Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Getting warm on Attributes

On one of the IDAM industry mail lists recently, a contributer noted in passing that:

      • "I replaced ‘identity’ throughout the document with ‘attribute’ and barring a few grammar issues everything still works."

We're getting warm.

Seriously, when will identity engineers come round and do just that: dispense with the word "identity"? We don't need to change our job descriptions or re-badge the whole "identity management" sector but I do believe we need to stop saying things like "federate identity" or "provide identity".

The writing has been on the wall for some time.

  • As Andrew Nash, CEO of Confyrm Inc. said at the Cloud Identity Summit in 2014, "attributes are more interesting than identity". The same goes for relationships: witness the Identity Relationship Management (IRM) movement.
  • The leading IDAM industry body, the FIDO Alliance, is conspicuously not doing identity but only authentication (of attributes).
  • An identity stack is emerging where relationships and abstract identities are layered on top of concrete attributes and signals.
  • The problem we're trying to solve is shifting sharply from "Who are you?" to "What are you?".
  • I've been advocating that we drop down a level and try federating attributes instead.

    "Identity" is actually a macro for how a Relying Party (RP) knows each of its Subject. Identification is the process by which an RP is satisfied it knows enough about a Subject -- a customer, a trading partner, an employee and so on -- that it can deal with that Subject with acceptable residual risk. Identification is just the surface of the relationship between Subject and RP. The risks of misidentification are ultimately borne by the RP -- even if they can be mitigated to some extent through contracts with third parties that have helped the RP establish identity.

    The most interesting work in IDAM (especially the "Vectors of Trust" or VoT, initiated by Justin Richer) is now about better management of the diverse and context-dependent signals, claims and/or attributes that go into a multivariate authentication decision. And that reminds me of the good old APEC definition of authentication -- "the means by which a receiver of an electronic transaction or message makes a decision to accept or reject that transaction or message" -- which notably made no mention of identity at all!

    We really should now go the whole way and replace "identity" with "attributes". In particular, we should realise there are no "Identity Providers" -- they're all just Attribute Providers. No third party ever actually "provides" a Subject with their identity; that was a naive industrial sort of metaphor that reduces identity to a commodity, able to be bought and sold. It is always the Relying Party that "identifies" a Subject for their (the RP's) purposes. And therefore it is the Relying Party that bestows identity.

    The mangled notion of "Identity Provider" seems to me to have contaminated IDAM models for a decade. Just think how much easier it would be to get banks, DMVs, social networks, professional associations, employers and the rest to set up modest Attribute Providers instead of grandiose and monopolistic Identity Providers!

    As Yubico CEO Stina Ehrensvard says, "any organization that has tried to own and control online identity has failed".

    There's a simple reason for that: identity is not what we thought it was. As we are beginning to see, if we did a global replace of "identity" with "attribute", all our technical works would still make sense. The name change is not mere word-smithing, for the semantics matter. By using the proper name for what we are federating, we will come a lot closer to the practical truth of the identity management problem, and after reframing the way we talk about the problems, we will solve them.

    Posted in Language, Identity, Federated Identity

  • Please. There is no perfect privacy.

    A new effort dubbed Project Enigma "guarantees" us privacy, by way of a certain technology. Never mind that Enigma's "magic" (their words) comes from the blockchain and that it's riddled with assumptions; the very idea of technology-based perfection in privacy is profoundly misguided.

    Enigma is not alone; the vast majority of 'Privacy Enhancing Technologies' (PETs) are in fact secrecy or anonymity solutions. Anonymity is a blunt and fragile tool for privacy; in the event that encryption for instance is broken, you still need the rule of law to stem abuse. I wonder why people still conflate privacy and anonymity? Plainly, privacy is the protection you need when your affairs are not secret.

    In any event, few people need or want to live underground. We actually want merchants and institutions and employers and doctors to know us in reasonable detail, but we insist they exercise restraint in what they do with that knowledge.

    Consider a utopian architecture where things could be made totally secret between you and a correspondent. How would you choose to share something with more than one party, like a health record, or a party invitation? How would you delegate someone to share something with others on your behalf? How would you withdraw permissions? How would it work in a heterogeneous IT environment? And above all, how would you control all the personal information created about you behind your back, unseen, beyond your reach?

