I’m gearing up to go to the NSTIC convened steering group meeting in Chicago next week. Naturally, my inner nerd has me reviewing the founding documents, re-reading the NSTIC docs, and combing through the bylaws that have been proposed (all of which can be found here). I am also recalling all the conversations where NSTIC has come up. One trend emerges. Many people say they think the NSTIC identity provider responsibilities are too much risk for anyone to take on. With identity breaches so common now that only targets with star power make the news, there does seem to be some logic to that. If your firm were in the business of supplying government-approved identities and you got hacked, then you would be in even hotter water, right?
The more it rolls around in my head, the more I think the answer is: not really. Let’s think about the types of organization that would get into this line of work. One that is often cited is a mobile phone provider. Another is a website with many members. One thing these two classes of organization – and most others I hear mentioned – have in common is that they are already taking on the risk of managing and owning identities for people. They already have the burden of the consequences in the case of a breach. Would having the government seal of approval make that any less or more risky? It’s hard to say at this stage, but I’m guessing not. It could lessen the impact in one sense because some of the “blame” would rub off on the certifying entity. “Yes, we got hacked – but we were totally up to the obviously flawed standard!” If people are using those credentials in many more places since NSTIC’s ID Ecosystem ushers in this era of interoperability (cue acoustic guitar playing kumbaya), then you could say the responsibility does increase because each breach is more damage. But the flipside of that is there will be more people watching, and part of what this should do is put in place better mechanisms for users to respond to that sort of thing. I hope this will not rely on users having to see some news about the breach and change a password as we see today.
This reminds me of conversations I have with clients and prospects about single sign-on in the enterprise. An analogy, in the form of a question, that a co-worker came up with is a good conversation piece: would you rather have a house with many poorly locked doors or one really strongly locked door? I like it because it does capture the spirit of the issues. Getting in one of the poorly locked doors may actually get you access to one of the more secure areas of the house behind one of the better locked doors, because once you’re through one you may be able to move around more easily from the inside of the house. Some argue that with many doors there’s more work for the attacker. But the problem is that also means it’s more work for the user. They may end up just leaving all the doors unlocked rather than having to carry around that heavy keychain with all those keys and remember which is which. If they had only one door, they may even be willing to carry around two keys for that one door. And the user understands better that they are risking everything by not locking that one door, versus having to train them that one of the ten doors they have to deal with is more important than the others. All of this is meant to say: having lots of passwords is really just a form of security through obscurity, and the one you end up forcing to deal with that obscurity is the user. And we’ve seen how well they choose to deal with it. So it seems to me that less is more in this case. Fewer doors will mean more security, mostly because the users will be more likely to participate.
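To make the doors argument concrete, here is a small model I’ve added for this post (it is not from the original text, and every number in it is an assumption chosen for illustration, not a measurement). It captures the two effects the analogy describes: once any one door is open the attacker can move around inside, so with password reuse a single breached account exposes every account sharing that password; and the attacker only needs one of many weakly locked doors to open, while one door with two independent keys requires both to be defeated.

```python
# Added illustrative model of "many poorly locked doors vs. one strong door".
# Not code from the original post; all probabilities are assumed inputs.
from math import prod
from typing import Dict, Sequence


def expected_reach_after_one_breach(n_accounts: int, n_distinct_passwords: int) -> float:
    """Expected number of accounts an attacker reaches after ONE account is
    breached, when the user spreads n_distinct_passwords over n_accounts in
    round-robin fashion and the recovered password is replayed everywhere.

    This models "once you're through one door you can move around inside":
    the fewer distinct passwords the user carries, the larger the blast
    radius of any single breach.
    """
    if n_accounts <= 0:
        return 0.0
    k = min(n_distinct_passwords, n_accounts)
    # Account i uses password i % k, so the first (n % k) passwords cover one
    # extra account each.
    group_sizes = [n_accounts // k + (1 if i < n_accounts % k else 0) for i in range(k)]
    # The breached account is uniformly random. If it belongs to a group of
    # size g (probability g/n), all g accounts in that group fall.
    return sum(g * g for g in group_sizes) / n_accounts


def p_any_door_opened(per_door_p: Sequence[float]) -> float:
    """Probability that at least one of several independently guarded doors
    is opened in a given period, given each door's own compromise probability."""
    return 1.0 - prod(1.0 - p for p in per_door_p)


def p_single_door_opened(p_password: float, p_second_factor: float) -> float:
    """One door with two independent keys: both must be defeated."""
    return p_password * p_second_factor


def compare(n_doors: int, p_weak: float, p_strong: float, p_factor: float) -> Dict[str, object]:
    """Many doors, each with a weak password (p_weak), versus one door with a
    stronger password (p_strong) and a second factor (p_factor)."""
    many = p_any_door_opened([p_weak] * n_doors)
    single = p_single_door_opened(p_strong, p_factor)
    return {
        "many_doors": many,
        "single_door_two_keys": single,
        "single_is_safer": single < many,
    }


if __name__ == "__main__":
    # Assumed scenario: ten accounts, user remembers three passwords.
    print("reach after one breach, 10 accounts / 3 passwords:",
          expected_reach_after_one_breach(10, 3))
    print("reach after one breach, 10 accounts / 10 passwords:",
          expected_reach_after_one_breach(10, 10))
    print(compare(n_doors=10, p_weak=0.1, p_strong=0.05, p_factor=0.1))
```

The interesting part of the model is that the single-door result does not depend on how strong the one password is in isolation; it depends on the second key being independent of the first. That is the same point the post makes about users being willing to carry two keys for one door but not ten keys for ten doors.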
Overall, the conversations at RSA have been more focused this year than last. Most people came asking project-focused questions. The most popular was two-factor, of course. Many asked about auditing, some about SSO, and the rest asked about controlling directory content and delegation for separation of duties (SoD). So I’ve been talking a lot about Defender, InTrust, Authentication Services and ActiveRoles Server, respectively. It also seems like there are more senior people here this year. Many titles with director, VP and executive in them are speaking to us. I think it’s a sign of how much more seriously identity and security are being taken now.
The biggest a-ha moment for me so far was sitting in the IDC breakfast yesterday. Sally Hudson from IDC was talking about the penetration of identity and access management technologies into applications. She mentioned how most of the technologies, SSO, TFA, etc., were not new but were only now starting to become part of the majority of applications. What occurred to me was that only now is identity technology getting to the point where applications can easily consume its services. Pieces that are easy to use have great penetration, which accounts for the success of LDAP and products like SiteMinder. But for more advanced identity that incorporates federation capabilities, provisioning integration, fine-grained access control and other advanced functions, it’s only now that we’re seeing technologies deliver. And it’s not that applications don’t do these things now. Applications that need to federate do, and applications that need access control have it. Those services are built on demand and typically without COTS help, though. With the rise of standards and the maturity of application-ready toolkits and protocols, now the application teams themselves and the business groups they aim to please are thinking about these things as features they would like to have for any application, not just stuff with identified, immediate needs. My experience is that when the applications want it, that’s when the market is real. That time may have finally come.
Another cool thing for me was meeting some of our partners face to face. Especially cool was getting a new visual aid from our friends at NagraID Security. I’ve been pushing the idea of multi-function multi-factor devices for a long time. Now I have a working one to use as a visual aid in meetings. It has a smart card chip, OTP capabilities by pressing a button on the front, a picture printed on it, and two different scan spots (barcode and box). I can’t wait to break it out in my next meeting with a client. I’ve already been showing it off on the show floor.
The coolest stuff I saw on the show floor at RSA:
1. Validus had an OTP card with a biometric built in, all in the credit-card form factor (http://validustech.com/index.cfm)
2. Aveksa, hiding out in the Novell booth, had a very slick entitlement audit and role management system with a nice demo (http://www.aveksa.com/)
3. The NSA had a booth and was giving away an awesome cipher game book. My daughter and I will be hacking away at that for a while, I’m sure.
4. Not technically on the show floor, but I got a chance to sit with someone from BitArmor and they made me think encryption at rest could really be viable (http://www.bitarmor.com/)
5. ArcSight was giving away a smart car. And I thought our $5000 prize was big!