3/29/2005

Identity Management vs. Identity & Transaction Management

Filed under: - btobey @ 10:26 pm

After a whole series of conversations following the Slashdot post, I need to clarify the relative roles of identity management from a digital perspective and the broader perspective of identity & transaction management.

Most of the conversations these days on the topic of identity management center around digital identities. Without a doubt, that’s the hot area and it’s huge. As an information security professional it’s near and dear to my heart.

However hot digital identity may be, organizations taking a broader perspective can leverage identity for even greater value. That’s the premise behind the Identity Initiative: to encourage organizations to develop a synergy between the identity for their network and what they can do across the enterprise. The concept of Identity & Transaction Management encompasses the realms of digital identity management and all the transaction infrastructure where identity can be physically used across the enterprise. Think university ID cards meets digital certificates.


3/23/2005

What Are Your Don’t Miss Identity & Transaction Events?

Last week was the National Association of Campus Card Users (NACCU) annual conference. Other obligations kept me from attending for the first time since 1997. That and the beginning of the events log got me thinking about what the “Don’t Miss Events” are as they relate to Identity & Transaction Management.

For those looking to draw additional value from your identity management initiatives, college campuses are a great place to look. Unlike most corporate organizations, higher education often leverages their identity for value added services while neglecting security. Add that solution set to a corporate or government security stance and you have a recipe for a broad identity.

NACCU just passed and Card Tech/Secure Tech is just around the corner. IDWorld is emerging as a strong fall conference for identity. ISCWest is the premier spring physical security event. ASIS takes the physical security lead for the fall. I’ve always enjoyed the RSA conference, especially with my PKI experience. Moving to the straight transaction side, NAMA (vending), FSTech (food service), NACUFS (more food), and IPI (parking) are all good shows. NACAS, NACUBO and ACUHO all offer opportunities to learn about how higher ed draws additional value from what they traditionally call “card programs.” Educause in the fall offers another really good chance to look at higher ed identity, this time from the IT perspective.

Wow, I know that seems like a lot, but I barely touched on the information security opportunities and left out the government conferences entirely. Please drop us a comment or email, to let us know which events you get the most out of. Check our events calendar and feel free to submit any we missed.

CTST, ISCWest and NAMA almost overlap in the coming weeks in Vegas. I, however, will be attending an Infosec conference in Orlando and then heading down to Ft. Lauderdale for the International Parking Institute conference. Don’t laugh, there’s a lot of money in parking and we always want security around our cars.


3/21/2005

iname, FreeID, LID, SXIP, What’s Your Favorite Emerging Digital Identity?

Filed under: - btobey @ 11:15 pm

One of our readers, Kafka, asked if I had heard of SXIP. Great timing.

Last week I suggested that well provisioned identity would go a long way to solving both the access control (authentication) and transaction security. That’s not much of a stretch and there are several really good digital identity frameworks emerging. Which ones are your favorite?

Looking into the details of each, I become more convinced that we are missing a big step: provisioning. We become enamored with the technologies and the frameworks, but miss the whole point of “who says you are (not) a dog.”

We had quite a dustup last week as one of Microsoft’s key people mentioned that Longhorn is moving to two factor authentication. So what? Once you move beyond local logon and move outside your home and enterprise, it doesn’t matter how many forms of authentication you have. I only care if someone vouches for your identity.

Today, your bank plays that role with the major credit cards, and most merchants effectively assume that risk by honoring them. To paraphrase the commentary in CIO Magazine, it’s reaching the point where either the consumer, the bank or the merchant will blink and then we have problems. Of course, if we had well provisioned identity, nobody would need to blink.

So, back to my original point, what are your thoughts on the different established and emerging digital identity frameworks? What about provisioning frameworks? Has anybody heard from Identrus lately?

Digital ID Programs

xdi.org

sxip.org

Identrus.com


3/17/2005

Thank you, Slashdot.

Filed under: - btobey @ 10:16 pm

Yesterday was very busy, with our posting on Slashdot about the impact of Microsoft’s move away from passwords. Our only hiccups came from the Comments functions and I appreciate the interest shown. Identity, security and privacy are always hot topics in the /. community and we hope to offer more soon. In any event, please come back and participate in the conversation.

Bret Tobey


How to Save the Internet, or On the Internet Everyone Should Know You’re a Dog

Filed under: - btobey @ 10:00 pm

The CIO Magazine dated for the Ides of March has an article on “How To Save The Internet.” It raises some very interesting questions about the role and lifecycle of the internet. With a “doom and gloom” tone, the article lists several big ideas to “save” the internet from its security problems. Here’s one simple “Big Idea” to fix a lot of security concerns. Identity.

