is imminent and start grabbing what data they can before they get the official word. This could lead to a loss of your company’s most valuable contacts that former employees may use to compete against you. Proactive monitoring of systems, before layoffs begin, can ensure that your company’s data is protected.
There are a variety of technologies you can implement to monitor your employees’ access of specific applications. For example, you can monitor who has access to what type of database and determine if an employee is running unusual reports. Are certain employees extracting every field, downloading the data to a local disk and/or sending it to themselves over email?
Having a solid process for role provisioning and access management will help limit access of certain information to those people who need it to do their jobs. If levels of access to various applications and corporate information are assigned for each job description, it is easier to set up monitoring systems for each employee as well as protocols for changing passwords and other termination procedures to remove access when an employee is let go.
A good rule of thumb is to trust, but verify. Monitoring can be performed at many levels and includes database access, disc usage, and whether or not USB drives are being plugged into company computers. Monitoring can even determine if proprietary data is being sent to an email account. When it comes to access management and monitoring, CEOs and executive management need to weigh how much protection they want with how much they protection they can afford. It’s a formula that will vary for every company.
Once a company is in an action stage and layoffs are about to begin, it’s almost too late to protect and secure its data without shutting off access altogether (which may not be feasible in all cases). As a fallback plan, many companies provide their security team with a list of users they plan to let go. On the morning the layoffs are to take place, the team is tasked with acting on the list and locking out those employees from their accounts. But there’s often the lingering feeling that something was missed. Are they prevented from accessing your systems remotely? Are they still receiving their email on their home PCs? Does the employee have access to vendor accounts? Can your security team effectively map the employee to all the accounts they have accumulated over the years?
There are many types of technologies that can be used from a proactive perspective and subsequently verified from a reactive perspective. CEOs should be proactive and have an effective user provisioning solution in place. This ensures that they have accounted for all the systems and the types of system access where a user has an account. Once layoffs have occurred companies should continue monitoring mission critical systems to ensure that the access has been terminated appropriately. A security event monitoring solution on the back end can monitor log files or traffic patterns to these systems and immediately notify of any unusual activity.
Companies that have implemented centralized account management systems have peace of mind that they can quickly prevent access by employees who are no longer associated with the company. They can be certain that they have locked all accounts being managed by the system and actions such as terminations can be performed by management (ahead of time) rather than needing to involve people from the security team.
Companies that have not implemented a centralized account management system are increasing their workload and effectively putting valuable corporate assets at risk. At this point, there has to be due diligence as you have to perform these tasks manually. The potential for damage is great, however, and fallout will rise exponentially as more layoffs occur. If you have implemented a centralized user provisioning system, congratulations! If not, don’t panic, there are still tasks you can perform to help protect your assets.
- Prepare your list well in advance and give your security team a chance to locate the various user accounts.
- Work with functional managers, supervisors, or project managers to further determine the user’s access.
- Monitor system logs and network traffic to determine if any unusual access or traffic patterns appear. Respond immediately.
Even with this type of preparation, the tasks can be quite time consuming and it could take weeks to properly locate and delete access. Hence, our advice is that it’s better to take more proactive steps to avoid headaches and possible customer data and other business asset loss later on. Getting a handle on your role provisioning and user access procedures and having a plan for monitoring employee application use are good places to start.
Staff reduction is never easy and you should make the separation as painless as possible. It is unfortunate that some employees view corporate assets as their own and feel entitled to take information with them when they leave. As a business owner responsible to shareholders or even to the remaining workforce, you need to take every action possible to ensure the protection of this data.
I read an article in CIO Magazine about the plight of today’s CIOs when multi-million dollar multi-year projects go awry. The article entitled “The CIO Scapegoat” indicates that it is unfair to hold the IT department completely responsible when there are so many other business units that contribute to a project’s demise. In many cases, the CIO takes the fall for the failure and, as a direct result, they are either demoted, moved into a different organization or let go altogether.
The article goes on to provide advice to CIOs who are beginning such undertakings. First and foremost, large, complex projects should be broken up into “bite-sized” chunks and proper expectations of what will be delivered in each “mini-project” should be set – and agreed upon – with the various stakeholders.
I could not agree more with this statement and find it most concerning that this is not more of a common practice within the IT industry. In our World of rapid prototyping (turned production) and just-in-time development, to think that you could perform a multi-year project without implementing several checkpoints along the way is simply insane. This may be one of the reasons why the average life-span of a CIO is only two years within the same company.
