RSA 2011: Identity paramount to securing cyberspace, says Microsoft

Identity is the most important element to securing cyberspace, says Ariel Gordon, principal group program manager at the identity and security division of Microsoft.

Identity is the most important element in securing cyberspace, says Ariel Gordon, principal group program manager at the identity and security division of Microsoft.

"Securing cyberspace will need work on a huge number of things, but identity is the most critical," Ariel Gordon told delegates at the RSA 2011 conference in San Francisco.

Better ways of dealing with identity would probably cut risk on the internet by up to 90%, said Peter Tippet, vice-president of technology and innovation at Verizon Business.

"Of all the problems of using the internet, the problem of trusted identity would be the most useful one to fix," he said.

Privacy is another important concern, but according to Peter Tippett, stronger identity will lead to stronger privacy if it is done correctly.

But technology alone will not solve the problem, said Gordon. There is a need for internationally recognised trust frameworks, such as the US National Strategy for Trusted Identity in Cyberspace (NSTIC).

Trust frameworks allow people who want to opt-in to use the same rules and tools to allow for interoperability, said Don Thibeau, chairman of the Open ID Exchange (OIX), which includes members such as Google and PayPal.

One way of tackling the problem of identity on the internet, is to move to a claim-based model, said Gordon.

This means internet users can authenticate only what is necessary against a recognised repository of identity information, such at the e-identity cards used in Belgium and Germany.

"A holder of one of these cards could use them to authenticate a specific claim such as they are a resident in a particular city or that they are older than 18, without disclosing any other information about them," he said.

This approach would also mean that nothing new needs to be issued, said Tippett, and all that is required is to pull together existing trusted sources to authenticate specific claims about an individual.

The biggest concern from users is that their behaviour is being tracked, so using something like the German or Belgian e-identity cards as a means of authenticating specific claims will make any framework more usable with an acceptable user experience and the necessary privacy safeguards.

Read more on IT risk management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.