    Privacy is about restraint. It's less about what we do with someone’s personal information than what we don’t do. So it’s more political than technological. Privacy can only really be managed through rules. Of course rules and enforcement are imperfect, but let’s not be utopian about privacy. Just as there is no such thing as absolute security, there is no perfect privacy either.

    Posted in Privacy

    Spare us the outrage over Safe Harbor changes

    For 35 years now, a body of data protection jurisprudence has been built on top of the original OECD Privacy Principles. The most elaborate and energetically enforced privacy regulations are in Europe (although well over 100 countries have privacy laws at last count). By and large, the European privacy regime is welcome by the roughly 700 million citizens whose interests it protects.

    Over the years, this legal machinery has produced results that occasionally surprise the rest of the world. Among these was the "Right To Be Forgotten", a ruling of the European Court of Justice (ECJ) which requires web search operators in some cases to block material that is inaccurate, irrelevant or excessive. And this week, the ECJ determined that the U.S. "Safe Harbor" arrangement (a set of pragmatic work-arounds that have permitted the import of personal information from Europe by American companies) is invalid.

    These strike me as entirely logical outcomes of established technology-neutral privacy law. The Right To Be Forgotten simply treats search results as synthetic personal information, collected algorithmically, and applies regular privacy principles: if a business collects personal information, then lawful limits apply no matter how it's collected. And the self-regulated Safe Harbor was found to not provide the strength of safeguards that Europeans have come to expect. Its inadequacies are old news; action by the court has been a long time coming.

    In parallel with steadily developing privacy law, an online business ecosystem has evolved, centred on the U.S. and based on the limitless resource that is information. Fabulous products, services and unprecedented economic success have flowed. But the digital rush (like gold and oil rushes before it) has brought calamity. A shaken American populace, subject to daily breaches, spying and exploitation, is left wondering who and what will ever keep them safe in cyberspace.

    So it's honestly a mystery to me why every European privacy advance is met with such reflexive condemnation in America.

    The OECD Privacy Principles safeguard individuals by controlling the flow of information about them. In the decades since the principles were framed, digital technologies and business models have radically expanded how information is created and how it moves. Personal information is now produced as if by magic (by wizards who make billions by their tricks). But the basic privacy principles are steadfastly the same, and are manifestly more important than ever. You know, that's what good laws are like.

    A huge proportion of the American public would cheer for better data protection. We all know they deserve it. If American institutions had a better track record of respecting and protecting the data commons, then they'd be entitled to bluster about European privacy. But as things stand in Silicon Valley and Washington, moral outrage should be directed at the businesses and governments who sit on their hands over data breaches and surveillance, instead of those who do something about it.

    Posted in Privacy

    Does government have the innovation appetite?

    Under new Prime Minister Malcolm Turnbull, innovation for once is the policy du jour in Australia. Innovation is associated with risk taking, but too often, government wants others to take the risk. It wants venture capitalists to take investment risk, and start-ups to take R&D risks. Is it time now for government to walk the talk?

    State and federal agencies remain the most important buyers of IT in Australia. To stimulate domestic R&D and advance an innovation culture, governments should be taking some bold procurement risk, punting to some degree on new technology. Major projects like driver licence technology upgrades, the erstwhile Human Services Access Card, the national broadband roll-out, and national e-health systems, would be ideal environments in which to preferentially select next generation, home-grown products.

    Obviously government must be prudent spending public money on new technology. Yet at the same time, there is a public interest argument for selecting newer solutions: in the rapidly changing online environment, citizens stand to benefit from the latest innovations, bred in response to current challenges.

    What do entrepreneurs need most to help them innovate and prosper? It's metaphorical oxygen!

    Innovators need:

  • access to prospective customers, so we may showcase disruptive technologies
  • procurement processes that admit, nay encourage, some technology risk taking
  • agile tender specifications that call for the unexpected in responses, prompting disruptive technologies
  • open-mindedness from big prime contractors, who too often are deaf to inventive SMEs
  • curiosity for innovation amongst business people
  • optimism amongst buyers that small local players might have something special to offer
  • and a reversal of the classic Australian taboo against sales.

    Too often, innovative entrepreneurs are met with the admonition you’re only trying to sell us something. Well yes we are, but it's because we believe we have something to meet real needs, and that customers actually need to buy something.