CIOs who agree to perform projects under such conditions really need to read my previous blog entitled “Lessons Learned from Enterprise Identity Management Projects“. While it was written mainly for enterprise identity projects it has direct applicability to any enterprise project. In that article I directly address specific points about expectation setting and bite-sized chunks (did CIO Magazine read my blog on this?) and by taking my advice to heart, the average CIO might be able to extend their stay.
Interesting read. This is essentially a WebSSO initiative with authentication based on CAC type ID cards or OpenID.
The CAC type of implementation (ID Cards) are not practical as they require everyone to have a card reader on their PC in order to do business with the government. I don’t see this happening anytime too soon.
I understand that there are several holes in the OpenID initiative. I wonder if they have been fixed (I wonder if it matters).
Either way, Sun’s openSSO initiative is well positioned as it allows OpenID as a form of authentication. The fact that the government is looking at open source for this (OpenID) bodes well for openSSO.
Link to article on PCmag.com:
Text version of the article:
Federal Government Starts Identity Initiative
As part of a general effort of the Obama administration to make government more accessible through the web, the Federal government, through the GSA (Government Services Administration), is working to standardize identity systems to hundreds of government web sites. The two technologies being considered are OpenID and Information Cards (InfoCards). The first government site to implement this plan will be the NIH (National Institutes of Health).
OpenID is a standard for “single sign-on”. You may have noticed an option on many web sites, typically blogs, to log on with an OpenID. This ID would be a URI such as john_smith.pip.verisignlabs.com, which would be John Smith’s identifier on VeriSign’s Personal Identity Portal. Many ISPs and other services, such as AOL and Yahoo!, provide OpenIDs for their users. When you log on with your OpenID the session redirects to the OpenID server, such as pip.verisignlabs.com. This server, called an identity provider, is where you are authenticated, potentially with stricter measures than just a password. VeriSign is planning to add 2-factor authentication for example. Once authenticated or not, the result is sent back to the service to which you were trying to log in, also known as a relying party.
Information Cards work differently. The user presents a digital identity to a relying party. This can be in a number of forms, from a username/password to an X.509 certificate. IDs can also be managed by service providers who can also customize their authentication rules.
The OpenID Foundation and Information Card Foundation have a white paper which describes the initiative. Users will be able to use a single identity to access a wide variety of government resources, but in a way which preserves their privacy. For instance, there will be provision for the identity providers to supply each government site with a different virtual identity managed by the identity provider, so that the user’s movements on different government sites cannot be correlated.
Part of the early idea of OpenID was that anyone could make an identity provider and that everyone will trust everyone else’s identity provider, but this was never going to work on a large scale. For the government there will be a white list of some sort that will consist of certified identity providers who meet certain standards for identity management, including privacy protection.
by Phillip J. Windley
See this book on Amazon »
Bill has read this book
|Comment: “This is a clear, consise, and easy to read book on IDM and DRM. I recommend it HIGHLY to anyone who wants an overview of IDM and its roots in the X.500 space. While Digital Identity does not specifically address certain concepts such as roles management, it is an essential resource for anyone’s library of identity management books. I understand that this book is now out of print; this is unfortunate as I was looking forward to a 2nd edition.”|
By now, many of you have already heard about the hacking of Alaska Governor Sarah Palin’s Yahoo e-mail account earlier this week (on or about Tuesday 9/16/2008). If not, here is a brief synopsys of the story.
Sarah Palin’s personal Yahoo e-mail account was compromised and the contents of her account (including her address book, inbox and several family photos) were posted to the Internet.
Someone with the e-mail address of firstname.lastname@example.org posted a message on the Web site 4chan about how he used Yahoo! Mail’s password-recovery tool to change the Alaska governor’s password and gain full access to her e-mail account.
“i am the lurker who did it, and i would like to tell the story,” email@example.com wrote.
(I have included the full text at the bottom of the post for those interested. Be forewarned that some of the language is NOT family friendly.)
The firstname.lastname@example.org e-mail account has been linked to 20-year old David Kernell; son of democratic Tennessee State Representative, Mike Kernell, and a student at the University of Tennessee-Knoxville. While David has not been included in any official investigation as of yet, his father, has confirmed that the person being the subject of the many blog posts and news articles around the Internet is indeed his son.
So how did the alleged hacker do it?
