First Day Reflections from CIS Monterey.
Follow along on Twitter at #CISmcc (for the Monterey Conference Centre).
The Cloud Identity Summit really is the top event on the identity calendar. The calibre of the speakers, the relevance and currency of the material, the depth and breadth of the cohort, and the international spread are all unsurpassed. It's been great to meet old cyber-friends in "XYZ Space" at last -- like Emma Lindley from the UK and Lance Peterman. And to catch up with such talented folks like Steffen Sorensen from New Zealand once again.
A day or two before, Ian Glazer of Salesforce asked in a tweet what we were expecting to get out of CIS. And I replied that I hoped to change my mind about something. It's unnerving to have your understanding and assumptions challenged by the best in the field ... OK, sometimes it's outright embarrassing ... but that's what these events are all about. A very wise lawyer said to me once, around 1999 at the dawn of e-commerce, that he had changed his mind about authentication a few times up to that point, and that he fully expected to change his mind again and again.
I spent most of Saturday in Open Identity Foundation workshops. OIDF chair Don Thibeau enthusiastically stressed two new(ish) initiatives: Mobile Connect in conjunction with the mobile carrier trade association GSM Association @GSMA, and HIE Connect for the health sector. For the uninitiated, HIE means Health Information Exchange, namely a hub for sharing structured e-health records among hospitals, doctors, pharmacists, labs, e-health records services, allied health providers, insurers, drug & device companies, researchers and carers; for the initiated, we know there is some language somewhere in which the letters H.I.E. stand for "Not My Lifetime".
But seriously, one of the best (and pleasantly surprising) things about HIE Connect as the OIDF folks tell it, is the way its leaders unflinchingly take for granted the importance of privacy in the exchange of patient health records. Because honestly, privacy is not a given in e-health. There are champions on the new frontiers like genomics that actually say privacy may not be in the interests of the patients (or more's the point, the genomics businesses). And too many engineers in my opinion still struggle with privacy as something they can effect. So it's great -- and believe me, really not obvious -- to hear the HIE Connects folks -- including Debbie Bucci from the US Dept of Health and Human Services, and Justin Richer of Mitre and MIT -- dealing with it head-on. There is a compelling fit for the OAUTH and OIDC protocols here, with their ability to manage discrete pieces of information about users (patients) and to permission them all separately. Having said that, Don and I agree that e-health records permissioning and consent is one of the great UI/UX challenges of our time.
Justin also highlighted that the RESTful patterns emerging for fine-grained permissions management in healthcare are not confined to healthcare. Debbie added that the ability to query rare events without undoing privacy is also going to be a core defining challenge in the Internet of Things.
MyPOV: We may well see tremendous use cases for the fruits of HIE Exchange before they're adopted in healthcare!
In the afternoon, we heard from Canadian and British projects that have been working with the Open Identity Exchange (OIX) program now for a few years each.
Emma Lindley presented the work they've done in the UK Identity Assurance Program (IDAP) with social security entitlements recipients. These are not always the first types of users we think of for sophisticated IDAM functions, but in Britain, local councils see enormous efficiency dividends from speeding up the issuance of eg disabled parking permits, not to mention reducing imposters, which cost money and lead to so much resentment of the well deserved. Emma said one Attributes Exchange beta project reduced the time taken to get a 'Blue Badge' permit from 10 days to 10 minutes. She went on to describe the new "Digital Sources of Trust" initiative which promises to reconnect under-banked and under-documented sections of society with mainstream financial services. Emma told me the much-abused word "transformational" really does apply here.
MyPOV: The Digital Divide is an important issue for me, and I love to see leading edge IDAM technologies and business processes being used to do something about it -- and relatively quickly.
Then Andre Boysen of SecureKey led a discussion of the Canadian identity ecosystem, which he said has stabilised nicely around four players: Federal Government, Provincial Govt, Banks and Carriers. Lots of operations and infrastructure precedents from the payments industry have carried over.
Andre calls the smart driver license of British Columbia the convergence of "street identity and digital identity".
MyPOV: That's great news - and yet comparable jurisdictions like Australia and the USA still struggle to join governments and banks and carriers in an effective identity synthesis without creating great privacy and commercial anxieties. All three cultures are similarly allergic to identity cards, but only in Canada have they managed to supplement drivers licenses with digital identities with relatively high community acceptance. In nearly a decade, Australia has been at a standstill in its national understanding of smartcards and privacy.
