Identity for the internet will balance security and privacy

Authentication, authorisation and user management are some of the oldest problems in security and the level of attention they're getting at this year's RSA conference reflects the rise in criminal attacks and regulation rather than developments in technology.

Combined with a deluge of data in the enterprise, these trends are forcing the enterprise towards what Symantec chief executive John Thompson calls an information-centric view of security: "the amount of stored data is growing at 50 per cent per year and trying to protect it all is costly and difficult." To protect what's most valuable, he predicts DRM from consumer entertainment services will move into the enterprise to protect documents. And in return, "identity management will need to expand beyond the boundaries of the enterprise, to embrace every consumer."

Identifying individuals always raises questions of privacy, as concerns over biometric identification and national ID card schemes have demonstrated repeatedly.

Microsoft's chief research and strategy officer Craig Mundie highlighted the natural tension between security and anonymity. "Increasingly the identity question is part of how we deal with trusting people, and the processes of how we manage people and their operation. Identity, and the claims around identity, are going to be critical in terms of how we find the structural balance between the privacy requirements in a given context and the security requirements."

But he also suggested that pressure for verifiable online identities won't only come from government or business. "Society will come to demand more reliable presentation of credentials and information about people in order to feel comfort, and we will see the emergence of the need for these new forms of credentialing. I think it's a natural thing, and as long as people are given the choice between having it and not having it, as a function of what they seek to gain access to, then I think we'll find a happy medium."

Passwords and more secure two-factor authentication aren't flexible enough in terms of what information they allow you to disclose about yourself, he said. "We put the CardSpace mechanism into Vista as a baby step, a way of introducing a GUI that people would be more familiar with, like they use credit cards and driver's licenses." With Microsoft's newly acquired Credentica technology this would give people a familiar way of dealing with identity, in a way that could protect their privacy.

Proving to a web site that you are an adult without having to give away your date of birth would be a significant step forward. "In one fell swoop we get beyond the liabilities of those overly broad and overly simplistic identity mechanisms, and into a world where there's a manageable strategy to present credentials on the user's side across different device categories, and then a much more integrated solution for managing it - and hopefully dealing with the cost issues on the enterprise side."

Mundie didn't go as far as suggesting that Microsoft might offer a service based on CardSpace and Credentica. But VeriSign chariman Jim Bidzos certainly dropped hints about a future public identity service based on OpenID and the secure tokens Verisign offers for eBay and PayPal.

He showed deliberately hard-to-read screens from something labelled 'My VeriSign OpenID page' and referred to social networks and online gaming sites wanting to use certificates to issue identities to users. "In the next five years, possibly sooner, we think there is going to be strong demand for a service like this."

Bidzos drew parallels with the DNS infrastructure and other core services that VeriSign already runs. "The experience we have with the domain name space, the experience we have with certificates, bring us close to an identity services that solves the problems in a way we think might suit a lot of consumers." But the service would be very different from enterprise authentication, he said.

"You can't dictate to people; it has to be an opt-in system - they have to be enticed to be your customers. Consumers have to trust the process and they have to be in control. It has to be easy to use and it's going to have to be very low cost. It gives me déjà vu. People want security but it better be automatic, transparent and free."

Email to a friend

Print this page

Social Bookmark this article: What is this?

Digg

Delicious

Reddit

StumbleUpon

Slashdot

Google

Facebook