First of all, he had to identify Sarah Palin’s email address to be email@example.com. A recent article in The Washington Post indicated that Sarah Palin was using a personal e-mail address of firstname.lastname@example.org to conduct government business. But that was not the e-mail account that got hacked. So how do you get from email@example.com to firstname.lastname@example.org?
Allahpundit posted an article on hotair.com that presents some interesting ideas about how the hacker might have arrived at the email@example.com account, but for the time being — and void of any conspiracy theories — let’s just assume he figured it out.
Now that he had the e-mail address, how was he able to gain access to the account?
The hacker claims to have used Yahoo! Mail”s password-recovery tool to reset the password. To do this, you simply go to Yahoo! Mail and click on the Forget your ID or password link.
This takes you to a page where you enter your Yahoo! ID. In the case of Sarah Palin’s account, this would be “gov.palin”.
To reset your password with Yahoo! Mail, you can either have it sent to your secondary email address or you can indicate that you no longer have access to this account.
(As a side note, I do not particularly like the fact that Yahoo! shows even a portion of my secondary email account in the email address HINT. But that is another story. )
Selecting the “I can’t access my alternate email address” radio button allows you to answer questions to challenge questions as follows:
These are generic authentication questions, but in the case of Sarah Palin, the hacker had to answer one additional question that had to do with where she met her husband. The hacker guessed that Alaska’s governor had met her husband in high school, and knew the Republican vice presidential candidate’s date of birth and home Zip code, the Associated Press reported. Using those details, the hacker was able to successfully access Palin’s email account where he was able to assign a new password of “popcorn”.
The rest is simply news.
So what does the hacking of Sarah Palin’s email account tell us about security and Identity Management in general?
One of the big benefits of an Identity Management solution is that it provides end-users with a way to update their own data and reset their own passwords. This is a HUGE cost reduction for companies as it reduces the number of calls to the Help Desk. But just like everything else, there has to be a careful balance between security and convenience.
Authentication questions provide a means for users to gain access to their accounts when they have forgotten their passwords. This is the mechanism that Yahoo! Mail uses and has been adopted by many Identity Management solutions. Authentication questions are extremely convenient for companies that have password policies that are so stringent that their users cannot remember their passwords. They also come in handy after three-day holiday weekends as the day that employees return to work typically generates numerous calls to the Help Desk for password reset.
While authentication questions are convenient and produce a cost savings, a company does, however, need to take care when providing this solution. Who decides what the questions are and what happens if the end-user does not have an answer for a particular question? These are some of the issues that need to be considered. I have seen questions all over the board. Below are some of the ones that I find particularly insecure since many of them can be answered by Google searches or social engineering. In some cases, the questions cannot be answered with one answer and some cannot be answered at all.
Questions that can be answered by social engineering or search:
· What is your mother’s maiden name?
· In what city where you born?
· In what year where you born?
· What was your first school?
· What was your first phone number?
Questions that might not be answered at all:
· Who is your favorite superhero?
· What is your pet’s name?
· What is your library card number?
· What was your first teacher’s name?
· What is the air speed velocity of a coconut-laden swallow?
If you force a user to provide answers that are easily obtainable, then your risk is drastically increased (just ask Sarah Palin). If you force users to answer questions that are difficult (or impossible) to answer, then then your risk is also increased as the user may just provide a common answer to all questions (i.e. “blue”). So either way you go, it can be a difficult decision to make.
I have found that one of the best mechanisms is a an approach that allows the end user to define their own set of authentication questions while the company provides a sample set of common (yet hopefully secure) questions as well. This allows the company to have certain control, but also allows the user the ability to provide questions and answers using information that only they know. Now, I know that some may argue that users typically pick the path of least resistance and that many of them will pick easy questions (and therefore have easy answers) but by combining a set of the company-specific questions in addition to those supplied by the user the company can bridge the gap between security and convenience.
By the way, if you use an application that allows you to provide your own authentication questions, then I STRONGLY suggest that you go and provide your own security question(s) to one(s) that have meaning and applicability to you.
Here is the synopsis of what rubico said at 4chan:
rubico 09/17/08(Wed)12:57:22 No.85782652
Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story.
In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bulls**t spamming.
after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code?
well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)
the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screensh**s that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.
I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…
>> rubico 09/17/08(Wed)12:58:04 No.85782727
this is all verifiable if some anal /b/tard wants to think Im a troll, and there isn’t any hard proof to the contrary, but anyone who had followed the thread from the beginning to the 404 will know I probably am not, the picture I posted this topic with is the same one as the original thread.