For mine, the CIS Quote of the Day came from Scott Rice of the Open ID Foundation. We all know the stark problem in our industry of the under-representation of Relying Parties in the grand federated identity projects. IdPs and carriers so dominate IDAM. Scott asked us to imagine a situation where "The auto industry was driven by steel makers". Governments wouldn't put up with that for long.
Can someone give us the figures? I wonder if Identity and Access Management is already more economically ore important than cars?!
Cheers from Monterey, Day 1.
"All Hail the Relyingpartyrati!"
The quote "The IdP is Dead! Hail the Relyingpartyrati" is from my conclusion (reflecting the running inside joke at CIS that something has to die each year). One of my ideas is that because identification is carried out by Relying Parties, it's more correct (and probably liberating) to think of identity as being created by the RP. The best option for what we call "Identity Providers" today may be to switch to providing more specific Attributes or identity assertions. In fact, the importance of attributes kept recurring throughout CIS; Andrew Nash for example said at one point that "attributes are at least as interesting if not more so than identities".[Now it has emerged during the debates that people might use the word "attribute" in slightly different ways. I said at CIS that I treat 'attributes', 'assertions' and 'claims' interchangeably; I think we should focus functionally on reliable exchange of whatever factoids a Relying Party needs to know about a Subject in order to be able to transact. I'll blog in more detail about Attributes shortly.]
To summarise my CIS talk:
Federated Identity is easier said than done. In response, we should drop down a level, and instead of trading in abstract high level identities, let's instead federate concrete component attributes. We don't really need Identity Providers as such; we need a marketplace of Attribute Providers from which Relying Parties can get exactly the right information they need to identify their users.
- identities evolve over time in response to risk factors in the natural business environment; we need to understand why authentication has got the way it is before we rush in to federate disparate methods
- identities appear to be "memetic", composed of heritable traits relating to business rules and practices, conventions, standards, regulations, technologies, algorithms, cryptographic parameters, form factors and so on
- the dreaded identity silos are actually ecological niches; taking an identity from the context in which it evolved and using it in another is like taking a salt water fish and dropping it into a fresh water tank
- if identity is memetic then we should be able to sequence digital identities into their constituent memes, and thence re-engineer them more carefully to match desired new applications
- it is an over-simplification to think of a (one dimensional) identity spectrum; instead each RP's "identification" requirements are multi-dimensional, and best visualised as a surface.
To a great extent, many of the challenges in information security boil down to human factors engineering. We tend to have got the security-convenience trade-off in infosec badly wrong. The computer password is a relic of the 1960s, devised by technicians, for technicians. If we look at traditional security, we see that people are universally habituated to good practices with keys and locks.
The terrible experience of Wired writer Mat Honan being hacked created one of those classic overnight infosec sensations. He's become the poster boy for the movement to 'kill the password'. His follow up post of that name was tweeted over two thousand times in two days.
Why are we so late to this realisation? Why haven't we had proper belts-and-braces access security for our computers ever since the dawn of e-commerce? We all saw this coming -- the digital economy would become the economy; the information superhighway would become more important than the asphalt one; our computing devices would become absolutely central to all we do.
It's conspicuous to me that we have always secured our serious real world assets with proper keys. Our cars, houses, offices and sheds all have keys. Many of us would have been issued with special high security keys in the workplace. Cars these days have very serious keys indeed, with mechanical and electronic anti-copying design features. It's all bog standard.
But for well over a decade now, cyber security advocates speak earnestly about Two Factor Authentication as if it's something new and profound.
For a few extra bucks we could build proper physical keyed security into all our computers and networked devices. The ubiquity of contactless interfaces by wifi or NFC opens the way for a variety of radio frequency keys in different form factors for log on.
There's something weird about the computing UX that has long created different standards for looking at the cyber world and the real world. A personal story illustrates the point. About nine years ago, I met with a big e-commerce platform provider that was experiencing a boom in fraud against the online merchants it was hosting. They wanted to offer their merchant tenants better security against hijackers. I suggested including a USB key for mutual authentication and strong digital signatures, but the notion of any physical token was rejected out of hand. They could not stomach the idea that the merchant might be inconvenienced in the event they misplaced their key. What an astonishing double standard! I asked them to imagine being a small business owner, who one day drives to the office to find they've left door key behind. What do you want to do? Have some magic protocol that opens the door for you, or do you put up with the reality of having to turn around and get your keys?
