Online identity needs to be fixed, says Microsoft’s Kim Cameron

The state of identity technology on the internet is cause for concern, says Kim Cameron, architect of identity at Microsoft.

“We have inherited an identity infrastructure that is a hodge-podge of ad-hoc responses by people who did not understand the threats,” he told the Eema ISSE 2016 security conference in Paris.

“We have to deal with a conjunction of amateurism and increasingly sophisticated threats – not from college kids, but from PhD graduates working in criminal organisations and nation states,” he said.

But the good news, said Cameron, is that most company leaders are beginning to understand the need to improve this state of affairs to avoid legal liability and damage to company reputations.

“Legislation is also starting to be introduced, and this is a good thing because the internet has been an unsupervised playground that needs to be regulated,” he said.

The other positive development is the availability of cloud-based infrastructure that can be harnessed to take care of online identity infrastructure problems, he added.

According to Cameron, Microsoft is working to use cloud-based technologies to “democratise” the availability of affordable, high-availability identity infrastructure.

“The withering away of the enterprise domain boundary [with the advent of the internet] means identity technology must evolve from an app-to-domain federation model to an app-to-world federation model,” he said.

The loss of the domain-era single truth means is allowing people to take advantage of a variety of identity providers, said Cameron.

Microsoft is pursuing the idea of an identity “engine” that can augment claims by picking them up from specialised “claims providers” that can assemble and arbitrate claims to deliver a “claim set” that an app can act on, that can apply authorisation policies based on the claims, and that can invoke additional processes and workflows to strengthen confidence where necessary.

“Enterprises need a way for their applications to navigate a whole series of different information sources about the identity of customers, partners and even employees, but these sources will be increasingly external to the organisation, which is a complicated thing to set up and manage,” said Cameron.

There is a need for a new and different kind of technology that operates on behalf of the enterprise and manages its relationships with its customers and partners, he said.

“There is a need for a platform in the middle that is able to connect the producers and consumers of identity,” he added.

Cameron called on all enterprises to “clean up their game” and manage their relationships with their own customers in a more “professionalised way”.

“This would bring about an immense change in the quality of the internet, because the internet is essentially the relationship between individuals and organisations or other individuals,” he said, pointing out that the task of professionalising the way organisations relate to their customers is key to redefining the way the internet works.

“The world is at a stage now where the identity infrastructure must be simplified and professionalised, and I believe this is an absolutely essential new component that we have to bring to life,” said Cameron.