User-Managed Identity Starts at Home

Secure Personal IdentityRecent news about intrusions into the online accounts of public figures like U.S. presidential candidate Sarah Palin and prominent companies like Twitter remind me of the not-too-distant past. These appeaer to be bellwether events pointing out that the general public is starting to realize the protection of their identity starts with what they can (and should) control. It sometimes takes high profile cases like this to energize action, a cycle that appears to repeat itself.

About 8 years ago I took on the challenge of securing the digital borders around the e-commerce systems for the Kraft Group’s sports properties. At that time, I could see a storm cloud gathering on the networked horizon as we built a system to unify all of the current properties and set the foundation to build out a series of interconnected portal communities. Looking forward, I knew that it was only a matter of time before a major press-worthy event would raise everyone’s awareness regarding the protection of user privacy, in the form of personally identifiable information (PII), and associated payment information.

Our business strategy was to build a core commerce engine that could handle online transactions embedded within each separate portal. Key to our success was enabling users to have a persistent identity throughout their engagement with our products. In this way we could minimize the barriers to their interacting with our content, as well as streamlining the purchase pipeline. Essentially, once users logged into any of our portals (to access premium/personalized content, manage accounts, and purchase products), we were able to effectively cater to them by simplifying their experience.

The problem with this single-sign-on model was that if a user account was compromised, the intruder could have free reign over the victim’s PII and associated payment information. I had to make the case for going the extra mile(s) by designing strict access control procedures, knowing that something bad was going to happen to a company soon and that we should be ahead of any reactionary solutions imposed upon us. I had a feeling that after some bad press, the e-commerce industry would be pressured to lock down the porous borders that were relatively common at the time.

Just such a case occurred in 2004 when hackers were able to access an estimated 8 million credit card numbers from BJ’s Wholesale Club. It took a few years for details of the incident to emerge, but it was clear even then that there were two primary issues: insecure access points, and poor audit logging. Regardless of whether it was an inside job (as was initially assumed) or an outside hack (which it turned out to be), BJ’s (among other compromised companies) had poor access control and monitoring.

This, as well as other similar incidents, prompted the creation of the Payment Card Industry Security Standards Council, founded in 2006 by American Express, Discover, JCB, MasterCard, and Visa. The payment card industry thus began requiring strict practices and controls around systems that perform above a modest threshold of transactions. It was a strong move, in advance of looming legislation, that helped steer wayward companies toward better practices. Regardless of the critiques of their programs, it has succeeded in shining a light on many problems needing to be addressed.

Fortunately, by the time the PCI guidelines hit the market, we were able to breeze through their audits. The commerce engine we’d built was tighter than what they required. It’s rare that you can so easily point to a situation like this where the extra capital cost on the front end so clearly saved money that would’ve been required to retrofit a running system.

Now, here’s where the history lesson circles around to become informative for current events. We should learn from these cases of identity intrusion and address the core issues. The obvious lesson is not to be cavalier regarding the protection of your email accounts. After all, they are your core identity asset in today’s online world. Be careful when setting up your email account and follow common sense when selecting passwords and associated “remind me” features.

Beyond what you can do for yourself today, the industry needs to step up it’s game, too. Fortunately, there are a number of efforts currently under way to help protect your identity. They just need to be more whole-heartedly embraced and helped to mature by the major players in the market. What’s uniquely interesting about many of the emerging solutions is that they’re user-centric, rather than being centered around any one company’s digital security practices. This focus helps solve the root problems: privacy protection starts at home, and it’s not a simple matter of more/better cyber-security and encryption.

For more information, and to become involved, I highly recommend following the open standards development relating to user-managed identity:

And, of course, the Internet Society Trust & Identity Initiative. Tell them I sent you.

July 22nd, 2009 | Commentary | , , , , , , | Leave a comment

Kantara to Build a Trusted Bridge

Kantara Initiative At the ID Workshop leading into the RSA Conference, we announced the impending formation of the Kantara Initiative. To those following the Identity Community, this wasn’t really ground-breaking news as we’ve been working on this for the past year or so (under various monikers). What was worth mentioning in the workshop, however, was that we’d signed a number of founding member organizations (including the Information Card Foundation, Internet Society, DataPortability Project, XDI.org, Project Concordia) and put out a call for more to join before the launch in a few months.  Oh, and we settled on the name.

After much (much) debate, the founders settled on the name Kantara as it is a Swahili word for “bridge” and has Arabic roots meaning “harmony”. And yes, we know that some people believe it should be spelled “Qantara” (while others want to add a trailing “h” on the end, too). In the end, there was strong support for the name as it blends key points of the group’s mission to:

Foster identity community harmonization, interoperability, innovation, and broad adoption through the development of open identity specifications, operational frameworks, education programs, deployment and usage best practices for privacy-respecting, secure access to online services.

Beyond the announcement itself, the bridge-building we hope to facilitate already struck a positive chord throughout the RSA Conference. Of the meetings I attended, here are a list of them where Kantara was mentioned (either by the presenters or in audience questions):

  • Fostering Collaboration and Opportunities in Identity Management
  • Federate Access Policy, Not Identity
  • Building Authorization into the Enterprise Identity System
  • Cloud Computing and Identity Challenges
  • Identity Management for the Cloud: Challenges, Opportunities, and Best Practices
  • Identity and Privacy Models

In each case, the comments were positive and hopeful. Like opening a new birthday present, the IdM professionals were excited to play with the new group. Our goal, of course, is to make sure the Kantara Initiative lives up to our collectively high expectations. Taking a page out of the Concordia playbook, the initiative will provide neutral ground for all participants. There is no cost for participation, and all contributors are welcome. The playing field is level, and we’re excited to see what projects take advantage of the unique opportunity to have a truly open dialog.

