Global Identity Foundation issues security industry call to arms

The Global Identity Foundation issues a call to arms to the security industry, blaming most 2014 breaches on a "broken identity" model

2014 was a bad year for information security, with the annual cost of cyber crime to the global economy estimated at around $445bn, according to Paul Simmonds, chief executive of The Global Identity Foundation.

This failure is linked to the continued lack of a global digital identity, he told the European Information Security Summit 2015 in London.

“We do not architect for de-perimeterisation, we have an obsession with control, we lack an identity that can be used across all entities,” said Simmonds.

The security industry should be ashamed of itself that the only way internet-based communications can be used securely is within little silos of control.

For example, Simmonds said Skype can be used securely only within a company using something like Silent Circle encryption services, but there is no interoperability outside that private locus of control.

“This is how we operate: locus of control is required to make our security systems work,” he said.


Identity beyond the perimeter

According to Simmonds, the concept of identity and access management is also inherently flawed because it cannot be separated, does not have a built-in risk component, and is “horribly binary”.

For example, he said, Microsoft Active Directory only works well when everything in an organisation can be included in a single locus of control.

“However, it does not work well in a de-perimeterised environment, but that is exactly what the business needs on a daily basis,” he said.

In April 2006, the Jericho Forum – on which the work of the Global Identify Foundation is based – published a set of commandments, a set of principles developed for working in a de-perimeterised world.

These principles dictate that authentication, authorisation and accountability must interoperate and exchange outside a single locus of control.

“The problem is that, while relatively few users of Active Directory can use the SAML authentication standard to log on to another system using Active directory, even fewer can accept SAML from someone else,” said Simmonds.

“There is the core of the industry’s problem. Typically, it is about a 10:1 ratio between those who can give out SAML from their Active Directory and those who can accept if from someone else, and while it is asymmetric like this, it is not going to work.” 

Simmonds believes the key lies in separating company identity from access management, so that access management systems can accept identities from other systems.

“This would mean that we could accept the existing identities of auditors and other temporary workers, without having to create new accounts for them on our company systems,” he said.

This will enable companies like Boeing to avoid situations where they have 300,000 registered on their identity and access management system, but only 100,000 are Boeing staff.

This creates an excessive number of identities, and that can be extremely challenging for many companies to manage properly, said Simmonds.

Credentials and context

Another key indicator of failure with regard to digital identity, he said, is the fact that the average internet user has 6.5 passwords to maintain 25 web accounts – meaning each password is shared across 3.9 websites.

“As things stand, it is really difficult for users to be secure, with some websites not even allowing non alpha-numeric characters to be used in passwords,” said Simmonds.

He believes identity is a mix of privacy, trust, security, anonymity, risk and particularly context.

Simmonds ascribes many of the recent data breaches to a lack of understanding of the context in which an identity credential is being used.

“Privacy and anonymity go together and, if you get those right, then the context is yours to add to it. Together they can be used to derive trust, and from trust you can make good risk decisions – and from good risk decisions you get security.”

Another failing of the security industry, said Simmonds, is that security professionals tend to get “bogged down” by thinking about identity in terms of people.

“Identity is actually about much more than people; it is about the devices they use, it is about the organisations they are involved with, it is about the code they use on those devices, and it is about the agents that act in their lives,” he said.

Despite the fact that there are five entity types, the information security industry has concentrated almost exclusively on just one.

“It is this obsession with just people that is among the things that are stopping us from moving into this brave new world of context and risk,” said Simmonds.

Entitling personas

But within the narrow focus of people, he points out there is a need to introduce into the digital world the concept of persona, which is in common usage in the physical world.

“You may not trust Paul Simmonds the information security professional to take your 11-year-old white-water kayaking, but you would trust Paul Simmonds the qualified kayak instructor to do so,” he said.

“These are two different persona that apply to the same person, and each provides a different context for making a risk decision, so we need to look at risk differently in the digital world.”

