January 19, 2011 at 11:19 pm | Posted in Cyber Security, Identity Management | 1 Comment
Tags: 1Password, CA, Cardspace, Drop Box, Facebook, Google Docs, Higgins, Identity 2.0, Identity Management, LinkedIn, Live Mesh, Microsoft OneNote, Mindmeister, MobileNoter, OAuth, SSO, Trusteer Rapport, Twitter
I enjoyed reading a good-natured rant about the vagaries of managing your identity online on the Des Res blog the other week. If, like me, you work for a large organisation, you’ll probably be obliged to follow strict rules on selecting a password for access to corporate systems. If, again like me, you use a lot of websites that require you to select credentials for logging in, you may struggle to manage a large (and constantly growing) set of strong passwords without writing them down. In these circumstances, it’s very tempting to re-use the strong password for your work systems for other purposes.
Identity 2.0 or digital identity has long promised to solve these problems in a world where a user can potentially have one online identity, with a pre-certified proof which is submitted when required for authentication. This model is represented by Microsoft’s Cardspace and the open source Higgins project, but has been slow to gain momentum. However, in recent years, a number of the larger IAM vendors, starting with CA Technologies, have added support for these technologies to their Web Access Management products.
Multiple Identities Online
Of course, being able to use a single identity and set of credentials for all your online activities is a real “good news/bad news” story. The convenience of managing a single set of credentials comes at a price: it’s quite conceivable that your visits to different websites could be aggregated and correlated, to build a far more comprehensive (and revealing) picture of your online activity than you might feel comfortable with. It’s also true to say that not all web sites we visit (and register for) justify the same level of strength in authenticating our identity. For example:
- Online Banking: There’s so much at stake if your banking credentials become compromised that it’s obvious to all but the hard of thinking that those credentials should never be used elsewhere. In a previous post, I described how my bank allows me to be warned if I try to re-use internet banking credentials on another site, by providing me with a free copy of Trusteer Rapport. This protection can be easily extended to other high risk sites.
- Social Media: As I’ve described on these pages before, I use a wide range of social media applications (in the widest sense of the term) to maintain my contact list, collect and collate information and publicise this blog. Each site requires a separate set of credentials, but increasingly I’m offered the chance to sign in to one application using the credentials from another (very often, either Twitter or Facebook). This makes use of the Open Authentication (OAuth) protocol. OAuth allows the user to authenticate with their chosen service to generate a token. The token can then be used to allow another application to access resources for a given period of time. So, for example, when configuring Tweetdeck, I authenticate in turn to Twitter, Facebook, LinkedIn and Google Buzz and authorise Tweetdeck to use the OAuth tokens to retrieve data from those applications until I revoke that access.
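To make the token-based delegation described above concrete, here is a small Python model written for this page (not code from the post or from Twitter, Facebook or Tweetdeck): a provider authenticates the user once, hands the client a scoped, time-limited, revocable token, and the client presents only that token, never the password. The class names, the "tweetdeck" client, the sample user and the HMAC token format are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time


class IdentityProvider:
    """The service the user authenticates to (Twitter, Facebook, ... in the post).

    It holds the user's password and a private signing key; the third-party
    client only ever receives a signed, scoped, time-limited token.
    """

    def __init__(self, users):
        self.users = users                  # username -> password (constructed sample data)
        self.key = secrets.token_bytes(32)  # signing key, never shared with clients
        self.revoked = set()                # tokens the user has withdrawn

    def issue_token(self, user, password, client, scope, ttl, now=None):
        """Step 1: the user authenticates here and authorises `client` for `scope`."""
        if not hmac.compare_digest(self.users.get(user, ""), password):
            raise PermissionError("bad credentials")
        now = time.time() if now is None else now
        body = f"{user}|{client}|{scope}|{int(now) + ttl}|{secrets.token_hex(8)}"
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{sig}"              # the only secret the client ever holds

    def revoke(self, token):
        """The user withdraws access ("until I revoke that access")."""
        self.revoked.add(token)

    def validate(self, token, required_scope, now=None):
        """Step 2: a resource request carries the token; returns the user or None."""
        body, _, sig = token.rpartition("|")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None                     # forged or tampered token
        user, _client, granted, exp, _nonce = body.split("|")
        now = time.time() if now is None else now
        if token in self.revoked or now >= int(exp):
            return None                     # revoked, or past its agreed lifetime
        if required_scope not in granted.split(","):
            return None                     # token was not authorised for this action
        return user


def read_timeline(idp, token, now=None):
    """What a client such as Tweetdeck does: present the token, never a password."""
    user = idp.validate(token, "read", now=now)
    return f"timeline of {user}" if user else None
```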
Single Sign On
This still leaves a wide range of different sites that require a login. I use a wide range of Cloud Services, including Drop Box (of which, more in a moment), Windows Live Mesh, Mind Meister (for collaborating on mind maps), MobileNoter (for sharing and synchronising Microsoft OneNote) and of course, Google Docs. These (or at least the data I entrust to them) are important enough to me to warrant good quality credentials and together they make a good case for Single Sign On. With more than 10 years’ experience in Identity Management projects, I’ve always viewed SSO as primarily a user productivity tool, with some incidental security benefits. However, I came across a story on Mashable, describing tools for managing web passwords and quickly realised that I could:
- Store all my credentials in a single location;
- Secure them with a single strong password, which never leaves my machine;
- Synchronise that credential store across multiple computers by locating the credential store on Drop Box;
- Use the same, synchronised solution on my iPhone.
So, armed with these requirements and the Mashable product reviews, I eventually settled on 1Password. As well as a management app, which sits in the system tray, 1Password installs a plug-in for all the modern browsers (I’m using it with IE and Firefox) which detects when you’re completing a registration or login form and prompts you to save the credentials. Next time you visit the site, just press the 1Password button to login. Incidentally, the Mashable article mentions that 1Password is primarily a Mac product, with a Windows version in beta. The Windows version is now in fact available as a paid-for GA product.
So, in conclusion, it’s possible to figure out a strategy to at least simplify sign on and credential management to a wide range of web sites and applications, each with differing needs for strength and protection. By and large, the tools to do this are available for free and even the commercial components I chose are available for a very modest fee. All in all, the benefits far outweigh the modest outlay of time and cash.
January 20, 2010 at 3:09 pm | Posted in Human Factors in Security | 2 Comments
Tags: Facebook, group identity, human behaviour, Identity Economics, LinkedIn
From the age of 16, for the next 15 years, I served in the Royal Navy. Like all uniformed military organisations, a vital part of the induction process is learning the etiquette attached to membership. I don’t just mean the rules necessary for large and (at that time) wholly male groups to live and work in extremely close proximity, away from their families for long periods. Nor do I just mean the discipline on which lives can depend in a fighting force. Finally, I don’t just mean the quaint and unique traditions that come from 500 years of history. What I mean is the way in which servicemen (and women) are expected to dress (both in and out of uniform) and to behave (whether on duty or not), particularly when in the view of the general public.
The pressure to conform to these standards (which generally far exceed the norms for society) is immense and is imposed by one’s peers, not through the hierarchy. Having said that though, the lessons a 16-year-old learns from a Gunnery Instructor tend to stay learned for life! A good example is the practice of saluting. Saluting is always a mark of respect to the Monarch. So, we face the mast and salute at morning Colours and at evening Sunset, we face the ensign and salute as we board the ship or go ashore. And, we salute officers, because they hold the Queen’s Commission and that’s what we’re acknowledging, not the individual. To illustrate that point, from their inception in November 1917, the Women’s Royal Naval Service (WRNS) were not formally part of the Royal Navy, having their own rules and organisation. WRNS officers did not hold a commission and thus, Royal Naval personnel were not required to salute them. This all changed on 1 July 1977, when the WRNS became subject to the Naval Discipline Act.
Why am I telling this long-winded story? Well, although I left the Navy nearly 30 years ago, MrsV1951 and I still live in a naval town, so seeing uniformed RN personnel in the town centre is a common occurrence. A few days ago, in search of sanctuary and free wi-fi, I was headed to a local coffee shop and I happened to be following a naval officer, in uniform. Coming in the opposite direction were two naval ratings, also in uniform. They passed without even acknowledging each other’s presence, much less saluting. I was incensed, not just by this, but by the fact that the ratings were wearing their blue denim working uniforms (never, ever worn ashore in my day) and the officer was drinking Cola from a McDonalds cup as he walked! Why was I so annoyed? Maybe I’m just becoming a curmudgeon (I’m certainly old enough to qualify).
And then, today, an article in the Times by Daniel Finkelstein shed some light on my disquiet. Finkelstein was discussing how group identity has an impact on how we behave. This phenomenon has attracted the attention of the Nobel Prize-winning economist George Akerlof. Together with Rachel Kranton, he developed the idea of Identity Economics. The central concept is that we adopt an identity to fit in with our peer group and that preserving that identity is one of our major economic drivers. In their book “Identity Economics: How Our Identities Shape Our Work, Wages, and Well-Being” (to be published next month), they describe how the Armed Forces successfully exploit this behaviour to make service personnel adopt the identity of the service to build team spirit and morale – all the attributes that make every serviceman and woman determined to do their best for their colleagues every time. And they know that their colleagues will do the same – essential in the face of extreme danger (I served much of my time in submarines, where extreme danger was always close by, though rarely due to hostile action). So, maybe that explains my annoyance. What I saw was members of a peer group of which I am (subconsciously?) still a member not obeying what I think are the norms of group behaviour. If Akerlof is right, then I see that (subconsciously?) as a threat to my identity.
So, finally, what’s all this got to do with Identity Management? Well, it seems to me that some of the more perceptive commentators in the security industry, including David Lacey and Bruce Schneier, are saying that the real challenge for security professionals is to address the behaviour of the humans in the system. And, if Akerlof is right, then those humans have a composite identity, where each segment represents a peer group with which they identify and carries with it a set of behavioural norms.
It seems to me that this is reflected in the different behaviour people exhibit in revealing personal information on sites such as Facebook and LinkedIn. They expect to be able to portray an appropriate “face” to their peers in these different environments, without them interacting. And this, allowing a user to control who can see which parts of their identity profile and under what circumstances, is where we’re going to need some technology.