What a mess!

All these identity products, or ‘solutions’ as their vendors prefer to call them, in every organisation, connecting up (if you are lucky) disparate applications, each with its own authentication and authorisation system and maybe Single Sign-on… a security nightmare, but necessary if any sane individual is to survive this era of identity crisis.

But this is IDENTITY security built around applications, instead of people, how WEIRD!

Provenance

PROVENANCE is rather a nice word. I hadn’t really come across it before a month or two ago, which is weird considering I am English. It means protecting our word; Wikipedia has a better definition. I see it like this because it is to do with saving the truth. George Orwell’s 1984 was all about re-writing history, living a lie. Provenance is about preserving history.

So why the interest from my side? Well everything we do online is written digitally somewhere, and I think it would be good if our word is protected, its integrity is protected, even after we die.

Can I have back my digital identity please?

I heard a funny story last night. Imagine you are at the bank, and decide to change banks. You don’t like your bank anymore. So you say to them “can I take my identity with me please?”. Of course the bank refuses. Quite rightly in a way, because they may have your details in a database, but don’t have your identity. Your identity, or your digital identity, is scattered in databases, directories, excel and word files across the globe. You have no control, you cannot claim back your digital identity, because it is not an identity. Your identity is what you have in the physical world. You only have a digital identity if you own it and control it. This of course is not possible… or is it?

So you think you control your identity?

So what makes your identity strong? Is it you?

Think about this… it is not what you say about yourself that makes your identity strong, it is what other people say. Clearly you have some influence, but it is not you that makes your identity strong; one could say it’s your reputation that is the backbone of your identity strength. Or is it?

Noh-Masks

I’ve been thinking about this lately, because you know it really doesn’t matter whether you have a good or a bad reputation. So long as you have one, and people are talking about you, your identity is strong. Your identity cannot be stolen. The persons with the strongest identities are prominent figures nationally and internationally. A good President or a bad President, it doesn’t matter, their identities are strong.

So does your identity = reputation? I made a post about this last month. I also published a paper in 2010 on this very subject. My conclusion both times was no, they are different, and need to be treated differently. This is true. Nevertheless I need to evolve this thinking a little, as it was missing some important observations.

The fact is the more references, i.e. people that refer to you, the stronger is your identity. Hence your identity is strengthened by exposure, and then by others pointing back at you, and saying that you are who you say you are. This is not reputation, this is your personal ecosystem. It is what they say that makes your personal ecosystem vibrant with positive or negative energy, i.e. your reputation.

So what? Well if it is so straightforward, then it should be possible for your digital identity to be equally strong. As long as the reference points (other digital identities) can point at a single digital identity (you) and claim that you are who you say you are digitally, then it should work, right?

I want a drink!

Yes, so you are under 25 years and want to buy a bottle of wine… or maybe something stronger from your local liquor store.

– You are requested for ID to prove you are old enough
– You produce ID
– ID that includes your name, date of birth, nationality, and your favourite colour and sexual orientation…. okay so I’m joking, just a little bit, here…

The problem is that the liquor store only needs to know if you are old enough to buy alcohol, nothing more…. why are we sharing so much of our personal information unnecessarily?
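An added example of the point above, not code from the original post: the issuer sees the full identity but hands the holder only the ‘old enough’ predicate, and the seller verifies that claim without ever receiving a date of birth. An HMAC keyed with a secret shared by issuer and verifier stands in for a real digital signature, and age is approximated by year difference; both are simplifying assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo values, not from the post.
ISSUER_KEY = b"constructed-demo-issuer-key"   # hypothetical shared secret
MIN_AGE = 18


def _canonical(claim: dict) -> bytes:
    """Stable serialisation so the tag covers exactly the claim fields."""
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()


def issue_age_claim(birth_year: int, this_year: int) -> dict:
    """Issuer (e.g. a government ID service) emits only the yes/no predicate.
    The date of birth never leaves the issuer."""
    claim = {
        "old_enough": this_year - birth_year >= MIN_AGE,
        "min_age": MIN_AGE,
        "valid_year": this_year,           # freshness, so old claims expire
    }
    claim["tag"] = hmac.new(ISSUER_KEY, _canonical(claim), hashlib.sha256).hexdigest()
    return claim


def verify_age_claim(claim: dict, this_year: int) -> bool:
    """Seller checks integrity and freshness; it learns nothing but the predicate."""
    body = {k: v for k, v in claim.items() if k != "tag"}
    expected = hmac.new(ISSUER_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, claim.get("tag", "")):
        return False                       # forged or tampered claim
    return claim.get("valid_year") == this_year and claim.get("old_enough") is True
```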

So what are you digitally?

You are a record in a database, an object in a directory (if you are lucky), an ID card, a line of text and numbers in a spreadsheet or a Word file. You are all of these and nothing… literally, when thinking about what you are digitally.

Then let us link this into your digital communications, or what I prefer to refer to as your ‘digital interactions’…. oops, there is no linkage… umm, this means you are 1s and 0s in cyberspace, with nothing connecting you, your digital identity, with your digital interactions… seems rather sad.

Re-thinking Information SECURITY

I love ticking boxes, makes me feel as though I’ve achieved something. It’s like a check list, each tick-box is a step closer to completing my list of ‘things to do’. It’s kind of satisfying. It is even more so when I get paid a good hourly fee for ticking boxes 😉

Okay, so I’m joking a little. Preparing an organisation for ISO27x certification is a little more complex than purely completing a checklist. Yet, however simple or complex it is, even when your organisation passes its audit, it does not prove it is secure. It does prove that you tried your best, i.e. demonstrated ‘due diligence’. Then something does go terribly wrong, e.g. one of your user accounts is used to hack into the organisation and access information that, if made public, can ruin your business. Well, you tried your best within the boundaries of your capabilities, so I guess that’s okay? Or is it? I guess not, if you go out of business, or end up spending the subsequent 12 months in crisis mitigation mode!

The problem as I see it is multidimensional and not limited to this list:

    1. Reactive security – We are so focused on doing the security stuff that we understand, i.e. ticking boxes, that we don’t get to the core of the problem.
    2. Product-focused security – Even if we think it can be solved with a product, there are so many security product vendors out there touting the ‘magic bullet’ that nobody knows who or what to believe anymore.
    3. Mis-alignment of security spend with LoB – Security products, once implemented, often do not address the fundamental business need. Evidence of this is when new security products/services come out of the IT budget, not from the Line of Business (LoB).
    4. BandAid security – Due to point (3), lack of LoB ownership of security spend means no sponsorship. This can mean that even if security spend is approved, e.g. the security mitigation effort needed to meet compliance requirements, the effort can be likened to a ‘BandAid’ approach to fixing what needs fixing.
    5. Non-contiguous defense-in-depth security – Due to all of the above, your security infrastructure is not contiguous. The ‘defense-in-depth’ approach to your security programme recommended by security experts may be deep, but full of holes.
    6. Information that moves – Our digitised society has changed the parameters of how we should be doing security; however, in our organisations we are still thinking as though information is static and can be contained. It cannot.

Fixing all of the above is pretty daunting, and it has become generally acknowledged today that there is no way to guarantee that the confidentiality and integrity of the information assets owned by your organisation are fully protected. So what’s my view on this?

Well, it is fun ticking boxes and I’ve made a lot of money during my career in this activity 😉 But I guess you’ve figured that I feel it is not quite as satisfying as I made out at the beginning of this post. To try and simplify things I see roughly 2 tracks in my head. The first is business security, the linkage from business needs to scoping. The second is how to do this from a technology perspective, and this I’ve grouped as: people-centric, device-centric, and information-centric. This is to reflect the fluid nature of information today, which cannot be contained by building a fortress around it.

BUSINESS Security

    B1. LoB – What is the need?
    Firstly, security needs and spend must come directly from the LoB. They know their business best, and know what needs protecting better than I do as the security expert, or your IT department. The most important questions to be asked are:
    1) “What can ruin your business?”,
    2) and, “What do you need to be compliant with?”.
    Clearly security spend should be commensurate with what you want to achieve. For example, if a vendor wants to sell you a DLP product across your whole company, think twice, and ask what it is needed for: (1) to protect from ruin, or (2) to be compliant?
    B2. Keep it small
    Take one business process at a time and fix it using the following 3 principles.

TECHNICAL Security

    T1.People-centric security
    How we do identity control today is the weakest link in the security chain. See my previous posts on this. I call it identity control not identity management, because it is about control and traceability. For your organisation, and for the identity holders. Your organisation and your employees are continually a part of digital interactions, and all of those that you share together, belong to your organisation!
    T2. Device-centric security
    Take a look at what the Trusted Computing Group is doing with the chip. I normally refer to it as putting “security at the ‘chip’ level”. This is not technically accurate, but it conveys the meaning that the security is at the microprocessor level of the device rather than at the Application layer. If you liken it to a house, it means that you have walled in all your windows (Application layer), and the only way in is through the door (ground level) with high-level security controls linked intimately to your digital identity, which of course follows the people-centric approach to identity control 😉
    T3. Information-centric security
    This is all about protecting and adding traceability to your information, wherever it is stored. Examples include your mobile workforce and their mobile devices. Then where is your critical information when at rest, in a public or shared cloud? Well, this information should be encrypted using a key-fragment approach. This means: 1) your cloud provider cannot see the contents of your information in the cloud, 2) you hold the key, and 3) a fragment must be collected from a key-fragment central store, which could be owned by yourself, so you have traceability of who is accessing what information in the cloud through key-access patterns.
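An added example of the key-fragment approach in T3, not code from the original post: the data key is XOR-split into two fragments, one kept by the owner and one deposited in a central store the owner controls. The cloud holds only ciphertext, and every fragment retrieval is logged, which is where the key-access pattern for traceability comes from. The SHA-256 counter-mode keystream is a stand-in for a real AEAD such as AES-GCM (an assumption), as are the object id and requester name.

```python
import hashlib
import os


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode). Use AES-GCM in practice."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def split_key(key: bytes):
    """XOR split: neither fragment alone reveals anything about the key."""
    frag_a = os.urandom(len(key))
    frag_b = bytes(a ^ k for a, k in zip(frag_a, key))
    return frag_a, frag_b


def join_key(frag_a: bytes, frag_b: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(frag_a, frag_b))


class FragmentStore:
    """Central key-fragment store owned by you; every fetch is recorded."""
    def __init__(self):
        self._frags = {}
        self.log = []                       # (requester, object id) access pattern

    def deposit(self, obj_id: str, frag: bytes) -> None:
        self._frags[obj_id] = frag

    def fetch(self, obj_id: str, requester: str) -> bytes:
        self.log.append((requester, obj_id))
        return self._frags[obj_id]


def protect(store: FragmentStore, obj_id: str, plaintext: bytes):
    """Encrypt, park one fragment in the store, return the owner's fragment and ciphertext."""
    key = os.urandom(32)
    frag_owner, frag_store = split_key(key)
    store.deposit(obj_id, frag_store)
    return frag_owner, keystream_xor(key, plaintext)   # ciphertext goes to the cloud


def access(store: FragmentStore, obj_id: str, requester: str, frag_owner: bytes, ciphertext: bytes) -> bytes:
    """Decryption forces a logged fetch; the cloud provider never sees the key."""
    key = join_key(frag_owner, store.fetch(obj_id, requester))
    return keystream_xor(key, ciphertext)


def demo():
    store = FragmentStore()                 # constructed sample data
    frag, ct = protect(store, "report-q1", b"quarterly numbers")
    return access(store, "report-q1", "alice", frag, ct), ct, store.log
```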

Now that I’ve finished with my little ‘brain-dump’ on you guys, I guess I should get back to ticking boxes 😉