That’s it. Give everyone meaningful identities for communities they conduct transactions in. Aside from simply malicious attacks, access control and transactional security are the real base concerns for internet security. Most information posted to the internet is designed for public consumption so the largest concerns are integrity and protecting administrative access. The information with value and transactional sites account for the greatest exposure.

By “Meaningful identities” I mean well provisioned, well managed identities for organizations and individuals. These go a long way towards reducing that risk with the right identity management infrastructure. If you’re a dog, those with assets or transactions to protect need to know that.

The technologies that exist for identity management and access control are mature. What we do not have is agreement on what it takes to provision an identity we can trust across multiple applications. Until then we will have a wide range of identity “silos” and a pile of Post-it notes with passwords.


3/16/2005

Identity Management Just Part of the ITM Puzzle

Filed under: - btobey @ 3:25 pm

What is Identity & Transaction Management (ITM)? A quick survey of infosec magazines shows that identity management is a hot area. With broad industry efforts like SAML and the Liberty Alliance, dozens of vendors, and big boys like Microsoft joining the game in earnest, it’s big and it’s absolutely necessary.

But it’s only part of the picture. Identity management in technology discussions generally refers to someone’s online identity and how it relates to various access control schemes. The problem is that’s only one aspect of an organizational identity. Organizational identity can be an intangible asset, like goodwill, and should be managed accordingly.

Identity & Transaction Management (ITM) covers the broader area of managing the full lifecycle of identity and all the physical and logical infrastructure to make that identity valuable in an organization. For most organizations it starts with security, but a tremendous amount of value can be added through better service and increased sales. Remember how shocking it was to find out that most people would give up passwords for a candy bar? If we trade our passwords for tokens as security experts recommend and Microsoft intends to do, that number goes down. It goes way down when that token is the same thing we use to buy candy bars. Giving it a positive value (food) for the user drives much higher compliance than a negative value imposed by the organization (password loss). Think about it and post your comments.

Much of what is posted at www.identityinitiative.com are thoughts and sources exploring the implications of Identity & Transaction Management. As the book, The Identity Initiative, nears completion, much of that will be posted here for validation. Your feedback is important because we’d rather look silly on the blog than in hard cover.


Microsoft to abandon passwords but for what authentication?

Filed under: - btobey @ 12:28 pm

During a security panel at CEBIT, Detlef Eckert, Microsoft’s Senior Director for Trustworthy Computing, commented that Longhorn would abandon passwords in favor of two factor authentication. As reported on Vnunet.com, Microsoft’s new operating system was making the move to “bring the level of trust business needs.” While the panel generally agreed better digital identity was needed, even two factor authentication still leaves some bases uncovered.

Cryptography guru Bruce Schneier raised some concern over whether faith in two factor authentication would leave other vulnerabilities. Specifically citing the man in the middle and trojan attacks, Schneier did agree that two factor was better than simple passwords. His concern was that the implementation cost for remote internet authentication would not be justified by long term fraud reduction.

For local authentication, which covers much of what Microsoft operating systems do today, two factor authentication is a boost. As Microsoft continues to move into the broader realm of identity management many people will be concerned about their intentions. Two factor authentication generally requires more robust provisioning and management which may explain Microsoft’s intention to move their Identity Server into the default server package. Robust existing efforts like SAML and the Liberty Alliance should be concerned by the new competition. Organizations and users also need to pay close attention to how Microsoft and others position to control their identity platforms.


3/9/2005

Peeking unethical?

Filed under: - btobey @ 10:55 am

This article from The Harvard Crimson Online highlights that new methods of distributing information shift ethical boundaries. Harvard is revoking the admission of 119 applicants who “peeked” at acceptance letters residing on the servers of their online application partner, ApplyYourself. An anonymous hacker posted the information on how to access the letters in the Business Week B-Schools forum.

At the very least, these students were guilty of trespassing and poor judgement, justifying Harvard’s actions. Other schools, such as MIT, have taken stands in support of Harvard. While the applicants are responsible for their own actions, both Harvard and ApplyYourself exhibited sloppiness, if not negligence.

University associations and identities are some of the most valuable. As the reach of learning institutions extends with online teaching, recruiting and seminars, episodes like this show that universities need to take a broader approach to managing their identities. Traditionally, universities have been at the cutting edge of identity management, but only within the ivy walls. As the categories of recruit, applicant, alumni, resident, seminar participant, etc., become more a part of the university community, their identity and association need to be managed, too. In this case schools could take a page from the corporate playbook with federated identity and extranet access control. We’ll be watching to see how much is learned from the crushed hopes of Harvard’s B-School applicants.

Relevant Links

http://www.applyyourself.com/

http://forums.businessweek.com/bw-bschools/start

http://www.reuters.com/printerFriendlyPopup.jhtml?type=oddlyEnoughNews&storyID=7841543


Copyright © 2005 by Identity Initiative, Bret Tobey