One of EMA’s advantages in having a base in Colorado is our proximity to a number of thought leaders in identity management, and nowhere is this more evident than at conferences such as the Cloud Identity Summit, an aptly-named event held in recent years here in Colorado’s high country (nearly as close to the clouds as one can get and still have one’s feet on the ground), and hosted by our Denver neighbors at Ping Identity.
With our focus on “Security as a Service” here at EMA, it seemed fitting to tune into this year’s Summit, held this past week – but what I took away from this event may be even more relevant to the acceleration of data-driven security that I’ve been seeing in the last several months.
Although a number of foundations for identity management have already been laid, the field continues to unfold. The need to rationalize identity in the enterprise with third party services and hosted technologies is clearly a factor in this evolution (certainly at this event, given its theme) – but so, too, is the proliferation of social networks, new mobile devices, and identity defined by the individual’s personal activity (as opposed to identity assigned by the enterprise). These factors were all in abundant evidence at this year’s Summit – but underlying all these was an even deeper and more consistent trend, calling out where tomorrow’s identity technologies may well be headed.
That trend is centered on a large and growing volume of information – available from a myriad of sources – that can help assure more precise identification, more finely-grained authorization, and more accurate defense against identity and access fraud and abuse.
An increased focus on identity attributes was one example of this trend evident at the Cloud Identity Summit, in talks by Ken Klingenstein and others. In essence, attributes are factors about users (and, sometimes, things – such as mobile devices) that can help better determine appropriate access to specific resources and limit the wider exposure of more sensitive identity information.
Attributes have long played a role in digital identity. Federation techniques, for example, enable me to access a third party service provider’s application by asserting my attribute of being an employee of a subscribing company. The third party application can authenticate me by transparently (to me) validating that assertion with my employer, which keeps me from having to log into the application separately. An extension of this example merges attribute-based access control (ABAC) with role-based identity when my access is based on the ability to translate my role as a customer of service A to my role as purchasing agent at company B.
These are only a few identity attributes, however. Consider the possibilities when applications are made aware of others. If I’m a citizen of a country having strict requirements for maintaining the privacy of my personal information, the application can be made aware of this and keep me from needlessly exposing sensitive data (and the application provider from violating privacy laws). Knowing my language preferences can enable an application to deliver content in my native tongue, or the services with which I’m most familiar. Validating the professional status of physicians and caregivers and their relationships to specific clinics, hospitals or other entities can help protect sensitive patient data. Accurate identification of first responders can help better manage access to sensitive information under emergency conditions. Verifying that someone is of legal age to enter into a transaction, financial account data and creditworthiness on both a personal and a corporate level, dynamic attributes that arise in real-time collaboration …the list goes on.
Given such examples, it’s easy to see how the range and variety of attribute data could readily grow. An increased focus on identity attributes also aligns well with those who collect and provide information about consumer behavior, creditworthiness, certifications and affiliations, and similar data, suggesting how those already in the business of managing this information could play a greater role in the future of digital identity. It’s not hard to see how this trend could give rise to “attribute providers” in the business of collecting and validating attribute data and making it available in new and creative ways.
The information explosion could also call the need for identity or attribute validation itself into question in some cases. Identity techniques such as federation focus on validating the assertions or claims users make that entitle them to access protected information. But consider the amount of information about people and their activity that needs little if any validation, due to its sheer volume and availability. In his talk on “The Death of Authentication,” Bob Blakely gave an interesting example of how authentication could be replaced by recognition, based on the information that can be learned about people and their characteristics from the mobile devices they carry. We are already familiar with mobile and social applications designed specifically to tell us about people and things nearby, as well what can be learned from social networks in hiring new personnel, for example. All this information could be used to build a more accurate picture of identity based on its sheer ubiquity and availability.
This potential can, of course, be taken much farther. Today, the technologies of risk-based authentication help to distinguish legitimate from fraudulent access attempts – when someone using the same username and access credentials attempts to log in from two vastly different geographical locations within a few minutes of each other, for example. Consider, then, the wealth of digital evidence of behavior – and how much of that can be applied not only to understanding an individual and their personal preferences and tastes, but also whether or not someone seeking access within a given context really is who (or what) they claim to be. A more complete picture of the context of access could also help refine access controls to protect the most sensitive information from exposure in networks beyond enterprise control. Better and more responsive access to ever increasing amounts of this data could go far toward refining both authentication and authorization, greatly improving the ability to distinguish fraud or an attack from legitimate access.
As we already know, however, the opportunity for learning more about individuals presents a dilemma: How do we strike a balance between using this information to protect the things we care about, and the need to preserve privacy?
Much of the data that can be mined for greater insight into identity and behavior that informs the authorization decision may already be available, through sources that legitimately collect this information, or at least have collected it with either the implicit or explicit consent of individuals. But that’s still an awful lot of information out there. And even when controls exist, people may simply choose not to use them – if they are usable at all. Facebook is often cited as a prime example of a resource, as Dick Hardt put it, “driven by access to information about the user rather than just which user it is.” Yet Facebook has been through so many changes in the way it handles privacy that it’s difficult to keep up with them all. Even so, many simply cough up the information that applications seek in exchange for something they want, regardless of the fact that, once information is exposed in today’s digital world, the genie may be out of the bottle.
Much investment has been made in identity technologies that give individuals tools for better controlling the information they share with third parties – a concept at the heart of pioneering identity initiatives such as the Liberty Alliance in years past. How will emerging approaches balance the opportunity of data-driven identity with its challenges?
These are some of the questions that face those on the threshold of what data-driven identity seems likely to become – and an exciting moment in the evolution of identity it is. Though not without its risks, a data-driven approach to identity also offers a tremendous opportunity for better protecting the information assets people care about, as well as making applications more responsive to individuals and better serving their needs.
How the answers to these questions play out will have a significant impact on the future of data-driven security well beyond the realm of identity management.
- Ping Talk Blog: Ken Klingenstein: Attributes, attributes, attributes (pingidentity.com)
- Canadian G-Cloud Identity (canadacloud.biz)
- New Standards Effort Targets for Privacy, Data Control (readwriteweb.com)
- Clouds and COINs (cloudbestpractices.net)