We are universally habituated to physical keys and key rings. They offer a brilliant combination of usability and security. If we had comparably easy to use physical keys for accessing virtual assets, we could easily manage a suite of 10 or 15 or more distinct digital identities, just as we manage that many real world keys. Serious access security for our computers would be simple, if we just had the will to engineer our hardware properly.
Imagine a new secretarial agency that provides you with a Personal Assistant. They're a really excellent PA. They look after your diary, place calls, make bookings, plan your travel, send messages for you, take dictation. Like all good PAs, they get to know you, so they'll even help decide where to have dinner.
And you'll never guess: there's no charge!
But ... at the end of each day, the PA reports back to their agency, and provides a full transcript of all you've said, everyone you've been in touch with, everything you've done. The agency won't say what they plan to do with all this data, how long they'll keep it, nor who they'll share it with.
If you're still interested in this deal, here's the PA's name: Siri.
Seriously now ... Siri may be a classic example of the unfair bargain at the core of free social media. Natural language processing is a fabulous idea of course, and will improve the usability of smart phones many times over. But Siri is only "free" because Apple are harvesting personal information with the intent to profit from it. A cynic could even call it a Trojan Horse.
I myself will decline to use Siri while the language processing is done in the cloud, and while Apple does not constrain its use of my voice data. I'll wait for NLP to be done on the device with the data kept private. And I'd happily pay for that app.
Update 28 Nov 2011
How are we to read Peter Steiner's famous cartoon "On the Internet, nobody knows you're a dog"? It wasn't an editorial cartoon, so Steiner wasn't trying to make a point. I understand he was just trying to be funny.
Why is the cartoon funny? I think it's because dogs are mischievous (especially the ordinary muts in question). Dogs chew your slippers when you're not looking. So imagine what fun they would have on the Internet. They would probably sell your slippers given the chance on eBay.
Technologists especially have latched onto the cartoon and given it deeper meanings, particularly relating to "trust". Whether or not the cartoon triggered it, it coincided with a rush of interest in the topic. Through most of the 1990s, hoards of people became preoccupied with "trust" as a precondition for e-business. Untold hours were spent researching, debating, deconstructing and re-defining "trust", as if the human race didn't really understand it and Internet-age technologists had some fresh new understanding to offer. Really? Was there ever really a "trust" problem per se? Did the advent of the Internet truly demand such earnest reappraisal?
No. We should read the Steiner cartoon as being all about fidelity not trust. It goes without saying that you wouldn't trust a dog. The challenge online is really pretty prosaic: it is to tell what someone is. Trust then follows from that knowledge.
I maintain that we trust people well enough in the real world. It's safe to use the word paradigm here. There is a trust paradigm, namely a big amorphous system of social constructs, habits, conventions and laws that we take for granted for creating trust. The real world processes are not perfect; they sometimes break down, but not so often that the paradigm needs shifting. It's true that establishing trust in new business relationships is subtle and muti-pathed, but in routine business transactions - the sort that the Internet is good for - trust is not subtle at all. The only thing that matters most of the time is the parties' formal credentials (not even their identities) in the context at hand. For example, a pharmacist doesn't "trust" the doctor as such when filling a prescription. Medicos, accountants, engineers, bankers, lawyers, architects and so on have professional qualifications that authorise them to undertake certain transactions. And in the traditional mercantile world, the shopkeeper or sales assistant is probably a total stranger, but we know that consumer protection legislation, credit card agreements and big companies' reputations all keep us safe. So we don't actually "trust" most people we do business with at all. We don't have to.
There is an old Italian proverb that perfectly sums up most business:
It is good to trust, but it is better not to.
I say that should be the defining slogan of Internet sociology. Armed with this insight, the transition from real world to digital need not be so daunting. Trust is moot, and all those technologists can stop fretting that the concept of identity needs re-defining.
Apple is reported to have acquired the "Polar Rose" technology that allows photos to be tagged with names through automated facial recognition.
The iPhone FAQ site says:
Interesting uses for the technology include automatically tagging people in photos and recognizing FaceTime callers from contact information. As the photographs taken on the iPhone improve, various image analysis algorithms could also be used to automatically classify and organize photos by type or subject.
Apple's iPhoto currently recognizes faces in pictures for tagging purposes. It's possible Apple is looking to improve and expand this functionality. Polar Rose removed its free tagging services for Facebook and Flickr earlier this month, citing interest from larger companies in licensing their technology.
The privacy implications are many and varied. Fundamentally, such technology will see hitherto anonymous image data converted into personal information, at those informopolies like Google, Facebook and Apple which hold vast personal photo archives.
