One of the most important principles to observe in information security management is the KISS principle. Users will only accept solutions that are fast, cheap and simple. Security is a “grudge purchase”. Most people aim to avoid it, or minimise the time, money or resources required. It’s not surprising. Security restricts what people can do. It makes information systems more complex. And much of the time it irritates users. As Professor Fred Piper once reminded me, if a security system isn’t a pain to use, then it’s probably not secure. That’s one reason why we don’t have perfect security, and why we tend to end up with a bunch of less-than-fully-secure solutions.
At the same time however, we need more enabling science to help us build better future security solutions. So any advance in theory or applied research is welcome, regardless of its current cost, complexity or feasibility. It’s a pleasure therefore to see that the Jericho Forum has finally published its “Identity” Commandments. These fourteen principles represent an impressive step forward in the theory and potential future practice of identity management.
The problem is that these principles will be undecipherable and irrelevant to most IT managers. This is not new. The history of identity management is littered with broken dreams, failed theories and flawed products. Role-based access, digital certificates, smart cards and single-sign-on all proved to be disappointments. I know of no identity management programme that delivered on its original vision.
After three decades of sophisticated research and development, the vast majority of organizations have yet to progress beyond simple solutions such as passwords and Secure ID cards. There’s an important learning point here for security managers who wish strengthen their identity management systems. New solutions must be as simple as possible and build on proven solutions rather than experimental ideas.
It’s important also to think beyond traditional approaches. If that appears to contract the previous point, then ask yourself why GSM phones and satellite set-top boxes manage to deter fraud without the need for any passwords. The answer is that they exploit device authentication mechanisms. This is an example of a simple solution that most CISOs tend to overlook, despite the fact that virtually all professional laptops and servers now come equipped with unique authentication codes embedded in tamper-proof chips.
We might not be able to predict with certainty what the next big thing in security will be, but one thing we can be sure about is that it will be something that’s simple, cheap and fast.