
Five Reasons Not To Invest in Internet / Web-based Identity Management?

July 13th, 2007 by Administrator

This post deals with a real issue in the Identity and Access Management (IAM) space: it describes the concept of Identity Management and asks whether investing in it pays off. The main question under discussion is whether it is worth investing in Identity Management or not. To find out, let’s scrutinize the notion of IdM, the present-day weaknesses of Internet Identity, and the benefits and perspectives of IdM.


The Notion of Identity Management

Digital Identity Management (or simply Identity Management, IdM) is focused on maintaining the asserted characteristics of a user, which are created, used, and eventually deleted in an Identity system. Identity Management serves two main purposes: inventory and access control. For example, shipping companies store Identity records about packages so that their clients can track packages en route to their final destinations. Access control is crucial for permitting only a certain group of individuals to enter a building, for allowing access to digital resources only to a set of specified users, and so on.

Two broad issues exist today in connection with Identity on the Web: safety, which includes privacy and security, and convenience. Consider the following problems that exist in present Internet Identity Systems:

  1. Unreliable Subject Identification

Originally, the World Wide Web was designed without any reliable means of knowing exactly who or what you are connecting to. This weakness has been exploited by attackers in a plethora of ways.

IP spoofing occurs when an attacker is able to send data to a remote machine as if it came from another, trusted machine. The attacker does this by modifying the data in a TCP/IP transmission and the source IP address in the IP header, so that the packet appears to come from another source and the recipient does not suspect that it was sent from a malicious one.

E-mail forgery occurs when an e-mail is sent to a recipient and appears to have come from an e-mail address that the sender was not authorized to use. Because the SMTP protocol does not require any verification of the source e-mail address, forging the sender of an e-mail is quite easy. It is the same as changing the return address on a postal mailing. Moreover, without a reliable way of determining who an incoming e-mail is from, there is no effective way to block unwanted spam.

Phishing is a technique used to illegally obtain sensitive information, such as bank account details and credit card numbers, by assuming the Identity of a trusted party. In a common phishing attack, a user receives what appears to be official correspondence from his or her bank, PayPal, or another trusted online service. The user is then usually directed to a Web site that may look identical to that of the trusted online service, and asked to submit his or her sensitive data.

Sensitive information can easily leak to the attackers behind fraudulent online transactions, because it is impossible to identify remote parties with the required level of certainty.

  2. Inconsistent User Experience

The simplest registration system requires that the user select a username and password. Very often users are directed through a multi-stage process in which they must verify their e-mail address by means of a special message sent to their mailbox. Online services often use devices called CAPTCHAs (“completely automated public Turing test to tell computers and humans apart”) to prevent non-humans from creating accounts. However, the tasks CAPTCHAs require of users can be inconvenient and difficult to figure out. Moreover, the extent to which an Internet user can manage his or her account with an online service varies a great deal. Some online services provide quite easy ways for users to regain access to an account when they have forgotten the password; however, many online services provide no easily accessible way to reset account passwords or even to delete accounts altogether.

  3. Account Management

Presently, an Internet user must often create a separate account at each online service he or she wishes to use. Each account typically requires that a password be set in order to prevent unauthorized access. Maintaining separate accounts creates several problems.

Users do not usually create strong passwords. Published research and our own experience show that users typically choose insecure passwords that are often based on words (known as “dictionary passwords”) and are quite easy to guess. Users are reluctant to change their passwords and regularly reuse the same password across different accounts. These practices leave users’ accounts vulnerable to unauthorized access.

Internet users can’t easily keep track of their accounts. For any user, it is quite difficult to see which accounts have been created with which online services. A user who has forgotten about an account created years earlier at service xyz may simply create another one.
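The two password habits described above, dictionary-based passwords and reuse across services, can be checked mechanically as part of a password policy or a personal account audit. The following is an added example, not code from the original post or from Links Business Group; the word list, the substitution table and the sample accounts are all constructed for illustration.

```python
"""Added example: flag dictionary-based passwords and passwords reused
across services.  The word list and sample accounts are constructed."""
import re
from collections import defaultdict

# Constructed miniature dictionary; a real check would load a large word list.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein", "qwerty"}

# Substitutions users commonly apply to a dictionary word ("p@ssw0rd").
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "5": "s", "$": "s"})

# Digits and punctuation people append or prepend ("summer07", "dragon!").
EDGE_NOISE = re.compile(r"^[\d!?.#*_-]+|[\d!?.#*_-]+$")


def normalize(password: str) -> str:
    """Undo the usual mutations so 'P@ssw0rd2007!' compares as 'password'."""
    p = EDGE_NOISE.sub("", password.lower())
    return p.translate(LEET_MAP)


def is_dictionary_password(password: str, dictionary=DICTIONARY) -> bool:
    """True when the password is a dictionary word or a trivial variant of one."""
    return normalize(password) in dictionary


def find_reused_passwords(accounts):
    """accounts: iterable of (service, username, password) tuples.
    Returns {password: [services]} for each password used at more than one service."""
    by_password = defaultdict(list)
    for service, _user, password in accounts:
        by_password[password].append(service)
    return {pw: svcs for pw, svcs in by_password.items() if len(svcs) > 1}


def audit(accounts):
    """Return a list of human-readable findings for the given accounts."""
    findings = []
    for service, user, password in accounts:
        if is_dictionary_password(password):
            findings.append(f"{service}/{user}: dictionary-based password")
    for _pw, services in find_reused_passwords(accounts).items():
        findings.append(f"password reused across {', '.join(sorted(services))}")
    return findings


if __name__ == "__main__":
    # Constructed sample: one user, four services.
    sample = [
        ("bank", "olga", "P@ssw0rd2007!"),
        ("mail", "olga", "P@ssw0rd2007!"),
        ("forum", "olga", "Summer07"),
        ("vpn", "olga", "xK9#vq2Lp"),
    ]
    for line in audit(sample):
        print(line)
```

The normalization step matters more than the word list: without it, `P@ssw0rd2007!` would pass a naive dictionary check even though it is a trivial variant of the most common password of all. In production the same logic belongs in the registration and password-change paths, so the weak choice is rejected before it is stored.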

  4. Security Weaknesses

Online Identity Management systems share weaknesses inherent in all computer systems. Any data a machine holds can be compromised by viruses, trojan horses, spyware, and the like. Attackers can install monitoring software to log users’ keystrokes. Operating system security holes can leave computers open to attack.

  5. Propagation of Sensitive Information

Identity Management is often tasked with limiting the amount of sensitive information being distributed over the Internet. A user has little control over his or her personal information once it is in the hands of an online service. Information sharing is not minimized: online services usually ask users for information that is completely irrelevant to their direct needs. Moreover, some online services, banking services in particular, use social security numbers, which were originally issued by the government so that social security account holders could access their own accounts. Extraneous information is often supplied to online services in cases where only basic information is needed. For instance, if an online service must verify your age, it does not need to see your birthday.

Sensitive information is shared without users’ consent. In many cases online services give no reason why personal information is being collected from Internet users. In addition, because the online service’s data handling practices are hidden from users, sensitive data can be sold for profit without users’ knowledge.

Account de-provisioning doesn’t occur in a timely manner. An employee who has changed jobs may be surprised to find that he or she still has access to the previous company’s sensitive information if that access was not disabled in time.
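The de-provisioning gap just described is usually found by reconciling an authoritative source (the HR system) against each application’s account inventory and flagging enabled accounts whose owner has left. The block below is an added example and not code from the original post; the HR feed, the account inventory, the dates and the 24-hour grace period are all constructed assumptions.

```python
"""Added example: reconcile a constructed HR leaver feed with a constructed
application account list to find access that should already be disabled."""
from datetime import datetime, timedelta

GRACE_PERIOD = timedelta(hours=24)  # assumed policy: disable within one day of departure

# Constructed HR feed: employee id -> termination timestamp (None = still employed).
HR_RECORDS = {
    "e100": None,
    "e101": datetime(2007, 7, 1, 17, 0),
    "e102": datetime(2007, 7, 13, 9, 0),
}

# Constructed account inventory from one application: account -> (employee id, enabled).
APP_ACCOUNTS = {
    "jdoe": ("e100", True),     # current employee
    "asmith": ("e101", True),   # left twelve days ago, still enabled
    "bwong": ("e102", True),    # left a few hours ago, inside the grace period
    "ctran": ("e999", True),    # no HR record at all: orphan account
    "dlee": ("e101", False),    # correctly disabled
}


def find_deprovisioning_gaps(hr_records, app_accounts, now, grace=GRACE_PERIOD):
    """Classify enabled accounts as 'overdue' (owner left longer than the grace
    period ago), 'pending' (owner left recently) or 'orphan' (no HR record)."""
    overdue, pending, orphan = [], [], []
    for account, (emp_id, enabled) in sorted(app_accounts.items()):
        if not enabled:
            continue  # already disabled; nothing to do
        if emp_id not in hr_records:
            orphan.append(account)
            continue
        left = hr_records[emp_id]
        if left is None:
            continue  # active employee
        if now - left > grace:
            overdue.append(account)
        else:
            pending.append(account)
    return {"overdue": overdue, "pending": pending, "orphan": orphan}


if __name__ == "__main__":
    # Constructed "current time" for the run.
    report = find_deprovisioning_gaps(HR_RECORDS, APP_ACCOUNTS, datetime(2007, 7, 13, 12, 0))
    for kind, accounts in report.items():
        print(f"{kind}: {accounts}")
```

Orphan accounts deserve the same attention as overdue ones: an account with no owner in the authoritative source is exactly the kind of leftover that a departed employee, or anyone who learned the credentials, can keep using unnoticed. Running this reconciliation on a schedule, per application, is the control that closes the gap the paragraph describes.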

On the one hand, you might think that these five weaknesses of IdM would stop you from dealing with it and investing in it. On the other hand, just consider what you would do if you did not have an IdM environment implemented at your company. It is true that a good Identity Management scheme can solve all the problems mentioned above by using the latest techniques and expertise, or by applying password synchronization or single sign-on.

Identity Management Major Perspectives

  1. The pure Identity paradigm: creation, management, and deletion of identities with no regard to access or entitlements.
  2. The user access (log-on) paradigm: a smart card and the data it contains that a customer uses to log on to one or more services.
  3. The service paradigm: a system delivering personalized, online, on-demand, multimedia, presence-based service to users and their devices.

A great number of potential solutions have been proposed in the past decade to provide decentralized Identity Management on the Internet. These solutions will hopefully remedy the problems of the present, third-party-controlled Identity Management landscape. Possible solutions include more robust federated ID systems operating according to versions of the open WS-* architecture, and simpler URL-based Identity Management systems that may prove most useful for basic authentication purposes. With increasing support for WS-* among leading software companies, it is very likely that if any Digital Identity framework is successfully introduced on the Internet, it will be this one.

InfoCard, which allows Internet users to manage Identity claims centrally, is at the forefront of the new Digital Identity revolution. In theory, the WS-*-based InfoCard system should solve many of the Internet’s existing Identity Management issues and will provide a means for online services to establish business relationships based on trust, which in turn will enable federated Identity. The success of any new Identity Management solution will be decided by how willing Internet users and organizations are to invest in the new technology.

Considered in the long term, Web and Internet-centric (not to be confused with classic enterprise IAM solutions, which are discussed in our other materials) Identity Management solutions have many strategic benefits. They standardize user administration and make a significant contribution to improving the data quality of user and authorization data through automation and data synchronization. Cross-platform reporting capabilities supply information that would otherwise not be available or could only be accessed with great difficulty.

Overall, if you ask me if it is worth investing in IdM, I would definitely say “yes”. Long-term implementation of IdM will smooth its possible drawbacks, and IdM will definitely be to your advantage.

Looking for more information on Identity Management systems and their advantages? Contact us today to schedule a consultation.

Until next time, all the best, and Identity Management success.
-Olga


©2003-2007 Links Business Group LLC. All rights reserved.