    Posted in Innovation, Government

  • An identity glut on the Internet of Things

    The identerati sometimes refer to the challenge of “binding carbon to silicon”. That’s a poetic way of describing how the field of Identity and Access Management (IDAM) is concerned with associating carbon-based life forms (as geeks fondly refer to people) with computers (or silicon chips).

    To securely bind users’ identities or attributes to their computerised activities is indeed a technical challenge. In most conventional IDAM systems, there is only circumstantial evidence of who did what and when, in the form of access logs and audit trails, most of which can be tampered with or counterfeited by a sufficiently determined fraudster. To create a lasting, tamper-resistant impression of what people do online requires some sophisticated technology (in particular, digital signatures created using hardware-based cryptography).

    On the other hand, working out looser associations between people and computers is the stock-in-trade of social networking operators and Big Data analysts. So many signals are emitted as a side effect of routine information processing today that even the shyest of users may be uncovered by third parties with sufficient analytics know-how and access to data.

    So privacy is in peril. For the past two years, big data breaches have only got bigger: witness the losses at Target (110 million), EBay (145 million), Home Depot (109 million records) and JPMorgan Chase (83 million) to name a few. Breaches have got deeper, too. Most notably, in June 2015 the U.S. federal government’s Office of Personnel Management (OPM) revealed it had been hacked, with the loss of detailed background profiles on 15 million past and present employees.

    I see a terrible systemic weakness in the standard practice of information security. Look at the OPM breach: what was going on that led to application forms for employees dating back 15 years remaining in a database accessible from the Internet? What was the real need for this availability? Instead of relying on firewalls and access policies to protect valuable data from attack, enterprises need to review which data needs to be online at all.

    We urgently need to reduce the exposed attack surface of our information assets. But in the information age, the default has become to make data as available as possible. This liberality is driven both by the convenience of having all possible data on hand, just in case in it might be handy one day, and by the plummeting cost of mass storage. But it's also the result of a technocratic culture that knows "knowledge is power," and gorges on data.

    In communications theory, Metcalfe’s Law states that the value of a network is proportional to the square of the number of devices that are connected. This is an objective mathematical reality, but technocrats have transformed it into a moral imperative. Many think it axiomatic that good things come automatically from inter-connection and information sharing; that is, the more connection the better. Openness is an unexamined rallying call for both technology and society. “Publicness” advocate Jeff Jarvis wrote (admittedly provocatively) that: “The more public society is, the safer it is”. And so a sort of forced promiscuity is shaping up as the norm on the Internet of Things. We can call it "superconnectivity", with a nod to the special state of matter where electrical resistance drops to zero.

    In thinking about privacy on the IoT, a key question is this: how much of the data emitted from Internet-enabled devices will actually be personal data? If great care is not taken in the design of these systems, the unfortunate answer will be most of it.

    Steve Wilson CISID15 Rationing Identity in IoT (0 4) HANDOUTS  Data flows in Internet of Cars
    Steve Wilson CISID15 Rationing Identity in IoT (0 4 1) HANDOUTS  Imposing order IoT PII flows

    My latest investigation into IoT privacy uses the example of the Internet connected motor car. "Rationing Identity on the Internet of Things" will be released soon by Constellation Research.

    And don't forget Constellation's annual innovation summit, Connected Enterprise at Half Moon Bay outside San Francisco, November 4th-6th. Early bird registration closes soon.

    Posted in Security, Privacy, Cloud, Big Data

    On certain criticism of Frank Gehry

    A letter to the editor, Sydney Morning Herald, January 14, 2011.

    The ABC screened a nice documentary last night, "Getting Frank Gehry", about the new UTS Business School building. The only thing spoiling the show was Sydney's rusted-on architecture critic Elizabeth Farrelly having another self-conscious whinge. And I remembered that I wrote a letter to the Herald after she had a go in 2011 when the design was unveiled (see "Gehry has designed a building that is more about him than us").

    Where would damp squib critics be without the 'starchitects' they love to hate?

    Letter as published

    Ironically, Elizabeth Farrelly's diatribe against Frank Gehry and his UTS design is really all about her. She spends 12 flabby paragraphs defending criticism (please! Aren't Australians OK by now with the idea of critics?) and bravely mocking Gehry as "starchitect".

