
May 23, 2007

Reporting on a REAL ID report

Blogger: Bob Blakley

DHS’ Data Privacy and Integrity Advisory Committee has issued its report on the implementation of the REAL ID Act; the report, which is excellent, can be found here.

The report’s introduction lays it out pretty explicitly:

“The REAL ID Act is one of the largest identity management undertakings in history. It would bring more than 200 million people from a large, diverse, and mobile country within a uniformly defined identity system, jointly operated by state governments. This has never been done before in the USA, and it raises numerous policy, privacy, and data security issues that have had only brief scrutiny, particularly given the scope and scale of the undertaking.

It is critical that specific issues be carefully considered before developing and deploying a uniform identity management system in the 21st century. These include, but are not limited to, the implementation costs, the privacy consequences, the security of stored identity documents and personal information, redress and fairness, mission creep, and, perhaps most importantly, provisions for national security protections.

The Department of Homeland Security's Notice of Proposed Rulemaking touched on some of these issues, though it did not explore them in the depth necessary for a system of such magnitude and such consequence. Given that these issues have not received adequate consideration, the Committee feels it is important that the following comments do not constitute an endorsement of REAL ID or the regulations as workable or appropriate.”

I’d make explicit the conclusion which the Data Privacy and Integrity Committee left readers to infer from their report:

The REAL ID act is a bad idea.  The problems with the REAL ID act listed in the Committee’s report should not be fixed, because fixing them will not address the core issues the REAL ID act raises.  Fixing the problems the Committee has identified will simply produce the best possible version of a very bad system.  If the REAL ID act is implemented, there is no chance it will meet its stated goals; there is every reason to believe it will have many unforeseen adverse consequences; and there is every reason to believe its costs will be huge in proportion to its benefits.

There are many reasons the REAL ID act is a bad idea, even if the Committee’s issues are addressed; here are a few:

  1. The REAL ID act will spend an enormous amount of YOUR money on a technology which cannot in principle solve the stated problems.  An ID card does not now and cannot ever tell the authorities whether its holder intends to commit a terrorist act.  No unforgeable ID card can be produced, and if one could be produced, fraud would simply be refocused from attempts to counterfeit the card to attempts to subvert the issuance process to issue legitimate cards to the wrong people.  It is not clear that the US legal system could be bent to require people to carry and present cards in all situations of interest, and even if it could, many Americans would not want to live under the legal system which would be required.  And finally, of course, requiring the same card for lots of different high-value transactions makes the card itself a very high-value artifact, which makes the reward for counterfeiting the card very large, which makes it economically sensible to invest significant resources in developing equipment and techniques which can counterfeit the card....
  2. The REAL ID act hands responsibility for solving a problem (terrorism and identity theft) to organizations (state DMVs) whose job does not involve solving these problems, who have no expertise in solving these problems, and who do not benefit in any way relevant to their own performance metrics from solving these problems.  It should be expected that states will implement the terms of the act grudgingly and ineffectively, as, from their point of view, there are only costs and no benefits.  Identity theft should be addressed by banks, not by the DMV.  Terrorism should be addressed by the state department, the defense department, and the police; not by the DMV.
  3. The existence of a single, federally mandated identifier for all US persons, required for all high-value transactions, will INEVITABLY create a host of secondary uses and a large number of unforeseen consequences.  Most of the secondary uses will work against individuals by denying them privacy protections and access to services.  Most of the unforeseen consequences will create risks for individuals and DMVs without involving any party who has the resources, expertise, and incentive to assume liability for losses or to mitigate risks.  I’ll go so far as to predict the first unforeseen consequence now: if this act is implemented, it will quickly be discovered that there is a large class of US Citizens who CANNOT BE IDENTIFIED in the way required by the act, because they lack the necessary documentation.  The system will then have to be modified to allow the rules to be broken for these people – and the alternative identification process thus created will become the first focus of identity thieves.

May 22, 2007

Death of the Attribute

Blogger: Kevin Kampman

Last week, I received a request from one of our Burton Group consultants for help in identifying where data breaches had occurred. When he saw the list, his response was unprintable. In another comment about data breaches, University of Colorado student Carrie Roll indicates that exploitation of this information is a disaster in waiting: "If anybody thinks their information hasn't been stolen yet, then they're pretty naive. Your information is gone, and it's just a matter of time until someone decides to use it."

This dismal outlook is closer to the truth than we want to admit. Industry has played fast and loose with identity information, and now we are all paying the price. Using common identity information for trustworthy business transactions is becoming more and more difficult, since much of the information has either been compromised or is available for a price from identity aggregators. Just doing a phone number lookup on the Internet introduces you to sources of identity information that may know more about you than you know yourself (see “The End of Secrecy”). Not to mention the inconvenience and personal hardship that identity thefts create for those who have been compromised. Without identity attributes, we’ll soon find ourselves in a situation where interpersonal relationships are the only viable mechanism to assert that someone is who they say they are.

Businesses, educational institutions, and others have only themselves to thank for this morass. Early in my IT career (last century, enough said) I learned that Social Security numbers (SSN) weren’t unique and were “not for identification” purposes. All you have to do is read the bottom of the card, which apparently no one does. This issue is especially relevant for multi-national firms, since not every government has an identifier for its citizens. However, I quickly discovered that SSN was the common attribute for identity purposes in both North American commerce and education. So, on we went, blindly and full of faith that this would work forever. We didn’t realize that attributes are only protected to the extent that the systems that use them are secured. Although many attributes aren’t “private”, their publication or exposure lessens their value as a means to uniquely identify someone, or to assert their intent to enter into some form of relationship.

Today, the security of individual attributes like SSN and even attributes in combination are increasingly suspect. Financial institutions are leveraging information that only the individual asserts to know (unverified in many cases) for challenge/response identification purposes. Their usefulness becomes less viable as they are used in more and more cases, and eventually subject to compromise. Since biometrics represent just another attribute, the chance that someone will compromise these is just as likely as any other information. Just a matter of time.

The pool of identity attributes is much like any other natural resource, something to be protected and preserved. As this pool diminishes, we’ll lament their passing and the perils and inconvenience their absence creates. The creation of new identity attributes will be costly, in terms of their integration with systems that consume them and the retrofitting of legacy applications. Not to mention the inconvenience to individuals. This makes the case for disciplined protection and handling of personal information, risk management, and the assumption of liability by those who disclose and misuse it (see Bob Blakley’s post on the identity oracle). It also makes the case for identity services, so that the information is handled in a more controlled and manageable environment. Otherwise, we’ll be counting on birthmarks and the word of our neighbors when it comes to identity assertions.

May 15, 2007

SAP acquires MaXware

Blogger: Lori Rowland

This week SAP announced its acquisition of MaXware, a privately held identity management vendor located in Trondheim, Norway. The core of MaXware’s identity management offering is its user provisioning and virtualization capabilities. 

On the surface, this acquisition may seem nothing more than continued consolidation in the identity management (IdM) market. However, in reality this acquisition has deeper roots and may have a larger impact than expected. 

Those familiar with the applications side of the IT world know that SAP and Oracle have a long and colorful history. In the 90’s the PeopleSoft and SAP rivalry was at its peak. The vendors’ respective ERP applications were still evolving -- the products were differentiated feature-by-feature, module-by-module. Other players in the market included JD Edwards, Siebel, Hyperion, and a little company called Oracle (okay- maybe not so little, but it was much smaller than it is today). SAP had a stronghold on the European market while PeopleSoft sales were skyrocketing in North America.

As history has shown, the only thing consistent is change. Oracle began its buying frenzy in late 2004 with its acquisition of PeopleSoft. Since that time they have acquired JD Edwards, Siebel, and most recently Hyperion – virtually wiping out its competition with the exception of SAP. Today, Oracle and SAP dominate the enterprise application market. These vendors are differentiated not by product features but by strategy, vision, and peripheral components (e.g. services, middle-ware, security, audit, and identity management).

In 2006, Oracle entered the IdM market through the acquisition of Oblix, Octetstring, and Thor Technologies which offer access management/federation, virtual directory, and provisioning features respectively. Oracle Identity Manager is a component of Oracle’s Fusion Middleware product family. Oracle positions its IdM products as an “application-centric” solution.

SAP also made several acquisitions. In 2006, SAP acquired Virsa Systems, an enterprise application controls management vendor offering access control and separation of duties features for the ERP environment. Virsa has been re-branded SAP Governance, Risk, and Compliance (GRC) Access Controls. SAP GRC Access Controls is just one component of SAP’s GRC product family. 

In March 2007, Oracle announced its GRC Suite, which includes technologies acquired from Stellent, Inc. The rivalry between these vendors has begun to resemble a game of Battleship, with SAP’s acquisition of MaXware representing return fire on Oracle’s various IdM acquisitions. Both Oracle and SAP now have a GRC suite and an IdM offering. The interesting thing about this game of Battleship is that so far no one has been wiped out.

At first glance, it appears that Oracle and SAP are merely firing shots at one another.  This is true to some degree. These vendors are each trying to bring added value to their core application and platform. The ERP business is the core business for these vendors. This is similar to Microsoft’s strategy – if customers buy peripheral components (MSWord) they are more likely to remain committed to the core platform (MS Windows, XP, etc.).  Peripheral components sustain the “cash cow.” 

SAP’s entrance to the identity management market does however change the dynamic beyond the existing rivalry with Oracle. The acquisition will have a direct impact on the identity management market. Exactly how the market will be impacted will remain somewhat unclear until SAP reveals its long-term identity management strategy and roadmap.

SAP’s acquisition of MaXware has potential to impact the identity management market in several different ways such as:

  • Application-centric identity management becomes a reality. Oracle’s and SAP’s IdM offering will truly have tighter integration with their respective enterprise applications. Integrating with ERP applications will be simplified.
  • Identity becomes an embedded component of enterprise applications. Enterprise applications become the trigger for identity events rather than just a consumer. This has been something that Burton Group has predicted for some time. Both SAP and Oracle have the opportunity to make this happen.
  • Identity as a service. Again this is something Burton Group has been promoting.  SAP has potential to influence identity as a service by combining its NetWeaver, SOA, standards, and identity strategies.
  • Most obviously, SAP’s acquisition brings additional consolidation and competition to the IdM market.

This acquisition was probably not terribly surprising to those watching the IdM market. However, the game is not over. To be successful SAP must take the time to understand the needs of its customers (and potential customers) in the IdM market. Oracle and SAP both have the opportunity to truly impact and influence the services, IdM, security, and risk management markets while solidifying their competitive stance in the enterprise application space.

May 09, 2007

Braying About Sun’s OpenID Support

When I read the first few lines of Sun’s press release announcing support for OpenID, I almost quit reading because it seemed un-newsworthy. And for you PR folks writing press releases, here’s the kind of stuff that triggers my “so what” response: “Through its new initiative, Sun is exploring what changes and practices are needed to make OpenID applicable to a broader spectrum of business and IT challenges.” Alert the media!

But Sun’s use of OpenID as an outward-facing registry of their workforce is an interesting move. Few businesses will trust just any old OpenID provider; rather, businesses will likely accept only OpenIDs (if any) from a provider on a whitelist. By tying a corporate identity to an OpenID, the relying party can improve the assurance of the issuer and make inferences however they may.

OK, still not huge news, but Sun’s initiative has incited the right kind of dialogue among OpenID enthusiasts. Tim Bray blogged on Sun’s forthcoming OpenID provider, which reinvigorated the identity gang mailing list. I’m convinced that the actual solution won’t be nearly as rosy as Tim portrays it. I’m not sure, for example, just how confident you can be that someone holding one of these OpenIDs is really a Sun employee (or just a contractor or former executive). But in my view, Sun’s pushing OpenID in the right direction.

In fact, I’d like to see these ideas taken much further. The Diffie-Hellman qualities of OpenID can be put to much better use than the SSO use cases so often cited. It’s as if the OpenID community serendipitously stumbled onto something that is of great value and has yet to realize it. I alluded to this in a previous post. Although the name “OpenID” is catchy, it’d be better if we didn’t think of OpenIDs as IDs; and it’d be better not to think of the URIs associated with OpenIDs as usernames. And it would be great if people could have a dozen or so of these things at their disposal.

I recently published a report at Burton Group called, “In Search of the Internet Identity System: Contrasting the Federation Approaches of SAML, WS-Trust, and OpenID,” in which I proposed an alternative use of OpenID. Here’s an excerpt:

OpenID Is for Showoffs

Although its proponents tout SSO as the most important feature of OpenID, the standard can be put to better use. The proofs in OpenID allow for a certain kind of interaction that is of great value on the Internet. Roughly, OpenID enables a person to demonstrate control over a given web property to a stranger (who understands OpenID). It’s a web version of showing someone you own a car by hitting the “unlock” button on your key fob. Although this might seem a high-tech form of showing off, it can also be used in reputation systems. For example, a user may demonstrate control over a dozen popular websites to gain access to an exclusive site. The user may also demonstrate ownership of a particular reputation (on eBay, for example).

OpenID not only demonstrates a relationship, but to a degree, projects the status of a relationship, because the demonstration is dynamic (not based on historical certification). Once a user can demonstrate control over a resource (such as reputation), the user can then offer it as collateral in forming a new relationship. Accordingly, in the hands of astute architects, OpenID may be used to reduce risk in relationships. (For more information, see the post “Law of Relational Risk” on the Burton Group Identity and Privacy Strategies blog.)

In short, OpenID may be a convenient, scalable way to project high quality signals to perfect strangers. (For background on the topic of signaling, have a look at the work of Judith Donath). Using OpenID in this way may also satisfy the need for multi-factor identity that I pointed out in my post on the law of relational risk:

… single sign-on (SSO) efforts are often misguided. In the interest of promoting relational continuity, the more authenticated connections the better—particularly if the user can parlay these authentications into improved reputation. Recognition of participants based on multiple channels of connectivity would be the method for improving identity assurance rather than on a single login event.

To me, these are important elements for creating functional online relations and societies. At Catalyst, we’ll be proposing other pieces of a technical architecture to support relational and social processes important to social trust. So if you have any thoughts on the subject, please drop a comment on this post!
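As an added example (not code from this post, from Sun, or from the Burton Group report), here is the relying-party side of the provider whitelist discussed above: an OpenID 2.0 positive assertion is accepted only if it comes from a listed provider, discovery on the claimed identifier still names that provider, the association signature verifies, and the response nonce has not been seen before. The provider endpoints, identifiers, discovery table, MAC key and "current time" are constructed assumptions.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Hypothetical relying-party (RP) policy: accept assertions only from these OP
# endpoints. Constructed values, not a real provider list.
OP_WHITELIST = {"https://openid.example-corp.test/server"}

# Constructed stand-in for re-running OpenID discovery on the claimed identifier
# (a real RP fetches the identifier's Yadis/HTML discovery document over HTTP).
DISCOVERY_TABLE = {
    "https://openid.example-corp.test/alice": "https://openid.example-corp.test/server",
    "https://free-op.test/mallory": "https://free-op.test/server",
}

# Constructed association MAC key shared between the RP and the corporate OP.
CORP_MAC_KEY = hashlib.sha256(b"constructed association secret").digest()
RETURN_TO = "https://rp.example.test/return"  # the RP's own return URL (constructed)
NOW = datetime(2007, 5, 9, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

def kv_form(params, signed_fields):
    """OpenID 2.0 Key-Value form of the signed fields, in openid.signed order."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_fields)

def sign(params, mac_key):
    """Return a copy of params carrying openid.sig (HMAC-SHA256 association)."""
    signed_fields = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(params, signed_fields).encode(), hashlib.sha256)
    return {**params, "openid.sig": base64.b64encode(mac.digest()).decode()}

def signature_valid(params, mac_key):
    """Recompute the signature and compare it to openid.sig in constant time."""
    expected = sign(params, mac_key)["openid.sig"]
    return hmac.compare_digest(expected, params.get("openid.sig", ""))

def nonce_fresh(nonce, seen_nonces, now, window=timedelta(minutes=5)):
    """response_nonce starts with a UTC timestamp; reject stale or replayed values."""
    try:
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return False
    if abs(now - issued.replace(tzinfo=timezone.utc)) > window or nonce in seen_nonces:
        return False
    seen_nonces.add(nonce)
    return True

def accept_assertion(params, mac_key, seen_nonces, now):
    """RP-side policy for one positive assertion. Returns (accepted, reason)."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    op = params.get("openid.op_endpoint")
    if op not in OP_WHITELIST:
        return False, "provider not on whitelist"
    claimed = params.get("openid.claimed_id")
    # Discovery must name the same OP, so a listed provider cannot vouch for
    # identifiers it is not authoritative for.
    if DISCOVERY_TABLE.get(claimed) != op:
        return False, "discovery does not map claimed_id to this provider"
    signed = set(params.get("openid.signed", "").split(","))
    if not {"op_endpoint", "claimed_id", "identity", "return_to", "response_nonce"} <= signed:
        return False, "required fields not covered by the signature"
    if params.get("openid.return_to") != RETURN_TO:
        return False, "return_to mismatch"
    if not signature_valid(params, mac_key):
        return False, "bad signature"
    if not nonce_fresh(params.get("openid.response_nonce", ""), seen_nonces, now):
        return False, "stale or replayed nonce"
    # What is now known is which issuer vouched for which identifier; whether
    # the holder is an employee, contractor or ex-employee is a separate question.
    return True, f"{op} vouches for {claimed}"

def constructed_assertion(claimed_id, op, nonce):
    """An unsigned positive assertion with constructed values, for demonstration."""
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "constructed-handle",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
```

The whitelist and discovery check together answer only "which issuer vouched for this identifier"; the employee-versus-contractor question raised above has to be settled by a separate attribute or policy, not by the assertion itself.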

[posted by Mike Neuenschwander]

May 03, 2007

The Law of Relational Projection

Previous posts on laws of relation describe the dynamics of parties within a relation. But how do discrete relations combine to form complex structures, such as cultures and societies? In this post, I propose the Law of Relational Projection—a postulate on how relations relate to each other. For relations to inter-relate, there must be some notion of a boundary between relations and a theory for how loosely connected relations can coordinate activities.

The Law of Relational Projection
The law of relational projection distinguishes between parties directly involved in a relation from parties with only informational interest—let’s call the latter “observers” for now. Inter-relational dynamics are primarily based on informational projection, by externalizing information about the state, nature, longevity, and outcome of the relation. So the law of relational projection is this:

Any party with more than an informational interest in a relationship is a participant in the relationship.

Why does this distinction between observers and participants matter? Is the role of the observer so different from the roles of participants? After all, observers can influence the relation they’re observing, too—so why not treat them as the same class as the participants? The answer is that observers and participants present vastly different risks to the relation. The law of relational risk states that participants lose their contribution to a relation if the other parties don’t respond in kind. But this dynamic doesn’t hold true for observers. Because relations can exist with only loose dependencies on observers, the costs of observation are low and don’t require observers to ante up or participants to match relational contributions. But note that the law of relational projection requires that, to be an observer, a party must maintain only informational interest in the proceedings; conversely, at the moment parties interact with other participants they transition from an observer role to a participant role.

To draw a cryptic analogy to atomic theory, relational mechanics involve a kind of “strong force” (which governs the behavior of particles in very close proximity to one another, such as within the nucleus of an atom) whereas inter-relational bodies, such as observers, are influenced by something analogous to the electromagnetic force (which applies to particles outside the grasp of the strong force). For completeness’ sake, perhaps the gravitational force is something on a macro scale—such as how societies interact—but that’s beyond the scope of this post. Relations, like elements, therefore have a way to influence each other and to combine to form complex structures through projection of information.

This interplay of relations between immediate participants and observers also plays out in everyday experience. In a game between two teams in the National Basketball Association (NBA), the teams on the court are in an immediate relationship. The referees are also in that relationship, and by extension the NBA is also a direct participant in the relationship. Almost everyone else, including teams not playing in that game and the media, has only an informational interest in the relationship. These observers can cheer, cajole, and check the scores, statistics, and the outcome of the relationship—and plan accordingly—but their connection to the game is as an observer not as a participant. Of course, when a fan gets in a fight with one of the players on the court, the law of relational projection states that that person is now a direct participant—welcome or not—in the relation. In an NBA game (unlike on the Internet), barging onto the court has significant cost to the perpetrator. The person would be kicked out of the game, publicly humiliated, and possibly fined and sued. Accordingly, the NBA has found a stable equilibrium among observers and participants.

Relationships play out in a similar fashion in financial transactions. The immediate participants assume predefined roles, such as buyer, seller, and financer. The outcome of the relationship can be projected in terms of credit scores and seller ratings.

Making Child’s Play Out of Transactions
In online environments, the infrastructure for setting up and playing such games is woefully sparse outside the gaming community. But a general infrastructure would be a valuable asset for improving trust online. The infrastructure should enable people and organizations to create a playing field, define the roles that are necessary for the relationship to function, and provide transparency to would-be participants about the degree of symmetry among roles. And during the progression of the game and after its completion, there must be some way to project information about its status and outcome. Such an infrastructure would allow for stronger and widely diverse relationships, while allowing successful games (relational patterns) to be efficiently replicated on a grand scale.

On Participants and Interlopers
The law of relational projection qualifies a party as a participant whenever the party’s involvement is more than passive (informational). The law is objective, without regard for participants’ intentions in the relation or whether the party is even welcome. Where most people prefer to think of an evildoer, interloper, or criminal as a party outside the relationship, the law of projection states that the party is actually a participant regardless of how the other participants feel about it. In this model, then, evildoers are always insiders and play a role in the relation.

Resilient relations acknowledge the role of the evil insider and put controls in place to make attempts at exploitation costly to the perpetrator. Online systems must alert participants to the presence of new participants, for example. And entering a relationship should require some degree of cost to the perpetrator / participant; defection from the relation should be met with loss of contributions.

Projection and Federation
The law of relational projection helps clarify some confusion over federation approaches. One problem is that IT organizations usually don’t strongly type federated connections as purely informational (observer) or relational (direct participant). In so doing, they straddle a fine line between projecting the status of a relationship and attempting to control others’ resources and security infrastructure. Informational federations require almost no trust framework (such as contracts, collateral, social protocol), because the parties exchange information but provide no assurance of action. Relational federations are based on the dynamics of relational mechanics (such as relational risk and relational symmetry) and require highly structured or ceremonial interactions. Where these differences aren’t appreciated, organizations may over-engineer informational federations or create confusion by mixing styles.

Federation standards also differ in the types of federations they provide. OpenID is, I believe, at its root an informational, observational protocol. In contrast, protocols such as Liberty Alliance ID-FF, WS-Trust, WS-Federation, SAML are meant to facilitate relational interactions.

Projection and Privacy
Projecting relational information rather than personal information offers important privacy benefits, because the true identities of direct participants can be replaced by information about the relationship itself. In the example of two basketball teams playing a game, information about individuals takes second place to information about the teams and result of the game. Identification of the individual, as it were, fades into the background; what matters is the outcome of the game. Yes, the NBA tracks personal statistics and rewards players for various accomplishments. But those statistics are projections of another relationship (the players’ relationship to the NBA) and are designed to reward good citizenship among the players. And of course the NBA doesn’t generally post personal information such as their players’ personal phone numbers and social security numbers in the course of reporting on a game.

Similarly, individuals and organizations can play “games” with predetermined roles, rules, and playing fields without committing much personal information to the relationship or its informational projection.

The Relational Association Theorem
At the heart of every identity federation scheme to date is the notion of an identity provider (IdP) that generates assertions about a party. Some of the “federati” have prognosticated on the emergence of third-party identity brokers that enable identity transactions for individuals and businesses. But in practice, a generic third-party IdP has proven difficult to sustain. Bob Blakley called into question the business model of such an idea in a previous post.

The law of relational projection provides further tools for evaluating the effectiveness of an identification broker. If a broker does more than “gossip” (that is, simply exchange information about data subjects), the law says the broker is a party to the relation and not just an observer. But it’s unreasonable for a single broker to be a participant in all of an individual’s (or an organization’s) relations. This line of reasoning leads to a theorem on aggregating identifications, which is:

It is impossible to manage all of a party’s relational associations (identities) externally from the party

Passport didn’t fail for lack of trust in the Microsoft brand as a credential broker. Identity brokers fail when they are automatically pulled into relations in which they are unwelcome. The best a third-party IdP can hope for is enabling relations for individuals within a functional domain. This theorem therefore leads me to believe that technologies like Idemix (now at Project Higgins) and Credentica’s U-Prove are critical to the success of wide-scale federation. Though today these technologies aren’t available in consumer products, they could enable users to aggregate their relational artifacts while verifiably maintaining the integrity of claims they didn’t create.

[posted by Mike Neuenschwander]