Facial recognition systems obviously need to be trained. Members will upload photos, name the people in the photos, and then have the algorithm run over other images in the database. So it seems that Apple (in this case) will have lists of the all-important bindings between biometric template and names. What stops them running the algorithm and binding over any other images they happen to have in their databases? Apple has already shown a propensity to hang on to rich geolocation data generated by the iPhone, and a reluctance to specify what they intend to do with that data.
If facial recognition worked well, then the shady possibilities are immediately obvious. Imagine that I have been snapped in a total stranger's photo -- say some tourist on the Manly ferry -- and they've uploaded the image to a host of some sort. What if the host, or some third party data miner, runs the matching algorithm over the stranger's photo and recognises me in it? If they're quick, a cunning business might SMS me a free ice cream offer, seeing I'm heading towards the corso. Or they might work out I'm a visitor, because the day before I was snapped in Auckland, and they can start to fill in my travel profile.
This is probably sci-fi for now, because in fact, facial recognition doesn't work at all well when image capture conditions aren't tightly controlled. But this is no cause for complacency, for the very inaccuracy of the biometric method might make the privacy implications even worse.
To analyse this, as with any privacy assessment, we should start with information flows. Consider what's going on when a photo is uploaded to this kind of system. Say my friend Alice discloses to Apple that "manly ferry 11dec2010.jpg" is an image of Steve Wilson. Apple has then collected Personal Information about me, and they've done it indirectly, which under Australia's privacy regime is something they're supposed to inform me of as soon as practical.
Then Apple reduces the image to a biometric template, like "Steve Wilson sample 001.bio". The Australian Law Reform Commission has recommended that biometric data be treated as Sensitive Information, and that collection be subject to express consent. That is, a company won't be allowed to collect facial recognition template data without getting permission first.
Setting aside that issue for a moment, consider what happens when later, someone runs the algorithm against a bunch of other images, and it generates some matches: e.g. "uluru 30jan2008.jpg"-is-an-image-of-Steve-Wilson. It doesn't actually matter whether the match is true or false: it's still a brand new piece of Personal Information about me, created and collected by Apple, without my knowledge.
I reckon both false matches and true matches satisfy the definition of Personal Information in the Australian Privacy Act, which includes "an opinion ... whether true or not".
Remember: The failures of biometrics often cause greater privacy problems than do their successes.
The value proposition of cloud computing is basically that backend or server-side computing is somehow better than front-end or client side. History suggests that the net benefit tends to swing like a pendulum between front and back. I don't think cloud computing will last, for there is an inexorable trend towards the client. It seems people like to keep their computing close.
It's often said that cloud computing is not unlike time-slice computing of the 1960s. Or the network computers of the 1980s. These are telling comparisons. So what was the attraction of backend computing in past eras?
In the 1960s, hardware was fiercely expensive and few could afford more than dumb terminals. Moore's Law fixed that problem.
In the 1980s, it was software that was expensive. The basic value proposition of the classic Sun NetPC was that desktop apps from you-know-who were too costly. But software prices have dropped, and the Free and Open Source movements in a sense outcompeted the network computer.
In the current cycle I think the differences between front and back are more complex (as is the business environment) and there are a number of different reasons to shift once more to the backend. For consumers until recently, it had to do with the cost of storage; filesharing for photos and the like made sense while terabytes were unaffordable but already that has changed.
A good deal of cloud 'migration' is happening by stealth, with great new IT services having their origins in the cloud. I'm thinking of course of Facebook and its ilk. A generation seems to be growing up having never experienced fat client e-mail or building their own website; they aren't moving anything to the cloud; they have been born up there and have never experienced anything else. A fascinating dynamic is how Facebook is now trying to attract businesses.
For corporates, much of the benefit of cloud computing relates to compliance. In particular, security, PCI-DSS and data breach disclosure obligations are proving prohibitive for smaller organisations, and outsourcing their IT to cloud providers makes sense.
Yet compliance costs at present are artificially high and are bound to fall. The PCI regime for instance is proving to be a wild goose chase, which will end sooner or later when proper security measures are finally deployed to prevent replay of payment card numbers. Information security in general is expensive largely because our commodity PCs, applicances and desk top apps aren't so well engineered. This has to change -- even if it takes another decade -- and when it does, the safety margin of outsourcing services will drop, and once again, people will probably prefer to do their computing closer to home.
Still, if cloud computing provides corporates with lower compliance costs for another ten years, then that will be a pretty good trot.