In the physical world, the persona of Paul Simmonds the kayak instructor is validated by joining the entity Paul Simmonds to the entity British Canoe Union that issues credentials only Paul Simmonds can use.

“I can then assert that I am qualified to teach white-water kayaking to satisfy the entitlement rules of any instructing facility, and there should be an equivalent in the digital world,” he said.

The Cloud Security Alliance defines “entitlement” as making a risk-based decision about access to data or systems based on a trusted identity and attributes of all the entities in the transaction chain.

“A provider of internet banking wants to know there is a high enough level of immutable linking to the person at the end of the transaction to their identity credential, they also want to know the state of the device that is being used: Is the device location coming from the trusted zone in the device chip? Is the device using a secure protocol, has the code been signed? And so on,” said Simmonds.

If an HR manager accesses a corporate HR system using a company-issued laptop connected to the corporate network, and then goes home and tries to access the same HR system using a home computer over a Wi-Fi network, the level of access should change because the context has changed, he told Computer Weekly.

The more information a service provider can get about the identity and the attributes of all the entities in that transaction chain, the better that service provider can make a risk calculation about whether to go ahead with a transaction or not.

“Using this approach, service providers can make it much more difficult for cyber criminals to satisfy entitlement requirements, and context makes risk-based decisions much easier,” said Simmonds.

Localised risk management

In this approach, the decisions around identity are taken by the entity assuming the risk, and not by the IT department.

“Currently if the Active Directory asserts an identity for a user, that is accepted by every business system connected to the corporate network instead of taking a risk decision based on more than just Active Directory,” said Simmonds. He believes businesses need more detail around user identity.

In the approach proposed by The Global Identity Foundation – a not-for-profit organisation set up to research and facilitate the development and implementation of global digital identity – attributes and identity must be signed by the authoritative source for those attributes.

“Ultimately, it is the British Canoe Union that says I am a qualified kayak instructor because they are the authoritative source in the UK,” said Simmonds.

An identity has to work online and offline, he said. “I have seen too many systems that work only online, which has limited application in emerging economies,” he said.

The internet of things (IoT) presents various security challenges but, using this approach to identity, it is easy to ensure control of a smart lightbulb, said Simmonds. For example, if there is a way to limit that smart lightbulb to members of a particular household.

“I want to be able to say only users who can assert membership of my household can operate the lightbulb rather than needing a unique app for every IP-enabled 'thing' on my smartphone,” said Simmonds.

“We need an authoritative source of attributes and better trust in the global ecosystem to enable proper control over devices and agents in the digital world and the practical use of things like e-voting.

“There is an urgent need to extent identity to all entities, and we need to be able to make better risk-based, business-led decisions about access rather than IT-led decisions.”

The Global Identity Foundation believes that solving the problems around digital identity is crucial to reversing cyber crime trends.

“We really have no choice but to find a way of making it possible,” said Simmonds.

Global identity framework

The Global Identity Foundation believes that, by taking a different approach to identity in which only authoritative sources can assert attributes, it will be possible to create a global identity system that will be truly privacy enhancing; that scales globally; and that supports all entities in a single identity eco-system that is globally accepted by all parties who need to rely on a digital identity with a known level of trust.

The foundation was set up to provide a global neutral meeting ground for all stakeholders, in the shape of a not-for-profit organisation, free of influence from sponsors or governments.

“While SAML and the Fido Alliance seek to provide answers to specific problems, the foundation seeks to establish a framework in which they all sit and which provides standard ways of doing things to enable a standard code set for identity to emerge that is an open standard, continually updated and peer-reviewed,” Simmonds told Computer Weekly.

“The acid test would be a digital identity created in the US that would be acceptable by China in the same way as China accepts the validity of a US passport.”

Simmonds issued a call to arms for all stakeholders to get involved and throw business problems at the model the Global Identity Foundation has developed to prove its validity or identify ways of improving it further.

“Everyone knows identity is horribly broken and we all have to work together in an effort to find a way of fixing it,” he said.

Read more on Privacy and data protection