    Eventually Farrelly lets go her best shots: mild rhetorical questions about the proposal's still unseen interior, daft literalism about buildings being unable to move, and a "quibble" about harmony. I guess she likewise dismisses Gaudi and his famous fluid masonry.

    Farrelly's contempt for the university's ''boot licking'' engagement with this celebrated architect is simply myopic. The thing about geniuses like Gehry and Utzon is that brave clients can trust that the results will prevail.

    Stephen Wilson, Five Dock

    Posted in Culture

    Biometrics Privacy Trust Mark Development - Stage 2

    The Biometrics Institute has received Australian government assistance to fund the next stage of the development of a new privacy Trust Mark. And Lockstep Consulting is again working with the Institute to bring this privacy initiative to fruition.

    A detailed feasibility study was undertaken by Lockstep in the first half of 2015, involving numerous privacy advocates, regulators and vendors in Europe, the US, New Zealand and Australia.

    We found strong demand for a reputable, non-trivial B2C biometrics certification.

    Privacy advocates are generally supportive of a new Trust Mark, however they stress that a Trust Mark can be counter-productive if it is too easy to obtain, biased by industry interests, and/or poorly policed. There is general agreement that a credible trust mark should be non-trivial, and consequently, that the criteria be reasonably prescriptive. The reality of a strong Trust Mark is that not all architectures and solution instances will be compatible with the certification criteria.

    The next stage of the Biometrics Institute project will deliver technical criteria for the award of the Trust Mark, and a PIA (Privacy Impact Assessment) template. A condition of the Trust Mark will be that a PIA is undertaken.

    Please contact Steve Wilson at Lockstep swilson@lockstep.com.au or Isabelle Moeller (Biometrics Institute CEO) isabelle@biometricsinstitute.org, if you'd like to receive further details of the Stage 1 findings, or would like to contribute to the technical research in Stage 2.

    Posted in Trust, Privacy, Biometrics

    A letter on Free Speech and the Right to be Forgotten

    An unpublished letter to New Yorker magazine, August 2015.

    Kelefa Sanneh ("The Hell You Say", Aug 10 & 17) poses a question close to the heart of society’s analog-to-digital conversion: What is speech?

    Internet policy makers worldwide are struggling with a recent European Court of Justice decision which grants some rights to individuals to have search engines like Google block results that are inaccurate, irrelevant or out of date. Colloquially known as the "Right To Be Forgotten" (RTBF), the ruling has raised the ire of many Americans in particular, who typically frame it as yet another attack on free speech. Better defined as a right to be de-listed, RTBF makes search providers consider the impact on individuals of search algorithms, alongside their commercial interests. For there should be no doubt – search is very big business. Google and its competitors use search to get to know people, so they can sell better advertising.

    Search results are categorically not the sort of text which contributes to "democratic deliberation". Free speech may be many things but surely not the mechanical by-products of advertising processes. To protect search results as such mocks the First Amendment.

    End.

    Some of my other RTBF thoughts:

    Posted in Privacy, Internet, Culture, Big Data

    Good, better, BlackBerry

    In the latest course of a 15 month security feast, BlackBerry has announced it is acquiring mobile device management (MDM) provider Good Technology. The deal is said to be definitive, for US$425 million in cash.

    As BlackBerry boldly re-positions itself as a managed service play in the Internet of Things, adding an established MDM capability to its portfolio will bolster its claim -- which still surprises many -- to be handset neutral. But the Good buy is much more than that. It has to be seen in the context of John Chen's drive for cross-sector security and privacy infrastructure for the IoT.

    As I reported from the recent BlackBerry Security Summit in New York, the company has knitted together a comprehensive IoT security fabric. Look at how they paint their security platform:

    BBY Security Platform In Action

    And see how Good will slip neatly into the Platform Services column. It's the latest in what is now a $575 million investment in non-organic security growth (following purchases of Secusmart, Watchdox, Movirtu and Athoc).

