
Network Security, December 2006

IDENTITY MANAGEMENT

At the macro level, the advantages that accrue in the form of innumerable applications and services, with enhanced benefits for all, can clearly be seen zipping across the ether; but that macro level is ultimately composed of individuals, and so a problem arises: it’s personal.

This article outlines the components of digital identity technologies and services, describes some of the challenges at a governmental, enterprise and individual level, and looks at a few initiatives to try to address those issues. Finally it turns to the empowerment of the individual and current moves to put identity management back into the hands of the user.

As Michael Howard, Senior Security Program Manager, Microsoft USA, said at the Information Security Solutions Europe (ISSE) Conference 2006, “You can be in the poshest place on earth, but as soon as you plug into the computer, you are slumming it with some of the nastiest people in the world.”

The juggling act

Digital identity technologies and services are complex. David Goodman, chairman of eema, describes them as comprising: enterprise identity management, HR applications, CRM, web access management, (enterprise) single sign-on, role-based access control, network identity management, subscriber-centric networks, federated identity management, metadirectories, (the) identity metasystem(s), local and national government identity cards and e-passports.

In addition, it encompasses the emerging ideas around personal digital identities as well as RFID, PKI, smartcards and biometric technologies, coupled with standards that go beyond X.500/LDAP, UDDI and DSML such as YADIS, REST, Identity 2.0 and WS-*. Even though the core elements that underpin most identity infrastructures remain directories, address books, buddy lists etc., how they will converge or coexist going forward remains unclear.

Those responsible for implementing digital identity technologies and services have the unenviable task of juggling the different demands and expectations of all parties concerned, within governments, enterprises and individual user communities.

Governments race to ID cards

For example, in Europe, governments are making haste to introduce national ID cards, with smartcards as the favoured mode of transport, and e-passports with RFID chips. In some countries such as Belgium, where citizens are used to carrying a non-digital ID card, their introduction is less problematic. By contrast, in the UK, where the introduction of the ID card will be accompanied by the establishment of a National Identity Register (NIR), the debate thunders on.

The ID cards will hold basic identity details as well as photo identification and other biometric data such as fingerprints, facial scans and iris scans, linked to the NIR, which will be the government’s authoritative repository of identity data. In fact the NIR will hold at least fifty fields of information on every citizen, together with links to information held on other government databases.

The scheme is due to start in 2008 and will eventually be mandatory for all citizens. The volume of data to be collected, suspicion of governmental objectives, the audit trail it creates, invasion of personal privacy, lack of confidence in the security of the stored information and the imposition of personal identity control are just some of the reasons for the substantial wave of resistance now being witnessed.

RFID

The most recent e-passport launch was in Ireland, on 16 October 2006, ten days before the deadline to qualify for the US visa waiver programme. Just like the UK passport, it utilises an RFID chip that allows the information on it to be read by special chip readers at close distance. RFID has been around since the late forties, and is now gaining momentum as a contender in the digital identity market, not only in e-passports, but also in a whole raft of sectors including retail and manufacturing, recycling and waste management, transportation/logistics, libraries, livestock, healthcare etc.

The concept is simple, requiring only a tag containing an identification number and a reader. The tag can be passive, without a power source, or active, with a power source and therefore a longer range and larger memory. However, the concern with RFID tags that contain personal information is that they may enable identification/profiling and/or remote reading or data processing without the knowledge of the data subject.

Both of these scenarios lead to serious security issues and legal data privacy/protection implications. It has therefore been suggested that technological improvements such as a kill command that permanently disables the tag, a blocker tag, encryption, or a privacy bit (proposed by RSA) should be implemented for personal protection. In addition to technical solutions, there are also various legislative consultations underway to provide another line of defence for the individual. Only when the necessary legal and technical measures are in place will this technology receive public confidence as a cornerstone of ubiquitous computing.

Identity management – back to the user

Roger Dean, Head of Special Projects, eema

Digital identity as it applies to people is the preoccupation of corporations, governments and individuals throughout Europe and the rest of the world. It is key to ensuring a trusted relationship for billions of electronic transactions worldwide, but control must now be returned to the user.



Multiple levels

Companies are similarly grappling with the problem of identity at multiple levels. For example, the increasing erosion of the corporate perimeter, the proliferation of mobile devices requiring network access, the growing number and tenacity of criminals seeking network access, the swelling body of corporate governance and compliance criteria, and the increasingly mobile and rapidly switching workforce all make secure access to the network, through some form of identity and access management (IAM) system, imperative.

But controlling identity is not enough. In a survey by the Enterprise Security Group on laptop worms, the most common sources of automated Internet worms were found to be those carried in on employee laptops, those that came directly from the Internet and through the firewall, and those carried in on the laptops of non-employees. Perimeterless networks therefore demand protection for the whole infrastructure, and no one piece of technology can do that. And in attempting to protect the infrastructure, how much flexibility and freedom is the user to be left with?

Enterprise-wide security models

There are many different models to try to solve the enterprise security challenge. For example, Matthew Lodge of Symantec, speaking at eema’s European e-Identity Conference in June this year, described a model of complete endpoint security within the enterprise comprising: (known) identity + (known) location + (compliant system) state. In this model authorised users may only access systems from authorised endpoints: the system is driven by policy according to identity, location and system state, and the endpoint security is continuously monitored.

As an example, BAT Industries has implemented a user and machine-based identity system. It has agents on all desktops and laptops, a centralised, security-based policy, different policies based on location, and centralised logging and reporting. The advantages for the individual are simplicity of deployment (for 28,000 agents) and the flexibility to connect however they like. It also ensures that security countermeasures are up to date and that critical patches are always applied. However, there remains an issue with providing guest access without loading an agent onto guest devices.
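As an added illustration of the identity + location + state model described above (this is not code from Symantec, BAT Industries or the article), the following Python evaluator denies by default and checks identity, then connection location, then device ownership, then the agent-reported system state. The group names, location names, posture fields, thresholds and sample requests are all assumptions made for this example; the guest WLAN shows one common answer to the guest-access problem, admitting unmanaged devices only into an isolated zone where no state check is possible.

```python
"""Policy-driven endpoint access: identity + location + compliant state.

Added illustration of the model described in the article; not BAT's or
Symantec's code. Group names, location names, posture fields, thresholds
and the sample requests are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

TODAY = date(2006, 12, 1)  # fixed clock so the example runs reproducibly offline


@dataclass(frozen=True)
class Posture:
    agent_present: bool                      # no agent -> state cannot be trusted
    critical_patch_age_days: Optional[int]   # days since the last critical patch
    av_signature_date: Optional[date]
    disk_encrypted: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]   # from the identity system (assumed group names)
    location: str            # where the endpoint connects from (assumed names)
    device_owner: str        # "corporate" (agent-managed) or "unmanaged"
    posture: Posture


@dataclass(frozen=True)
class Decision:
    allowed: bool
    zone: str    # network zone granted; "none" when denied
    reason: str


# Per-location policy. Thresholds of None disable the state check, which is
# only acceptable for a zone that carries no internal traffic.
LOCATION_POLICY = {
    "corporate_lan": {"groups": {"employees", "contractors"}, "owners": {"corporate"},
                      "max_patch_age": 7, "max_sig_age": 3, "zone": "internal"},
    "vpn":           {"groups": {"employees", "contractors"}, "owners": {"corporate"},
                      "max_patch_age": 7, "max_sig_age": 3, "zone": "internal"},
    "guest_wlan":    {"groups": {"employees", "contractors", "guests"},
                      "owners": {"corporate", "unmanaged"},
                      "max_patch_age": None, "max_sig_age": None, "zone": "internet_only"},
}


def compliant(p: Posture, max_patch_age: Optional[int], max_sig_age: Optional[int]):
    """Return (ok, reason). Missing or unreportable data counts as non-compliant."""
    if max_patch_age is None and max_sig_age is None:
        return True, "state not checked in this zone"
    if not p.agent_present:
        return False, "no endpoint agent: state unknown"
    if max_patch_age is not None and (
            p.critical_patch_age_days is None or p.critical_patch_age_days > max_patch_age):
        return False, "critical patches out of date"
    if max_sig_age is not None and (
            p.av_signature_date is None or (TODAY - p.av_signature_date).days > max_sig_age):
        return False, "AV signatures stale"
    if not p.disk_encrypted:
        return False, "disk not encrypted"
    return True, "compliant"


def evaluate(req: Request) -> Decision:
    """Deny by default: identity, then location, then device, then state."""
    policy = LOCATION_POLICY.get(req.location)
    if policy is None:
        return Decision(False, "none", f"unknown location {req.location!r}")
    if not (req.groups & policy["groups"]):
        return Decision(False, "none", "identity not authorised for this location")
    if req.device_owner not in policy["owners"]:
        return Decision(False, "none", f"{req.device_owner} devices not admitted at {req.location}")
    ok, why = compliant(req.posture, policy["max_patch_age"], policy["max_sig_age"])
    if not ok:
        # A known user on a managed but non-compliant device is quarantined so
        # the agent can pull patches and signatures, rather than flatly denied.
        return Decision(True, "remediation", why)
    return Decision(True, policy["zone"], why)


# Constructed sample requests (not real users or devices).
HEALTHY = Posture(True, 2, date(2006, 11, 30), True)
STALE = Posture(True, 30, date(2006, 11, 30), True)
NO_AGENT = Posture(False, None, None, False)

SAMPLES = {
    "alice_lan":   Request("alice", frozenset({"employees"}), "corporate_lan", "corporate", HEALTHY),
    "bob_vpn":     Request("bob", frozenset({"employees"}), "vpn", "corporate", STALE),
    "carol_guest": Request("carol", frozenset({"guests"}), "guest_wlan", "unmanaged", NO_AGENT),
    "dave_byod":   Request("dave", frozenset({"employees"}), "corporate_lan", "unmanaged", NO_AGENT),
    "eve_vpn":     Request("eve", frozenset(), "vpn", "corporate", HEALTHY),
}


def run_samples():
    """Evaluate every sample request; returns name -> Decision."""
    return {name: evaluate(r) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:12s} allowed={d.allowed!s:5s} zone={d.zone:13s} {d.reason}")
```

The ordering of the checks is deliberate: an unknown location or unauthorised identity is refused before any device detail is consulted, and state is only consulted for devices the policy is prepared to admit at all, so an unmanaged laptop on the corporate LAN is refused outright rather than quarantined.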

Innovative applications

There are also some truly innovative applications appearing on the market. A good example is OneTimePass Mobile, a collaborative project implemented by T-Systems and T-Mobile. OneTimePass Mobile is the first service in mobile communications security applications with over-the-air personalisation. It uses a one-time password with the security token in the form of a mobile phone, which leads to a high level of security and can be simply integrated into most applications that still require ID and password.

Importantly, a central authentication service is used, and different companies, departments, systems and applications can use the same basis of authentication tokens in the field. For the individual, an important feature is that the application is distributed, installed and set up over the air, and since everybody owns a mobile phone, there is no necessity for a complicated process of distributing the token device.
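The article does not describe the algorithm behind OneTimePass Mobile, so the following added example (not T-Systems’ or T-Mobile’s code) assumes the HMAC-based one-time password of RFC 4226 (HOTP): the handset and a central authentication service share a secret and a counter, every application hands the submitted code to that one service, and the service tolerates a small number of codes that were generated on the phone but never sent, while refusing any replay. The secret is the RFC 4226 test vector, not a real credential, and the user names are constructed.

```python
"""One-time passwords with a phone as the token and one central verifier.

Added example, not the OneTimePass Mobile code, whose algorithm the article
does not describe. Assumes RFC 4226 HOTP. The secret below is the RFC 4226
test vector, not a real credential; user names are constructed.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, reduced modulo 10^digits and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class PhoneToken:
    """The token application on the handset: shared secret plus moving counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class AuthService:
    """Central verifier shared by every application, department and company."""

    def __init__(self, look_ahead: int = 5):
        self.users = {}                 # user -> {"secret", "counter"}
        self.look_ahead = look_ahead    # codes generated but never submitted

    def enrol(self, user: str, secret: bytes) -> None:
        # In the real service this is the over-the-air personalisation step.
        self.users[user] = {"secret": secret, "counter": 0}

    def verify(self, user: str, code: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        start = rec["counter"]
        for c in range(start, start + self.look_ahead + 1):
            if hmac.compare_digest(hotp(rec["secret"], c).encode(), code.encode()):
                rec["counter"] = c + 1   # resynchronise and burn every counter <= c
                return True
        return False


def scenario() -> dict:
    """Walk phone and service through normal use, a replay, and counter drift."""
    secret = b"12345678901234567890"    # RFC 4226 test secret
    svc = AuthService(look_ahead=5)
    svc.enrol("alice", secret)
    phone = PhoneToken(secret)

    first = phone.next_code()                              # counter 0
    results = {"first": svc.verify("alice", first)}        # accepted
    results["replay"] = svc.verify("alice", first)         # same code again: refused
    for _ in range(3):                                     # codes shown but never sent
        phone.next_code()
    results["within_window"] = svc.verify("alice", phone.next_code())   # counter 4
    for _ in range(10):                                    # far more drift than allowed
        phone.next_code()
    results["beyond_window"] = svc.verify("alice", phone.next_code())   # counter 15
    results["unknown_user"] = svc.verify("mallory", "000000")
    return results


if __name__ == "__main__":
    print(scenario())
```

Two design points matter for a shared central service: the verifier advances the stored counter past every accepted value, so a captured code is useless the moment it has been used, and the look-ahead window is the only concession to drift, so a phone that has run far ahead must be resynchronised out of band rather than by widening the window.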

At the user level

At an individual level each system that a user accesses requires a different slice of personal identification and profile. And that information is stored on disparate databases, used with precious little regard to the privacy of the individual, and managed with varying degrees of efficiency by faceless entities. We’ve all heard the stories about swathes of personal identity information being stolen and used for unlawful gain by the criminal community.

Figure 1: A perimeterless network means protecting all infrastructure data

The Norwegian BankID Scheme

Some vendor/user partnerships are delivering excellent, industry-specific applications. A good example is the Norwegian BankID Scheme, a solution delivered by Banking and Business Solutions (BBS) and Norwegian BankID Scheme, winners of the eema Award for Excellence in Secure Electronic Business 2006. The Norwegian BankID Scheme enables Norwegian citizens to identify themselves and digitally sign documents from authorities, companies and other organisations on the Internet by using the BankID electronic identification and signature system.

The banks in Norway have already issued 600,000 BankID certificates since spring 2005. This figure is expected to double within the next six months and will extend to all e-bank users in Norway: approximately 2,300,000. It has worked with 182 merchants, including all Norwegian and key Nordic banks and bank groups. The project demonstrates an innovative employment of PKI to manage an e-identification and trust service which essentially gives a less costly yet highly secure alternative to smart cards. It adheres to all PKI standards and ensures a high level of end user mobility.

The media does not help. Press reports that exaggerate individual incidents and distort facts exacerbate the problem. It’s small wonder that users do not trust the Internet. As pointed out by Microsoft’s Michael Howard at ISSE earlier this month, one third of all users are too afraid to carry out online transactions, and limit themselves to web browsing and email which, paradoxically, are the two most popular vectors for attack. As an added irritation, when something does go wrong, computers are too complex, and the security messages they spew out too convoluted for users to understand and act upon.

The role of legislators

However, technology alone will not protect users. To a large extent we already have the technology. It is how products are developed and shipped that affects users the most. And one way of ensuring that end users receive good, secure, robust products is to make sure that it is in the vendors’ interests to make them so, instead of rushing immature products to market. At the moment vendors don’t have to pay for their mistakes. ICT security guru Bruce Schneier, another ISSE speaker, terms one of the causes of such irresponsibility ‘externality’: an effect that does not concern the person causing it.

For example, a software company produces ‘buggy’ software, but it is the purchaser of the software who suffers and not the developer, so he doesn’t care. In Schneier’s opinion there are two ways to solve the problem of externality: regulation and liability. In the US, for example, there were many phantom withdrawals made from the early ATMs. The US courts ruled that unless the banks could prove that the customer had made the withdrawal they had to give the money back.

That gave banks an incentive to do something about security and install cameras. In the UK the opposite was the case, so banks did nothing to correct the problem until the law changed. Regulation and liability thus help to internalise externalities and align interest with capability, resulting in good products and fewer headaches for the user.

Putting the users in control

While enterprises and governments have traditionally imposed identity control on the user and/or customer, partner etc., such top-down control is becoming increasingly irksome to many players. If, as seems likely, the swelling ranks of ICT insurgents win the day, that model is set to change. As Microsoft’s Kim Cameron noted in his seven laws of identity: “A system that does not put users in control will – immediately or over time – be rejected.” The following projects represent some current initiatives that start to put a measure of control back into the users’ hands.

Federated identity management

Federated identity management introduces the notions of identity providers, circles of trust and WS-Federation. In David Goodman’s view, federation goes a long way towards addressing the persistent problems of distributed entries and web single sign-on for Internet users. Although federation suggests user-controlled profile management, realistically there is still some way to go. Federated solutions provide:

• identity mapping across partners, with the benefits of single sign-on and user information exchange

• cross-domain identity lifecycle management through the provisioning of users and linking of user identities

• secure application interaction using web services technology.


Federation makes the first step forward from application-oriented, enterprise-focused systems to a trust-based, distributed service for individual personal identities.
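The three points above (identity mapping across partners, account linking, and a web-services style exchange) can be shown end to end. The following is an added Python example, not code from any product or standard named in the article: real federations carry SAML or WS-Federation assertions signed with the identity provider’s certificate, and this illustration stands in a per-issuer HMAC over a JSON claim set for that signature. The service provider verifies the signature, audience, validity window and one-time use of the assertion before mapping the partner’s (issuer, subject) pair onto a linked local account; an unlinked subject is refused, which is where the provisioning step would sit. Issuer names, account names, the field names and the token format are all assumptions.

```python
"""Cross-domain single sign-on with identity mapping at the service provider.

Added example; not code from any product or federation standard named in the
article. A per-issuer HMAC over a JSON claim set stands in for the signed
SAML/WS-Federation assertion of a real deployment. Names and fields are
assumptions made for this example.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Authenticates users in its own domain and issues assertions for partners."""

    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer = issuer
        self.signing_key = signing_key   # stands in for the IdP's private key

    def issue(self, subject: str, audience: str, now: int, ttl: int = 300) -> str:
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self.signing_key, body, hashlib.sha256).digest()
        return _b64u(body) + "." + _b64u(sig)


class ServiceProvider:
    """Relies on partner IdPs; maps (issuer, subject) onto linked local accounts."""

    def __init__(self, name: str, issuer_keys: Dict[str, bytes],
                 account_links: Dict[Tuple[str, str], str]):
        self.name = name
        self.issuer_keys = issuer_keys        # issuer -> verification key
        self.account_links = account_links    # (issuer, subject) -> local account
        self.seen_ids = set()                 # assertion ids already consumed

    def consume(self, token: str, now: int) -> Tuple[Optional[str], str]:
        try:
            body_b64, sig_b64 = token.split(".")
            body = _unb64u(body_b64)
            claims = json.loads(body)
        except (ValueError, TypeError):
            return None, "malformed"
        if not isinstance(claims, dict):
            return None, "malformed"
        # The issuer is read before verification only to select the key;
        # nothing else in the claims is trusted until the MAC checks out.
        key = self.issuer_keys.get(claims.get("iss"))
        if key is None:
            return None, "unknown issuer"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64u(sig_b64)):
            return None, "bad signature"
        if claims.get("aud") != self.name:
            return None, "audience mismatch"
        if not (claims["iat"] <= now < claims["exp"]):
            return None, "expired or not yet valid"
        if claims["jti"] in self.seen_ids:
            return None, "replay"
        self.seen_ids.add(claims["jti"])
        local = self.account_links.get((claims["iss"], claims["sub"]))
        if local is None:
            return None, "no linked local account"   # provisioning/linking not done
        return local, "ok"


def scenario() -> dict:
    """Constructed exchange between one partner IdP and one service provider."""
    key = b"partner-key-demo-not-real"
    idp = IdentityProvider("idp.partner-a.example", key)
    sp = ServiceProvider("sp.example", {"idp.partner-a.example": key},
                         {("idp.partner-a.example", "alice"): "alice.a"})
    now = 1165000000

    good = idp.issue("alice", "sp.example", now)
    out = {"valid": sp.consume(good, now)}
    out["replay"] = sp.consume(good, now)
    out["wrong_audience"] = sp.consume(idp.issue("alice", "sp.other", now), now)
    out["expired"] = sp.consume(idp.issue("alice", "sp.example", now), now + 600)
    out["unlinked"] = sp.consume(idp.issue("bob", "sp.example", now), now)

    # Tampering: keep the signature, change the subject.
    body_b64, sig_b64 = good.split(".")
    claims = json.loads(_unb64u(body_b64))
    claims["sub"] = "admin"
    forged_body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    out["forged"] = sp.consume(_b64u(forged_body) + "." + sig_b64, now)
    return out


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:15s} {result}")
```

The audience check is what stops an assertion issued for one partner being presented to another, and the mapping table is the concrete form of “linking of user identities”: the service provider never creates an account from a bare assertion, it only resolves one that has already been linked.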

Personal digital identity for individuals

Two initiatives that aim to give users some real control over their identity management are:

• Project Higgins, led by Novell and IBM, who are working to develop open-source software for user-centric identity management, and

• Microsoft’s CardSpace (formerly known as InfoCard), now available in the beta release of Vista, which will enable identity to be managed from the desktop.

Higgins is a software framework that relies on service adapters that connect to external systems using that system’s native protocols or APIs. Higgins breaks up a person’s identity into pieces or ‘services’ and lets computer users dictate who can access what parts of their identity information, within applicable privacy guidelines and laws. Organisations using ‘smart’ applications, built with Higgins’ open source tools, can share specific identity information, such as their telephone number or buying preferences, according to rules set by the individual, or by an authorised third-party service provider acting on their behalf.

CardSpace is the code name for a Windows WinFX component that provides a user interface and related services that allow the Windows system to interoperate with service providers and identity providers using the WS-Trust and related protocols. It reduces reliance on usernames and passwords; provides a consistent experience for login and registration; helps users avoid phishing attacks; and provides support for multi-factor authentication.

Figure 2: BankID Common Operational Infrastructure

Identity management market shifts – who’s out there?

Mike Neuenschwander, research director, Burton Group

Selecting identity management products requires investigation. The market has proven problematic to standardize, has drawn a disproportionate degree of governmental regulation, and there is no clear market leader.

The identity management (IM) market includes the set of technologies and products that enable the use of digital identities. Today, a great many products deliver such functionality. In particular, the IM market consists of technologies that enable authentication of participants and the authorization of transactions among users and online resources, as well as the administration of user accounts in online systems. Digital identifiers (such as smart cards and PKI systems), web-access management, user provisioning, federation, and directory products belong to the IM market.

The identity-management market continues to enjoy phenomenal growth, both in terms of sheer capital invested in the market and in awareness of IM in the popular consciousness. Nearly all major software vendors – including BMC, CA, EMC, Entrust, HP, IBM, Microsoft, Novell, Oracle, Red Hat, Siemens, and Sun – offer IM suites of varying breadths.

The front guard

This “front guard” of major software vendors has invested significantly in the IM market, mostly through acquisition, and now benefits from strong growth: some of these companies claim


Conclusion

This article has outlined just a few of the ideas that have been put forward to help solve the problems associated with digital identity. There will be countless others, in countless different configurations, but one thing is sure: striking the right balance between the different requirements of different stakeholders is critical to success and can only be achieved through collaboration. As Commissioner Viviane Reding said to delegates at ISSE: “Although security is crucial, the protection of fundamental rights, including privacy and data protection, must balance the measures for security. If they don’t, the take-up of technology by citizens will not come to a good end. And that is why we have to get this equilibrium between industrialists, governments, administrations, citizens and the private security community.”

About the authors

Roger Dean is Head of Special Projects and a founder of eema, a European e-business trade group with 135 member organizations, launched in 1987. He has been involved in the formation and interoperability of several standards and standard bodies, such as X.400, X.500, XML, “T”scheme, Emeritus, Web Services, e-procurement data and content standards. He spearheaded ISSE (Information Security Solutions) 2006. The article was co-authored by Juliet Hoskins, Editor, eema.
