
Security in Identity Management – There’s a long way to go

Security in Identity Management is this week’s hot topic in London, with a Conference at DTI tomorrow on the subject of “Ensuring privacy and consent in identity management infrastructures”, followed up by an IAAC Conference on Wednesday on “Government's Role in Identity Assurance”. Although there's a strong Government flavour to these events, they are subjects that affect all of Industry.

It’s about time too. For the past three decades we’ve all lived with leaky network perimeters, insecure platforms, poorly designed access control systems and inadequate management of access rights. Not to mention the risks presented by information brokers and organised crime infiltrating our call centres to gain access to identity information or sensitive database records. On top of that we now have a growing backlash of citizen concern about what happens to all the sensitive customer information they give up to vendors and service providers. Are these organisations applying adequate safeguards? Are they selling it off to the highest bidder?

So there’s a lot to do. Start with a few regulations requiring reporting of incidents and security standards for safeguarding sensitive citizen information. California’s SB 1386 and the PCI Security Standard are both making a big difference to the attitude of organisations. They may be painful, but they work. Then try to bridge the gap between the sophistication of the security standards community and the practical realities of actually implementing federated identity management. There is a need for a lot more guidance on best practice in action. Finally, address the human factors, including how to design systems that are less susceptible to human mistakes and social engineering. It’s a big, big field. And it requires immediate attention by Government, Industry and Academia.


Comments (2)

The Data Protection Act holds more than enough power for "safeguarding sensitive citizen information" - honestly, do the people who attend these conferences and put forward these views actually KNOW the 8 principles off by heart? It never appears to me that they do. Remember this BCS suggestion:
FISH (Fair processing)
SWIM (Specific)
ALL (Adequate)
AROUND (Accurate)
REEFS (Retention)
ROCKS and (Rights)
SUNKEN (Security)
TREASURES (Transfers)
Combine this with Kim Cameron's 7 Laws of Identity and you've got yourself a framework. Why do we keep having to look for the creation of more answers, more standards or more laws? We've enough already. People just need to learn them, adopt them and adapt them - taking appropriate responsibility for the data which is entrusted to them.
Equally, the potential of a Breach Law is all good and well, more rhetoric - but what actually ends up happening is that people are told more about how badly organisations behave, and what difference does it make? Do they change their ways (the organisations) or do customers go elsewhere? No in both cases, in the main. Honestly, when will all this self-serving madness end??!

David Lacey:

Andrea,

I agree there are some good frameworks in place. But they don't have teeth. Breaches of the Data Protection Act don't have the same impact as failure to comply with FSA regulations. You need clear, measurable and auditable standards to make organisations sit up and take notice. I believe that there's still a lot more to be done, because what we've had for the past two decades in existing Data Protection legislation has not hit the spot.


About

This page contains a single entry from the blog posted on July 8, 2007 5:10 PM.
