Catalyst Conference 2008


February 26, 2008

Third time: Not always a charm

Blogger: Kevin Kampman

Last week was an identity theft week for me. First, I was contacted by a local news reporter for background on who was most vulnerable to identity theft. In the same period, I received a mailing from the US Postal Service with an insert from the Federal Trade Commission on preventing identity theft. I then received a solicitation from a financial institution offering to sell me identity theft insurance. I guess if the fox has to watch the henhouse, it might be worth asking you to pay for the inconvenience…

To top it off, I took notice of the seven-year-old boy in Illinois who was notified by the IRS that he owed $60,000 in back taxes. It appears that a 29-year-old stole the child’s information not long after he was born, then used his identity for jobs, goods, and services. The perpetrator was subsequently charged with felony identity theft. The article does not say if the IRS backed off from trying to collect from the seven-year-old. One can only hope.

It will be really unfortunate if this child bears the stigma and the associated costs of this incident. The truly guilty parties are those who failed to properly vet the stolen identity information in the first place. When businesses start to accept their responsibility for accepting stolen identities, we won’t be made to pay for their lassitude, and the chickens will truly be safer.

I am concerned that business and government may both be aligned to blame the individual, when in fact they own the responsibility for the failure to protect the individual’s interest. Accepting stolen credentials is really their problem. Until we recognize this fundamental characteristic, and the associated changes that need to occur in business and government, stories like this will continue to make headlines.

February 25, 2008

It’s more than privacy policy and security policies

Blogger: Gerry Gebel

Over at the Privacy Law blog, I found a post about the troubles Life is good finds itself in because it “collected sensitive information from consumers and failed to secure it in compliance with its own privacy and security policies.” This incident reminds me of what I've said about web site privacy policies for a long time. Typical privacy policies have two sections: the first section expresses the sincere concern of the internet property when handling your personal data and they share at least some of their intended uses of your data. The second part of the policy then goes on to say exactly how the internet property is going to violate your privacy by evaluating traffic patterns, sharing data with partners, etc.

Of course, as long as we insist on overloading simple e-commerce transactions with personal data, then bad things will happen. No amount of encryption or other security practices can provide the internet property with 100% assurance that the sensitive data it is now custodian for will never be abused or fall into the wrong hands. A regular litany of data spills reminds us of the increased risk a merchant takes on when it must manage excess personal data. The data model currently used for e-commerce (and even in bricks and mortar sites) is straining under pressure from all sides. Visa and others behind the PCI standard are enforcing higher fines for non-compliance, as noted by Mark Mac Auly. The National Retail Federation, an industry organization, pushed back in an open letter to Visa and MasterCard. In dispute are the rules of what credit card data elements should be stored and for how long, among other issues. One of the primary purposes for storing credit card and customer data is to settle potential transaction disputes. The situation illustrates the tension between credit card companies, banks, and merchants regarding the collection, use, and archiving of transaction data.

My colleague, Bob Blakley, has blogged here about the identity oracle concept - a potential ingredient to a solution for today's personal data collection maladies. He also commented on the Life is good incident here. Bob's emphasis on the importance of intermediaries and agents for transactions makes a lot of sense. Consumers register with trusted agents, whose business depends on the protection of sensitive and private information. Retailers benefit if they can rely on intermediaries to reduce transaction risk - the retailer only receives payment approval codes, for example, instead of credit card number, expiration date, CVV code, etc. The equation works if the cost of the intermediary services is less than what the merchant could lose as a result of a data spill plus the cost spent in implementing security controls. Sounds like there is a business model in there somewhere.
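To make the intermediary model concrete, here is an added illustration (not Burton Group's or Bob Blakley's code) of a hypothetical trusted agent that keeps the consumer's card data, hands the merchant only an opaque approval code, and still answers the merchant's dispute queries by that code, so the merchant's own archive holds none of the card fields a data spill would expose. All class and method names are assumptions for this example.

```python
import secrets
from dataclasses import dataclass, field

SENSITIVE = {"card_number", "expiration", "cvv"}  # what the merchant must never hold

@dataclass
class Intermediary:
    """Hypothetical trusted agent: holds card data, issues approval codes."""
    _wallet: dict = field(default_factory=dict)     # consumer_id -> card data
    _approvals: dict = field(default_factory=dict)  # approval code -> transaction

    def register(self, consumer_id, card_number, expiration, cvv):
        # Consumer registers once with the agent; the merchant never sees this.
        self._wallet[consumer_id] = {"card_number": card_number,
                                     "expiration": expiration, "cvv": cvv}

    def authorize(self, consumer_id, merchant_id, amount):
        # Returns an opaque approval code, or None if the consumer is unknown.
        if consumer_id not in self._wallet:
            return None
        code = secrets.token_hex(8)
        self._approvals[code] = {"consumer_id": consumer_id,
                                 "merchant_id": merchant_id, "amount": amount}
        return code

    def settle_dispute(self, merchant_id, code):
        # A merchant may query only its own approvals; card data is never returned.
        rec = self._approvals.get(code)
        if rec is None or rec["merchant_id"] != merchant_id:
            return None
        return {"consumer_id": rec["consumer_id"], "amount": rec["amount"]}

@dataclass
class Merchant:
    merchant_id: str
    agent: Intermediary
    orders: list = field(default_factory=list)  # the merchant's own archive

    def checkout(self, consumer_id, amount):
        code = self.agent.authorize(consumer_id, self.merchant_id, amount)
        if code is None:
            raise ValueError("payment not approved")
        # Only the approval code and amount are archived for later disputes.
        self.orders.append({"approval_code": code, "amount": amount})
        return code

def leaked_fields(merchant):
    # Card fields that ended up in the merchant archive; empty in this model.
    return {k for order in merchant.orders for k in order} & SENSITIVE
```

A run with a constructed consumer (`agent.register("alice", "4111111111111111", "12/29", "123")`, a well-known test card number) followed by `Merchant("shop-1", agent).checkout("alice", 42.50)` leaves `leaked_fields()` empty while `settle_dispute()` still resolves the code for that merchant and refuses it for any other.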

Getting back to my earlier point - it's not the privacy policy that is at issue. It's the data collection policy that must be examined - especially as it relates to transaction metadata. Now is the time to think about new data models that are better suited to 21st century commerce.

February 15, 2008

Moving beyond command and control

Blogger: Gerry Gebel

Lately, I’ve been thinking a lot about the big challenges of the identity management industry as it’s currently constructed. The tag line I’ve been using is that “the end of command and control is near” – as far as the way we approach the administration and control of access to systems and resources. Our collective IT admin culture is to control every aspect of access to systems in our domains – registration, credential issuance, authentication, access administration, and so on. Such an approach is reminiscent of the X.500, top-down hierarchical ways that are so difficult to implement within dynamic, fluid organizations. This works relatively well, however, if most resources and users exist under the same roof – but that is rapidly changing as businesses and organizations become increasingly distributed. Can IdM technologies and administrative practices keep up with the pace of change?

The current generation of IdM products actually reinforces the traditions of centralized control structures. Technologies such as user provisioning, federation, and of course PKI rely on excessive coordination and orchestration to be optimally implemented. Highly distributed and massively scalable organizations can’t operate in this manner, and it’s not too far from your future to tackle problems like: onboarding 100 million new users during a weekend marketing campaign, enabling 500 new joint ventures or partnerships and decommissioning 600 others in a couple months, or operating an application that reaches a billion users. How well do you think it will work with today’s tools and approaches?

Evidence of change and evolution is all around us. The globalized economy applies pressure to and creates opportunities for modern organizations. Enterprises are driven to focus on core competencies – and outsource or offshore everything else. Software as a Service (SaaS) companies continue to emerge and are growing steadily; some studies estimate that SaaS applications will represent more than half an organization’s business application portfolio over the next 5 years.

Executive management understands the new business dynamics and seeks ways to leverage them for business advantage. IT and security departments, for the most part, haven’t gotten the message yet. It’s hard to let go of the command and control mindset that’s been ingrained in our thinking. You’ll recognize the ailment if you see or hear symptoms like:

  • Access to our applications is only permitted if we issue the credentials
  • I don’t trust their identity management systems or practices
  • We must collect as much data on partner users as we do for our own employees in order to vet them
  • “Can’t we solve this with PKI?”

Technologies like federation help us make incremental advancements beyond the command and control approach. If we permit authentication to occur outside our domain and project this information through a federation exchange, that’s a sign of progress. However, federation products, as they are currently constructed, still require considerable coordination between parties in order to establish the connection: we focused on this issue at Catalyst last year. So, it was interesting to see the recent video sparring between Sun and Ping Identity regarding what they’ve done to address this from a technology perspective. To follow up, we recorded a podcast this week with Sun, Ping Identity, and Covisint – which will be available soon on the podcast site.

More incremental change is what we can expect in the near term until different identity business models emerge. Similarly, the introduction of OpenID and information card systems purports to change the dynamic by providing more user control over identity data, but this is in name only – businesses still determine what attributes are required to complete an e-commerce transaction, and the user can select an information card that matches the business’ criteria. Real change happens when third party identity agencies and intermediaries proliferate and are utilized by Internet properties. Identity oracles, as described here, are examples of intermediaries that are beginning to appear in the marketplace.

Identity-based intermediaries and agencies handle the heavy lifting of identifying and vetting individuals, freeing enterprises and other relying parties to concentrate on managing access to applications. It’s another step toward more scalable and manageable business applications. At Burton Group we are dedicating a fair amount of time to exploring new identity business opportunities, in addition to all of the more tactical research areas we cover. Please join in the conversation throughout the year and especially at Catalyst in June and October.