I read though the emails… ALL OF THEM… before I posted, and what I concluded was anticlimactic, there was nothing there, nothing incriminating, nothing that would derail her campaign as I had hoped, all I saw was personal stuff, some clerical stuff from when she was governor…. And pictures of her family
I then started a topic on /b/, peeps asked for pics or gtfo and I obliged, then it started to get big
Earlier it was just some prank to me, I really wanted to get something incriminating which I was sure there would be, just like all of you anon out there that you think there was some missed opportunity of glory, well there WAS NOTHING, I read everything, every little blackberry confirmation… all the pictures, and there was nothing, and it finally set in, THIS internet was serious business, yes I was behind a proxy, only one, if this s**t ever got to the FBI I was f****d, I panicked, i still wanted the stuff out there but I didn’t know how to rapids**t all that stuff, so I posted the pass on /b/, and then promptly deleted everything, and unplugged my internet and just sat there in a comatose state
Then the white knight f****r came along, and did it in for everyone, I trusted /b/ with that email password, I had gotten done what I could do well, then passed the torch , all to be let down by the douchebaggery, good job /b/, this is why we cant have nice things
I have been implementing and/or managing identity-related projects for over 10 years now and I can say, from experience, that the biggest problem with any Identity Management project can be summed up in one word: EXPECTATIONS.
It does not matter whether you are tackling an identity project for compliance, security or cost-reduction reasons. You need to have proper expectations of what can be realistically accomplished within a reasonable timeframe and those expectations need to be shared among all team members and stakeholders.
Projects that fail to achieve a customer’s expectations do so because those expectations were either not validated or were not shared between all parties involved. When expectations are set (typically in a statement of work), communicated (periodic reports), and then reset if necessary (change orders), then the customer is much happier with the project results.
Here are a few lessons I have learned over the years. While they have general applicability to major projects, in general, they are especially true of identity-related projects.
1) Projects MUST be implemented in bite-sized chunks.
Identity projects are enterprise-wide projects; you should create an project roadmap that consists of multiple “mini” projects that can demonstrate an immediate ROI. The joke is, “How do you eat an elephant? One bite at a time.” To achieve success with identity projects, you should implement them one bite at a time and have demonstrable/measurable success after each bite.
2) The devil is in the data.
Using development/test data that is not representative of production data will kill you in the end and cause undue rework when going into production. Use data that is as close to production as possible.
3) Start with an analysis phase BEFORE scoping the entire project.
I HIGHLY recommend that the first project you undertake is an analysis. That will define the scope for which you can then get a better idea of how to divvy up the project into multiple bite-size chunks and then determine how much — and how long — each chunk will take. This allows you to effectively budget both time and money for the project(s).
Note: If a vendor gives you a price for an identity implementation without this, then run the other way. They are trying to simply get their foot in the door without first understanding your environment. If they say that the analysis phase is part of the project pricing, then get ready for an extensive barrage of change orders to the project.
4) Get everyone involved.
Keep in mind that these are enterprise-wide projects that affect multiple business units within your company. The project team should contain representatives from each organization that is being “touched” by the solution. This includes HR, IT, Help Desk, Training and above all, upper-level management (C-level).
(The following items apply if you are using external resources for project implementation.)
5) Find someone who has “been there and done that”.
Ask for references and follow up on them. More and more companies say that they can implement identity-related projects just because they have taken the latest course from the vendor. This is not enough. If training alone could give you the skills to implement the product, then you would have done the project yourself. You need to find someone who knows where the pitfalls are before you hit them.
6) Let the experts lead.
Don’t try to manage an Identity Management project unless you have done so before – and more than once. I have been involved with customers who have great project managers that have no experience with identity projects, yet they want to take ownership of the project and manage the resources. This is a recipe for disaster. Let the people who have done the implementation lead the project and allow your project manager to gain the knowledge for future phases.
7) Help build the car, don’t just take the keys.
Training takes place before, after and during the project. Don’t expect to simply take “the keys” from the vendor once the project has been completed. You need to have resources actively involved throughout the project in order to take ownership. Otherwise you not be able to support the product — or make changes to it — without assistance from the vendor. Ensure that you have your own team members actively engaged in the project – side by side with the external team. To do this, you have to ensure that they are not distracted by other work-related tasks.