Stopping a Clapper Over WikiLeaks

27.01.2012 by Tim Cole

The U.S. government announced plans to put in place within the next five years measures designed to make it impossible to pass on sensitive information to the likes of WikiLeaks. They hope to accomplish this by “tagging” information so it can be tracked in case someone shares it with outsiders.

The idea of creating “information-rich information” is obviously the right way to go in addressing privacy and security concerns in the Digital Age. It is possible, technically at least, to attach rules to individual pieces of information, such as who is allowed to do what with it and what happens if someone who isn’t authorized tries to access it or pass it on illegally. In fact, that is the whole idea of “information-centric IT security”, a buzzword that is gaining popularity among Digital Identity Management experts and privacy advocates.

But publicly announcing their aim of stopping another WikiLeaks-style exposure of classified information just shows that the Official Mind has yet to grasp the real implications of the Digital Revolution. “Information wants to be free” was originally a clarion call by Internet activists who believed that transparency should be the hallmark of an open society. In fact, the real motto is best encompassed in what I once dubbed “Cameron’s Law”, after Microsoft’s “identity guru” Kim Cameron, who once postulated that “sensitive information will be leaked”.

Yes, we all need to do all we can to protect privacy and guard crucial bits of information. But we should also be prepared for the worst. IT Security can create a false sense of confidence in our own defense mechanisms. At least as important as plugging holes in the dyke is to prepare oneself for the moment when the levees break and the floodwaters start to rise. Maybe “Remember New Orleans” would be a good slogan for security professionals to hang on their walls.

I found it particularly poignant to read the name of the official in charge of U.S. government efforts to create the Totally Secure System: Jim Clapper, the Director of National Intelligence, the mention of whom brings irresistibly to mind the old nautical expression about “clapping a stopper” over something, meaning to block something effectively. “Clapper” is actually the word for a safety valve – and as any engineer will tell you, the function of a valve is to let something out before the pressure reaches dangerous levels and pieces of stuff start flying around.

Of course, controlling the release of data so that only authorized individuals are able to see and use them is in fact what Identity Management is all about – or should be.


Slipsliding away from passwords

23.07.2011 by Tim Cole

Tell me a story!

Everybody hates passwords, because there are so many of them and keeping track is tricky. And of course we all know that passwords are inherently insecure, so we would all be better off with something else. Nowadays, there’s another reason to hate passwords, namely the profusion of smartphones and other mobile devices with itsy-bitsy, teeny-weenie keypads that make typing in long, complicated passwords a real pain.

Lots of people have spent lots of time trying to come up with alternatives. Biometrics? Smartcards? Keystroke recognition? Voice recognition? You name it, somebody’s done it, but so far no one has come up with anything simple and foolproof enough to convince the IT industry to shift paradigms.

One of my favorite quick fixes to the password dilemma has always been “Passfaces”, a system used, among others, by members of the U.S. Congress. It involves memorizing a certain number of faces and later picking them out of a matrix of other faces you’ve never seen before. Politicians, it seems, are especially good at remembering a face, so for them the system is ideal. Not so for normal people, as a study by the Department of Computer Science at University College London showed. “Passfaces took a long time to execute”, the authors wrote, “and participants consequently started their work later when using Passfaces than when using passwords, and logged into the system less often.”

Okay, so maybe Passfaces aren’t such a great idea after all. Which brings me to a conversation I had recently with Christoph Althammer of a tiny German start-up called Qintecs. Based in the medieval cathedral town of Regensburg on the Danube, Althammer and his friend Martin Kühnel have come up with something they call “3SID”, which at first glance looks like a spittin’ image (no pun intended) of Passfaces, but isn’t. In fact, it’s an ingenious way to avoid the need for passwords in smartphones and other devices equipped with a touch screen.

The way it works is like this: The user shoots photos with the built-in camera of his or her device and then concocts a little story. For instance, if I have a picture of my wife, my daughter and, let’s say, Moran’s Oyster Cottage in Galway, Ireland (yes, I just got back from vacation, why do you ask?), the story could be: “I went with Gabi and Valerie to Moran’s.” By sliding the appropriate picture over the previous one, you create a pattern which unlocks the device. Okay, it sounds a lot more complicated than it is, believe me.

Technically, the concept is very appealing because it doesn’t involve simply substituting a picture for a character or set of characters. The system actually uses the vectors generated on the touch screen to create a hash value which is then used as the identifier. All those Murdoch reporters using script kid tools to unlock people’s mobile phones don’t stand a chance of getting in by simply trying out all the possible combinations. You would have to actually look over my shoulder to see which picture I am pushing and where I’m pushing them, which would be tricky if I am using four or five images.

It took me about 10 seconds to get the trick, so I guess anybody could do it. And all I needed was my thumb, so I could probably do it while driving (although I don’t suggest anyone should).

But how do I reset the system if I forget my little story line, I asked Althammer. He beamed at me and showed me what I think is a really neat idea: Users are provided with a card containing a QR Code, which looks like a square bar code. All you have to do is take a photo of the code marker with the built-in camera of your smartphone, type in a password [sic!], and you’re off to the races.

Frankly, even if 3SID doesn’t catch on the way its investors would like, I think the QR Code idea deserves some attention by identity experts. Why didn’t I think of that?

Anyway, Althammer and his backers have secured a patent on their invention, and they’re actively looking for investors, so if you, too, hate passwords and would like to make a mint of money providing an alternative, maybe you should give them a ring. You can reach him at www.qintecs.de.


Having the right conversation on online banking security

22.03.2011 by Tim Cole

Sometimes the most interesting conversations are about something you never really expected to discuss, but I digress.

No, seriously: You sometimes get sidetracked on a topic that becomes so fascinating that your meeting is almost over before you get back to what you really wanted to talk about. Take for instance a conversation I had recently with Julian Lovelock of ActivIdentity. There are lots of things I as an analyst wanted to know about their recent acquisition by HID, who are at home in the “old” world of physical access management and who obviously wanted to buy into the “new” world of logical access control. ActivIdentity makes most of its money selling often highly customized authentication solutions to businesses, but they derive a large chunk of their income (about 20 percent) from what they call “commercial business”, which essentially means online banking.

Now, conventional thinking says that European and especially German banks are light-years ahead of the rather archaic US banking system in terms of offering customers online access to their accounts and portfolios, as well as in many other respects (nobody in Europe has used a check in at least a decade!).

ActivIdentity, Julian says, has customers in the financial industry on both sides of the Atlantic, so they know what the differences are. In a nutshell, he says, European banks are more concerned with security, while American banks worry about the customer experience. Anything that would make it hard for US consumers to understand what to do next is more or less automatically a non-starter, and if that means there is a bigger danger of the customer’s account being hacked, then so be it. If necessary the bank will simply reimburse the customer without too many questions asked and swallow the damage. Better, anyway, than watching him switch to another bank.


Does your browser know who you are?

15.02.2011 by Tim Cole

The lowly browser has come a long way since Marc Andreessen wrote the code for Mosaic back in his salad days as a student at the National Center for Supercomputing Applications because he was fed up with the line-mode interface intrepid Internet pioneers like us were forced to use back in the early Nineties. But Mosaic was a relatively simple program, and improvement set in almost immediately. First came plug-ins, then Java applets and extensions, and today’s web browsers are actually sophisticated and powerful packages of applications that can automatically handle anything from downloading music to playing radio or running videos. For most of us, the browser is our window to the world behind the computer screen, and in the age of cloud computing, it is poised to take over as the most important and widely used piece of software ever written.

At the Identity Collaboration workshop held yesterday in San Francisco on the eve of the RSA Conference, browsers seemed poised to take the next big step forward when Mike Hansen and Dick Hardt hosted a session which they entitled “Identity in the browser”. For that, though, the browser as we know it must be replaced by an intelligent application that stores the necessary credentials on the user’s machine and releases them on request by a website, thus saving us the trouble and bother of constantly typing in our user names and passwords or performing some other kind of authentication before being allowed to access content or services online.


Escaping from Cross-Platform Purgatory

05.02.2011 by Tim Cole

Things would be so simple if companies could just sit down and agree for everyone to use the same computers, or at least the same operating system. In a perfect world, everyone would use Windows or UNIX or Apple or Linux and IT admins might actually find time to lean back and rest their weary bones.

But since we don’t live in a perfect world, admins live in a nightmare of mixed platforms and systems where juggling sensitive data around is something Dante would have described in grueling detail if computers had been around when he wrote the “Inferno”.



Waking up to the walk-away problem

01.12.2010 by Tim Cole

Okay, just because I’m paranoid doesn’t mean they aren’t out to get me, right? But I guess that’s what comes from dealing too long with IT security people whose chosen profession involves trying to outsmart some very smart people on the dark side of computing.

I love listening to my friend Andy Müller-Maguhn, for instance. He’s one of the founders of the Chaos Computer Club in Hamburg, who likes to scare the heck out of managers in the audience by describing the ingenious ways hackers have for breaking into other people’s systems and what all the horrible damage they can do there.

Andy is one of the good guys, of course, or so he says. And yeah, you can hire him as a security consultant, just in case. Which sort of reminds me of the young men in Naples who wash your windshield while you wait at a stoplight and rip your wiper blades off if you don’t tip them.

Which brings us in a very roundabout way to a security risk I somehow never thought of before, but now it worries me no end. The guy who stirred me up is David Ting, a charming IT professional who founded a small company a few years back called Imprivata that has been generating a lot of publicity recently for a product called “OneSign Secure Walk-Away”. In fact, just last week they won the UK IT Industry’s prestigious “Security Innovation of the Year” award for it. Seems like folks in Britain were as disturbed as I was to find that there had been a serious security risk lurking under their very noses they had somehow overlooked.


You can’t have one without the other(s)

14.11.2010 by Tim Cole

Remember the old New Yorker cartoon about the canine computer user telling his sidekick: “On the Internet nobody knows you’re a dog”? That was back in 1993, but it still holds true. And while many, myself included, relish the anonymity the Net gives us, the inability to prove conclusively who is on the other end of the line can be irking, and even downright dangerous, when large sums of money or the running of critical or possibly even existential systems is concerned.

Of course, the username/password currently used by almost everybody doesn’t prove who you or I are at all. It simply proves that there is indeed an entry in a database that uses these attributes, so anybody who knows them can get in.

That’s probably okay for most use cases. After all, the world as we know it won’t come to an end if somebody hijacks my Facebook account. And for things like eBanking or PayPal I have additional ways of protecting myself: tokens, one-time passwords or Transaction Numbers (TANs), for instance. And yes, my laptop does have a fingerprint reader built in. I don’t have an iris scanner yet, but these things are available if needed. There are lots of other methods out there, such as systems that analyze my typing behavior or listen to my voice patterns. One of my favorites is a system called “PassFaces” which makes you memorize the faces from pictures of total strangers whom you are then required to pick out from a matrix of mugshots. Presumably, if you can recognize, say, three people, then this must be the real you knocking on my digital door.

Unfortunately, each of these methods has its foibles and weaknesses, so relying on any one of them just gets us back to square A, namely a relatively insecure system. So why not use a bunch of them simultaneously?

That’s the idea that occurred to the folks at Delfigo Security, a tiny South Boston start-up I visited recently. Their product, DSGateway, is supposedly able to analyze up to 17 different identity factors at once to create what Bharat Nair, who heads development at Delfigo, calls a “confidence factor”, and which I would describe as the probability of it really being me, as opposed to some crook or software robot trying to impersonate me.



Show me your terrorists!

21.10.2009 by Tim Cole

How many terrorists work for your company? Dunno? Well, see you in jail, pal!

I just came back from a meeting of the German chapter of IAPP, the International Association of Privacy Professionals, and the words of the chairman, Dr. Jyn Schultze-Melling, a lawyer with the firm Nörr, Stiefenhofer & Lutz, still ring in my ears: “We are sacrificing employee privacy on the altar of anti-terrorism.”

It turns out that firms are required by law to check their employees’ names against lists of terrorism suspects published by the United Nations and the European Union. In Germany, §34 of AWG, the Foreign Trade Law, forbids companies aiding or abetting persons or organizations that endanger national security or the “peaceful coexistence of peoples” in any way – like for instance paying them a salary. Failure to comply with this law carries heavy fines; up to 5 years in jail for the CEO, for instance.

On the other hand, European data privacy laws prohibit routine scanning of personal data without due cause. So if nobody has done anything suspicious lately, running their names past the UN or EU lists is probably illegal in many countries.

Of course, tell that to the families after some nut explodes a vest of dynamite in your company canteen and slaughters a few of your employees.

So yes, companies have to screen their own people, but when exactly? On hiring? What if the employee has a change of heart two or three years later and signs up for the Muslim Brotherhood? Does that mean you have to scan periodically, maybe once or twice a year? And if you live in a country like Germany where the works committee has a big say in these matters, how do you ever hope to convince them?

According to Schultze-Melling, there are loads of even more mundane problems to consider. For instance, Osama Bin Laden would hardly use his real name when joining your company, and probably not even one of the score or so aka’s he is also listed under in the UN list, but would choose an entirely new name instead. How about different spellings? After all, for an Arab speaker, Ahmed Gamdi, Ahmad Al Gamdi, Ahmet Gamdi, and Ahmed Al-gamdi could very well be one and the same guy. There are more than 32 spellings for Libya’s Colonel Gaddafi (or Qadhafi, Kadafi, Gadhafi, Qaddafi, etc.). Are you legally required to check them all?
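To show why the spelling question is harder than a plain string comparison, here is an added example (my own code, not from the post or from any screening product mentioned on this page): a small screener that normalizes transliterated names, compares them by a consonant skeleton with an edit-distance fallback, and runs the variants from the paragraph above against a constructed two-entry list. The article list, the skeleton rules and the 20% edit-distance threshold are assumptions chosen for the demo, and the watchlist is constructed, not a real UN or EU list.

```python
import re
import unicodedata

# Constructed sample list for the demo; not a real sanctions list.
WATCHLIST = [
    "Ahmed Al Gamdi",
    "Muammar Gaddafi",
]

# Arabic definite article: written attached, hyphenated, separate, or dropped.
ARTICLES = {"al", "el"}


def normalize(name):
    """Lowercase, strip diacritics, split on spaces/hyphens/apostrophes and
    drop the definite article, so 'Al-gamdi', 'Al Gamdi' and 'Gamdi' agree."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c)).lower()
    tokens = re.split(r"[\s\-']+", plain)
    return [t for t in tokens if t and t not in ARTICLES]


def skeleton(token):
    """Crude consonant skeleton (assumed heuristic): merges the transliteration
    choices behind Gaddafi / Qadhafi / Kadafi / Gadhafi / Qaddafi into 'gdf'."""
    t = token.replace("dh", "d").replace("th", "t").replace("ph", "f")
    t = t.replace("q", "g").replace("k", "g")
    t = re.sub(r"(.)\1+", r"\1", t)      # collapse doubled letters
    return re.sub(r"[aeiou]", "", t)     # drop vowels, keep consonant order


def levenshtein(a, b):
    """Plain edit distance, written out to keep the example dependency-free."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def tokens_match(a, b):
    """Same skeleton, or edit distance within 20% of the longer token
    (Ahmed / Ahmet differ by one letter in five). Integer compare avoids
    float rounding at the threshold."""
    if skeleton(a) == skeleton(b):
        return True
    return levenshtein(a, b) * 5 <= max(len(a), len(b))


def screen(name, watchlist=WATCHLIST):
    """Return the watchlist entries the name plausibly matches. A hit needs
    every query token to match a distinct listed token and at least two
    matched tokens, so a lone 'Ahmed' does not flag every Ahmed on the list."""
    query = normalize(name)
    hits = []
    for entry in watchlist:
        unused = normalize(entry)
        matched = 0
        for q in query:
            partner = next((l for l in unused if tokens_match(q, l)), None)
            if partner is None:
                break
            unused.remove(partner)
            matched += 1
        else:
            if matched >= 2:
                hits.append(entry)
    return hits


if __name__ == "__main__":
    for candidate in ["Ahmad Al Gamdi", "Ahmet Gamdi", "Ahmed Al-gamdi",
                      "Muammar Qadhafi", "Ahmed", "Ahmed Smith"]:
        print(f"{candidate!r:20} -> {screen(candidate)}")
```

Every hit still needs a human review step; the heuristic trades false negatives on exact spelling for false positives on similar names, which is exactly the trade-off the works committee will ask about.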

As if that wasn’t bad enough, you can try telling it to the cops who come to arrest your boss because one of your employees gave to the local chapter of the Holy Land Foundation which funds Hamas or the National Development Front in India that finances Al-Qaeda. The UN and the EU, not to mention the US Department, publish lists of organizations they consider to be affiliates or fund raisers for international terrorists. Unfortunately, hardly any new employee mentions this in his hiring questionnaire, so what should you do? Periodically ask all your people whether they have joined a terrorist organization lately? Maybe hand them the list and ask them to make appropriate check marks. And what if they refuse — do you fire them? Anyway, answering in the affirmative could constitute an act of self-incrimination, so requiring it would itself be illegal in most civilized countries.

Until now, most HR departments have dealt with these questions in the handiest possible way – by ignoring them. Out of about 20 companies represented at the IAPP meeting, among them a few on the Fortune 100 list, only two raised their hands when I asked who has ever conducted a scan for terrorist suspects within their organizations.

My feeling is that this illustrates the legislative confusion surrounding identity and privacy on the governmental level, but it also points out some tough questions that need to be answered by identity pros before we can hope to achieve anything like a balanced approach to the legitimate concerns of citizens, employees and consumers about how authorities and employers handle their personal data on the one hand, and the requirements of businesses, bureaucracies and, yes, terrorism fighters on the other.


Identity – Last Man Standing?

11.08.2009 by Tim Cole

Somehow the Hofbraeukeller in Munich, one of my favorite city’s nicest beer garden restaurants, seems to lend itself particularly well to long, meandering discussions of identity management. It’s the place the U.S. participants at the European Identity Conference regularly gather for their pre-conference pigs’ feet feast, and since it’s conveniently located around the corner from where I live, I often use it as a meeting place for visitors from all over the world. I mean, if you’re in Bavaria, by all means go to a Bavarian place for lunch instead of one of the ubiquitous sushi stalls.

I thought my latest guest, Tom Stewart, CFO of MultiFactor Authentication out of Irvine, CA, would be thrilled, but it turns out he spent two years working for Intel in Munich, so he’s been there and done that. Which is okay, because it gave us more time to get down to basics about his company’s strategy and products.

Tom is in the business of making security tokens obsolete. I know you’re going to hate this if you just gave a pile to RSA or Verisign, but MultiFactor believes that hardware-based strong authentication is poised to go the way of the dodo.

Of course, software tokens have been around for quite a while, but they are often considered to be weaker than hardware tokens, or else they require some fancy PKI architecture to make them safe enough for serious corporate use.

Well, think again, Tom says. His “SecureAuth” system sits inside the firewall and handles full bidirectional X.509 authentication for apps and other systems without any tokens or PKI infrastructure and, more importantly, at a fraction of the cost. The system used to connect the client with your company network is proprietary, but it uses SAML or any other system you want to use to connect to outside applications or SaaS providers. Just how they do it and whether it really works the way they say it does is beside the point here, but readers are invited to visit their website at www.multifa.com for a free online demo and as much nerdy prose as you can stomach. (Tom is a marketing guy, but he is apparently surrounded by a team of true, dyed-in-the-wool techies.)

Personally, my attention perked up when Tom began to describe the way SecureAuth acts as a kind of gatekeeper for Active Directory (in 90 percent of cases, he says) or any other directory service you happen to be running.

This seems especially exciting to me when you consider it in terms of Cloud Computing, where we are seeing a rash of new cloud-based identity services. Bob Blakley of Burton described what he calls the “ability to build a virtual identity provider using a multitude of different services”. At the Catalyst Conference in San Diego a few weeks ago, he expressed his surprise that, unlike what everyone was expecting, providing identity services for the Cloud wasn’t turning out to be “this big monolithic thing”. Instead, the market is building a set of small specialty firms that handle identity tasks and offer discrete billable units that companies can put together. Ping, for instance, integrates PingConnect with Google Apps so a user’s Google ID can be used for single sign-on across some 60 online services.

Sourcing your identity management may appear to make good business sense, but does it really? After all, companies are sourcing just about everything else related to their IT. But Tom believes, and I agree, that identity management is the last thing you want to see going out the door. “As long as you control the directory, you control everything”, he maintains. Letting external service providers make changes or allowing them to make copies of your directory, which some do, is simply asking for big trouble.

My feeling, and it’s nothing more than that, is that companies will be very cautious in moving towards the cloud, choosing a step-by-step approach rather than taking the sudden plunge. As much as small and medium-sized enterprises would love to say goodbye to their IT and concentrate on their core business, they should draw the line at their directory, be it active or otherwise.

In fact, you could probably make a case for keeping only your directory and sourcing everything else, but then what is the poor CIO to do? Anyway, directory services might actually prove to be the Last Man Standing as corporate IT gradually disappears into Cloud-cuckoo-land.


The flowering of the identity store

27.06.2009 by Tim Cole

[Diagram: The Personal Data Eco-System (diagram by Iain Henderson and Drummond Reed)]

Another reason I really love Twitter: It takes you places you might never have found on your own. Take a recent post by xmlgrrl, a.k.a. Eve Maler of Sun Microsystems, a terse pointer to a posting by Iain Henderson of Mydex on rightsideup.net entitled “The Personal Data Eco-System” which provides by far the best theoretical overview that I, at least, have seen on the true nature and function of personal data.

The text is an abstract of a session Iain and his pal Drummond Reed of Concordance, who is also a trustee of identitycommons, held at a recent West Coast VRM Workshop and which is also intended as an introduction to the Kantara workgroup where they hope to explore these scenarios more deeply. The focus of the piece is on what Iain and Drummond describe as “Personal Data Stores”, a slightly confusing term for a kind of data warehouse in which to store all the personal data available about me (or you) so that it can be used for anything from paying a credit card bill to scheduling a doctor’s appointment or even planning a home move.

But where it gets really exciting is when the two start to discuss what kind of data there is about me (or you), what the relationship is between the different kinds of data and how they interact. Basically, they divide all personal data into five categories:

  • My Data (information about me that I, and only I, own and control)
  • Your Data (information about me that someone else – e.g. an organization or the government – owns and controls)
  • Our Data (information about me that is accessible to both me and them, e.g. buyer and seller)
  • Their Data (information about me that is owned and sold by third parties such as a credit card company)
  • Everybody’s Data (information about me that is in the public domain, e.g. my postal address or an electoral roll)

Henderson and Reed have created the absolutely fascinating flower-like Venn diagram pictured above explaining how and where these separate sorts of data intersect to create what they describe as a “Basic Identifier Set” in the middle. This for them is the “core personal identity data”, and they believe it will enable a working “personal identity eco-system” for providing services and ensuring transactions sometime in the future, with the individual functioning as the “un-knowing point of integration” of data about themselves.

They describe in detail the various dynamic flows of data between the different categories, such as from My Data to Your Data where individuals provide information about themselves under certain conditions (think the “tick boxes” on web forms indicating whether I want to receive your newsletter if I buy your product) or from Your Data to Their Data as an organization shares information about me with another organization, something which can happen legally (as in identity federation) or illegally (then it’s called identity theft).

I find the Henderson/Reed Diagram an extremely illuminating intellectual achievement since it illustrates the huge complexity involved in addressing issues of identity, both digital and analog. I’m not so sure whether I agree with Iain’s conclusion and forecast that over time (“in 10 years”) some 80% of customer management processes will be driven from a “My Data” perspective. He argues that the rush for user-generated content, as well as economic reasons, will cause organizations to move to a user-controlled model of identity management.

Well, I’ve been around long enough to know you can multiply a given prognosis involving a ten-year timeframe by a factor of between two and ten and still wind up way out in left field. But I do think they are right in assuming that there is a business case for moving towards user-controlled identity. Whether it will be, as they suggest, that allowing a vendor to mine my Personal Data Store for my consumer habits, and especially my buying intentions, will be incentive enough, or whether the prevalent model will be a simple upfront deal – give me your personal information and I will give you a rebate or cash in hand – I don’t know, but until we find out it might be a good idea to contemplate the wonderfully symmetric flower petals of the identity eco-system diagram and ponder its implications.



© 2012 Tim Cole, KuppingerCole