Remember Mark Twain’s “everybody talks about the weather, but nobody does anything about it”? This is exactly my take on identity: Everybody talks about identity, but nobody does anything about it.
The crux: Our identity is everywhere, largely unprotected and out of control. A new identity security framework is badly needed — one which will keep the vital parts of our identity hidden and secure, yet usable to validate and authenticate us whenever required.
The Ethereal Identity: It is everywhere.
The problem begins with the definition of identity. What is identity? What is digital identity? Are they one and the same? Where does our identity begin and where does it end? The intuitive notion of identity is a combination of user name and password, coupled with a number of other trivial pieces of personal data and user behavior. Is it really?
If you ask 10 people what digital identity is, you’re bound to hear 10 different definitions. Interesting perspectives can be found in these definitions: Digital Identity in Cyberspace (1998); Digital Identity (2011); Wikipedia: Digital identity.
One of the major challenges of identity security solutions is the difficulty of defining what identity really is.
Enterprise identity
In the enterprise space, identity is being dealt with extensively as part of IAM/SSO, but only within the confines of “enterprise identity” — trivial user credentials and set of access rights to enterprise resources. This is a minute fraction of what identity really is.
Personal identity
The personal identity space, on the other hand, was never given serious attention, although the largest data breaches and identity-related data thefts have always occurred there (well, save for the recent OPM breach). The only identity-related services to be found today are associated with identity fraud-prevention, almost exclusively centered around financial services.
Reality check: Our digital identity resides in myriad places throughout the Internet. Breadcrumbs of our identity and our activity are all over the Internet — literally everywhere and in countless shapes and forms: User names, passwords, email addresses, formal identifiers (e.g. social security numbers), traces of financial activity and shopping activity, mails, tweets, talkbacks, messages, personal interests, hobbies, habits and behavior patterns, places we’ve been to, navigation routes we’ve taken, social data and social interaction, photos, videos, jokes, nicknames, memes, real time video streaming (a la Periscope/Meerkat)… And the list only grows as more forms of social media are introduced.
Our identity is Ethereal — like the Internet itself.
Who owns your identity?
Short answer: Not you.
Long answer:
Your “root identity” — your national identity given to you at birth, whether analog/paper or digital — belongs to the issuer, that is — the state.
The Internet is roughly divided into 2 distinct categories of players where one’s identity is stored and used:
- Unregulated, commercial, social
- Mostly-regulated, financial, health, government
In both categories, one actually gives away the control and ownership of one’s identity. In both cases the players can, at their own discretion, revoke one’s account (effectively — one’s identity).
The main difference is that the regulated players are siloed. They have severe restrictions as to the usage of the personal data of the users, and due to business and competitive reasons do not share it even when sharing is permitted.
Privacy and identity security
Let’s admit it: Privacy is gone. Not so much because of the policies of the vendors who store and use our personal data. Mainly because we so willingly give it away without a second thought, not to mention leaving visible and very personal traces of our activity everywhere (tweets, talkbacks, social shares etc.).
“Identity theft”, the intersection of privacy and security — consider these 2 cases:
- When a Company Is Put Up for Sale, in Many Cases, Your Personal Data Is, Too (New York Times, June 28 2015)
- Large-scale data breaches and identity-related thefts: Adobe, Target and Anthem.
So which case is more “identity theft” than the other?
In both cases important and sensitive personal data of yours gets into the possession of entities and people you don’t know, without your explicit consent. It will be used against your will or consent, let alone your control. And to top it off, it will probably be used in a malicious or harassing way — from “innocent” and “legitimate” commercial spam to money theft.
Not only is our identity everywhere, but it’s also unprotected for the most part. No need to “steal” identity, one literally only has to pick it up.
Short recap:
- Identity is extremely hard to define
- Identity is everywhere
- Identity is out of control
- Identity is unprotected and unsecured
Now, there’s a recipe for disaster…
We have to embrace the reality of no privacy. What remains is security. We cannot compromise on our identity’s security. The less privacy there is, all the more identity security must be put in place (two of my recent posts: The Ethereal Perimeter and Identity, cyber kill chain and all that relate to this issue as well).
Harnessing the Ethereal Identity: Towards Identity Chain of Trust
One of the most successful security models is that of the certificate chain of trust. Adapting this model to identity makes perfect sense: It’s a holistic and deterministic system; it allows authentication and validation using credentials which are always hidden from sight and never exposed; and it offers an operational model which is secure, flexible and extensible.
It all begins with the ability to rely on a trusted identity — a Root Identity which is authentic, official, secure and verifiable. An identity against which all authentication and validation actions can be made, the master authenticator & validator of one’s identity.
That type of identity already exists — the good old national identity.
Once we have that trusted source, we can begin to add the rest of the building blocks.
The main elements comprising the identity chain of trust:
- Root identity: One source of verifiable identity
- Certified and trusted identity brokers (aka CSP — credential service providers)
- Participating vendors (aka RP — Relying Parties)
- End users
Granted, governments cannot become an active player in the identity game. So in order to facilitate usage of root identity in this game, new entities must be established: Identity Brokers (aka CSP — Credential Service Provider).
While root identity is the anchor of this model, identity brokers are its heart. These will be security vendors, trusted and certified by the government to use the root identities for identity security purposes. They will be connected and integrated with all participating players (RPs). They will be the identity security hub for the end users.
Every participating vendor requiring secure identity services (e.g. authentication, SSO, identity validation, transaction authorization etc.) could become a Relying Party (RP). There are no limitations as to who can become RP: Every player/vendor providing services to end-users, which require secure authentication and/or identity validation.
Examples: Ecommerce, mobile commerce, SaaS and cloud, mobile apps, ebanking, ehealth, eGov. As a matter of fact — even enterprises.
As for end-users, all they will have to do is sign up to the service and authorize the level of activity/validation they’re interested in.
Modus operandi of identity chain of trust
Identity brokers:
The purpose of the identity broker is NOT to become a single-sign-on (SSO) provider, although this capability is inherent. Its purpose is to (1) validate the users to requesting RPs, and (2) authenticate users to these RPs.
What sets the identity broker apart from the roster of authentication providers is its ability to validate users. Validation, especially if done in real-time, is the game-changer of the identity space.
User validation lends itself to a host of services the identity brokers will be able to provide, above and beyond authentication. It will make it possible to approve transactions, sign transactions (regardless of the signature protocol/format), carry out legally-binding actions and much more.
Mutual anonymous trust:
The identity broker must be secure & trusted, that is — comply with all required regulations and standards. It must NEVER use the stored & used personal data for any other purpose save for identity security. Moreover — none of the stored and used data will ever be shared with any external entity/user. The entire use of stored data will be done within the confines of the identity broker and never exposed to anyone anytime.
The more data the participating RPs share with the identity broker, the more context is added to the actions performed by the identity broker. More context means more accurate and faster actions.
Since the data will be used by the identity broker to assure and validate actions carried out for other RPs, there will have to be an agreed-upon formal policy of “Mutual Anonymous Trust”. An example will provide the best explanation of this trust model: One’s purchase history at one etailer will be used to validate a purchase at another vendor, without any of the vendors’ data ever being shared with each other. Or: One’s history at one bank will serve to validate an account upgrade at a different financial provider.
The more vendors participate in the mutual anonymous trust, the more fine-tuned the user validation and authentication will be. There should be a number of authentication and validation levels, as not every user validation requires using the national/root identity.
As a rule, the identity broker will securely store only the minimal amount of user information and data required to carry out its tasks. Most of the other required personal data doesn’t even need to be stored at the identity broker, but can remain at the RPs.
Think of this radical scenario: The user doesn’t have to submit credit card and other sensitive details at the etailer/ecommerce/mobile app. Once a transaction using a credit card is required, the request goes securely through the identity broker, to the bank, and back again, without ever exposing ANY detail of the user or method of payment. None of this sensitive information will be transmitted over the channel the user uses with the app. This level of security can only be achieved by adopting the mutual anonymous trust model.
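The mutual anonymous trust flow described above (cross-vendor context used for validation, data never leaving the broker, root identity used only when needed), as an added example that is not part of the original post. The `IdentityBroker` class, the RP names, the sample history and the `root_registry` stand-in for the national identity source are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Decision:
    """What an RP gets back: a verdict and the level used, never raw data."""
    approved: bool
    level: str      # "context" (other RPs vouch anonymously) or "root" (national identity)
    reason: str


class IdentityBroker:
    """Holds per-RP signals about users inside the broker; no RP sees another RP's data."""

    def __init__(self, root_registry):
        # Constructed stand-in for the root identity source: user -> verified?
        self._root = root_registry
        self._signals = {}   # (rp, user) -> list of event dicts, never returned across RPs

    def share(self, rp, user, event):
        """An RP contributes context about a user (e.g. a completed purchase)."""
        self._signals.setdefault((rp, user), []).append(event)

    def own_history(self, rp, user):
        """An RP may read back only the signals it shared itself."""
        return list(self._signals.get((rp, user), []))

    def validate(self, rp, user, amount, root_threshold=500):
        """Validate an action for `rp`; other RPs' data is used but never disclosed."""
        # Context = other RPs whose history with this user is entirely clean.
        others = {r for (r, u), evs in self._signals.items()
                  if u == user and r != rp and all(e["ok"] for e in evs)}
        if amount < root_threshold and len(others) >= 2:
            return Decision(True, "context", f"{len(others)} vendors vouch anonymously")
        # High value or thin context: fall back to the root identity level.
        if self._root.get(user):
            return Decision(True, "root", "verified against root identity")
        return Decision(False, "root", "no root identity verification available")


# Constructed sample data: alice has clean history at two vendors, bob has none.
ROOT = {"alice": True, "bob": False}
broker = IdentityBroker(ROOT)
broker.share("shopA", "alice", {"ok": True, "amount": 40})
broker.share("bankB", "alice", {"ok": True, "amount": 1200})

if __name__ == "__main__":
    print(broker.validate("shopC", "alice", 120))   # approved at "context" level
    print(broker.validate("shopC", "alice", 900))   # high value: "root" level
    print(broker.validate("shopC", "bob", 900))     # no context, no root: rejected
```

Note that `shopC` never learns which vendors vouched or what they shared; it only receives the `Decision`.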
A significant side-benefit of mass-adoption of this model (specifically — the reduction of exposed users details and credentials) will be an overall reduction of phishing, spam and all other malicious activity based on easy harvesting of exposed personal data.
Concluding note:
We’re beginning to see green shoots: Kantara, UMA, FICAM, Identity Ecosystem Steering Group (IDESG) and more. Every now and then we hear clear voices urging us to go that way (for instance: Amazon’s Patrick Gauthier: It is time to re-invent Digital Identity, or Salesforce’s Ian Glazer: Identity’s TCP/IP Moment). But we’re still far from decisive adoption of this (or similar) models.
The sooner we get there, the better. Literally — our very identity is at stake.