Kantara Announcement Tweet RaceThe Tweet Race: As you can tell from the photo to the right, Eve Maler (a.k.a. @xmlgrrl) was apparently happy that her Kantara announcement Tweet beat mine. I’m relatively convinced, however, that she cheated by typing her’s in advance (only needing to hit “send” from the stage), while I had to type mine on the spot. In fact, her announcement blog post also won. Hmmph.

April 24th, 2009 | Pointers | , , , , , , | Leave a comment

Reason to Choose an Identity Provider

Buried in a post about OpenID user experience by Chris Messina is a concise bit of advice for users:

picking an identity provider should be like picking a bank or credit card provider: as a fourth-party service provider that advocates for your interest, since you’re their customer!

The “fourth-party” reference is to an article titled “Get ready for ‘fourth party’ services” by Doc Searls in the Linux Journal.

Personally, I’m not a fan of the introduction of this term for the new party around the table. I like to think that a “third party” working on the user’s behalf fits the bill just fine. Following an object-oriented mindset, the third party can adopt the properties relating to it’s responsibility in a transaction without being locked between two others (necessitating a fourth).

What I do like, however, is the concept Chris clarifies later:

Instead of agreeing to terms of service that disclaim all responsibility to you, the customer, I hope that competition in the identity space will lead providers to actually take responsibility for their services — charging good money for doing so. If your account gets hacked — no problem! — your identity provider can put back the pieces and make things right again! You could even take out online identity insurance in case your identity is ever stolen — so you can always get back to your life and recover your data without the hassle and interruption when it happens today.

To unpack this a bit, I see a compelling use case for identity providers emerging, possibly piggy-backing on the PCI Security work. So far, the first quote about picking an IdP is falling on deaf ears as users don’t really think about their choice. They use what they use and that’s about as far as it goes. What users need is a compelling reason to think in terms of choice, and the model Chris suggests might be it.

I spent some time helping to build an affinity card system with MBNA a couple years ago, and that process was telling. As it relates to this discussion, I can easily see that they would jump on the opportunity to capture a market like this. All that needs to happen is for someone to write up a clear business plan around the concept. In fact, I’ll bet there’s an MBA student out there somewhere looking for their thesis.

In a nutshell, here’s what I think this looks like:

  1. Credit Card Company (C3) sets up a new product based on it’s current card-based account system.
  2. C3 stands up a full service identity provider (possibly built using the Higgins Identity Framework)
  3. For high value services, C3 executes federation agreements with key nodes.
  4. C3 contracts with an insurer to cover losses due to ID theft / masquerading (rates most likely locked to the NIST levels of assurance as codified by the Liberty Alliance Identity Assurance Framework).
  5. C3 then advertises the new product to it’s existing customers (ID validation fees waived as an incentive)
  6. Users now have a reason to choose C3 as their IdP for all high value applications (and might as well use them for everything else, too).

C3 still has to convince it’s customers (and attract new ones) to see value in paying for a secure IdP. I don’t believe this is too far away from happening organically, so now’s the time for a C3 to start working on the product line.

Further, it’s distinctly possible that Id end points are going to force the issue by requiring verified identity assurance and security beyond what your run-of-the-mill OP can provide. Hence services like MyID.is (which has it’s own issues, of course, but that’s the direction). If a C3 gets in the game, I have a feeling they’ll be able to build a more effective federation of trust, even when used in an anonymous context.

April 8th, 2009 | Commentary | , , , , | Leave a comment

Parity, Azigo and Benefit Reminder I-Cards

It’s exciting to see Paul, Jack, =Drummond et al. at Parity releasing a useful customer app under their Azigo brand. They’ve taken the serious foundational work of Higgins and built on top of it a helpful I-Card application.

Their new I-Card offering is called “RemindMe“, and it’s designed to interact with sites you visit that include available membership benefits. By downloading the RemindMe I-Card (assuming you already have the Azigo Card Selector and associated Firefox plugin), you’ll start seeing overlays on various sites (like during Google searches) notifying you of available member offers.

For example, if you’re a member of AAA, you might not realize that the hotels you’re researching for your next trip will give you a discount. Azigo’s RemindMe I-Card will pop a notification into the search result page. Beyond benefiting members, the organization gains visibility as the overlay will appear for anyone with RemindMe, encouraging people to join to access the offer.

Based on a recent post by Phil Windley, it looks like they’re using the Kynetx Network Service to power the overlays. It makes sense to leverage their APIs and focus on the card management experience.

It’ll be interesting to see whether the I-Card model will take off, though. It’s going to be tough convincing people to buy into the experience enough to download a card selector application and then install various I-Cards. If they can hitch their wagon to a useful application, they should be able to go along for the ride, but they’ll need a compelling value proposition to overcome the download.

December 31st, 2008 | Pointers | , , , , | Leave a comment