    According to BlackBerry,

      • Good will bring complementary capabilities and technologies to BlackBerry, including secure applications and containerization that protects end user privacy. With Good, BlackBerry will expand its ability to offer cross-platform EMM solutions that are critical in a world with varying deployment models such as bring-your-own-device (BYOD); corporate owned, personally enabled (COPE); as well as environments with multiple user interfaces and operating systems. Good has expertise in multi-OS management with 64 percent of activations from iOS devices, followed by a broad Android and Windows customer base.(1) This experience combined with BlackBerry’s strength in BlackBerry 10 and Android management – including Samsung KNOX-enabled devices – will provide customers with increased choice for securely deploying any leading operating system in their organization.

    MyPOV

    The strategic acquisition of Good Technology will also give the Identity-as-a-Service sector a big kick. IDaaS is become a crowded space with at least ten vendors (CA, Centrify, IBM, Microsoft, Okta, OneLogin, Ping, Salepoint, Salesforce, VMware) competing strongly around a pretty well settled set of features and functions. BlackBerry themselves launched an IDaaS a few months ago. At the Security Summit, I asked their COO Marty Beard what is going to distinguishe their offering in such a tight market, and he said, simply, mobility. Presto!

    But IDaaS is set to pivot. We all know that mobility is now the locus of security , and we've seen VMware parlay its AirWatch investment into a competitive new cloud identity service. This must be more than a catch-up play with so many entrenched IDaaS vendors.

    Here's the thing. I foresee identity actually disappearing from the user experience, which more and more will just be about the apps. I discussed this development in a really fun "Identity Innovators" video interview recorded with Ping at the recent Cloud Identity Summit. For identity to become seamless with the mobile application UX, we need two things. Firstly, federation protocols so that different pieces of software can hand over attributes and authentication signals to one another, and these are all in place now. But secondly we also need fully automated mobile device management as a service, and that's where Good truly fits with the growing BlackBerry platform.

    Now stay tuned for new research coming soon via Constellation on the Internet of Things, identity, privacy and software reliability.

    See also The State of Identity Management in 2015.

    Posted in Security, Identity, Federated Identity, Constellation Research, Big Data

    Card Not Present fraud trends (sadly) back to normal

    The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months for the preceding 12m period. For years, Lockstep has been monitoring these figures, plotting the trend data and analysing what the industry is and is not doing about it. A few weeks ago, statistics for calendar year 2014 came out.

    CNP trends pic to CY 2014

    As we reported last time, despite APCA's optimistic boosting of 3D Secure and education measures for many years, Card Not Present (CNP) online fraud was not falling as hoped. And what we see now in the latest numbers is the second biggest jump in CNP fraud ever! CY 2014 online card fraud losses were very nearly AU$300M, up 42% in 12 months.

    Again, APCA steadfastly rationalises in its press release (PDF) that high losses simply reflect the popularity of online shopping. That's cold comfort to the card holders and merchants who are affected.

    APCA has a love-ignore relationship with 3D Secure. This is one of the years when 3D Secure goes unmentioned. Instead the APCA presser talks up tokenization, I think for the first time. Yet the payments industry has had tokenization for about a decade. It's just another band-aid over the one fundamental crack in the payment card system: nothing stops stolen card numbers being replayed.

    A proper fix to replay attack is easily within reach, which would re-use the same cryptography that solves skimming and carding, and would restore a seamless payment experience for card holders. See my 2012 paper Calling for a Uniform Approach to Card Fraud Offline and On" (PDF).

    Abstract

    The credit card payments system is a paragon of standardisation. No other industry has such a strong history of driving and adopting uniform technologies, infrastructure and business processes. No matter where you keep a bank account, you can use a globally branded credit card to go shopping in almost every corner of the world. The universal Four Party settlement model, and a long-standing card standard that works the same with ATMs and merchant terminals everywhere underpin seamless convenience. So with this determination to facilitate trustworthy and supremely convenient spending in every corner of the earth, it’s astonishing that the industry is still yet to standardise Internet payments. We settled on the EMV standard for in-store transactions, but online we use a wide range of confusing and largely ineffective security measures. As a result, Card Not Present (CNP) fraud is growing unchecked.

    This article argues that all card payments should be properly secured using standardised hardware. In particular, CNP transactions should use the very same EMV chip and cryptography as do card present payments.

    With all the innovation in payments leveraging cryptographic Secure Elements in mobile phones - the exemplar being Apple Pay for Card Present business - it beggars belief that we have yet to modernise CNP payments for web and mobile shopping.

    Posted in Security, Payments, Fraud