Identity (Management) Crisis (Part 5): The Future of Identity Management – Identity in the Cloud

By /

If you would like to read the other parts in this article series please go to:

Introduction

In Parts 1 through 4 of this series, we took a look at the evolution of the concept of “identity,” misconceptions about identity in the IT world, and some current identity management solutions, with a focus on digital signatures. We also looked at the criteria for choosing a comprehensive identity management solution for an organization or a federated identity management solution. In this, part 5, we’ll discuss the future of identity management with a special focus on the effect of the cloud on IDM.

Official online IDs

Way back in part 1, we discussed the problem of credibility when it comes to identification credentials. Unless the party that issues the credentials is trust-worthy, those credentials are meaningless. Today online identity is verified primarily by certificates that are issued by private sector commercial organizations such as VeriSign, Comodo, and many others. But who watches the watchers? New providers of SSL certificates for web sites must undergo annual security audits, such as those performed according to the WebTrust program for certification authorities. The market for personal digital certificates is much more fragmented.

The mere existence of a digital certificate doesn’t guarantee that identity credentials are valid. Some certificates are self-signed, which means the person who issued the certificate also vouches for its legitimacy – obviously there aren’t a lot of checks and balances in that system. On the other hand, self-signing certificates does decrease the attack surface because you aren’t trusting your private key to a third party (certification authority). Self-signed certificates can be created with various software tools, including Microsoft’s makecert.exe, Adobe Reader, Apple’s Keychain and others.

In the offline world, the most credence is generally given to IDs that are issued by the government. Thus some see a government-issued online ID as the most trustworthy means of verifying online identity, and last year the White House issued a report outlining its strategy for bringing about a system of trusted identities in cyberspace. There are many practical and political issues regarding the creation of what would effectively be a digital national ID card. However, it seems the government is moving inexorably in that direction.

It is likely that such a system would be voluntary – at first. History indicates that this would eventually change. In the 1800s, drivers were not required to have licenses. In the 1970s, children were not required to have social security numbers. Today both are mandated by the government.

But there is some question as to exactly how a government online ID system would work. Would it be tied to your driver’s license or state identification card? But the federal government doesn’t issue those documents (although with the Real ID Act, they have taken more authority over the process and set standards that the states will be required to meet by 2013). Would it be tied to your passport, then? But what about those folks who don’t have passports? According to statistics as of January last year, fewer than 40% of Americans have passports. Would it be tied to your social security number? This is probably the unique identifying number that the largest number of Americans have.

Although the social security number was originally designed only for the purpose of tracking individuals’ accounts within the Social Security program and the cards were even marked “For social security purposes – Not for identification,” the armed forces have used it in place of service numbers since the 60s (Army and Air Force) and 70s (Navy and Marines). The number is now used by some states in place of a separate driver’s license number. Banks, creditors and service companies (such as cable, phone and power companies) require customers to provide their social security numbers. The social security number is used by credit bureaus, insurance companies, law enforcement agencies and just about every other entity to identity individuals.

These questions are important because, if the online ID is a “standalone” form of identification, it will be much more difficult to ensure that one individual doesn’t obtain multiple online IDs, or a fraudulent online ID that is associated with someone else or with a pseudonym. That would negate the purpose for which official IDs are designed.

If and when the myriad of issues surrounding how to issue official online IDs is solved, the next question becomes how, technologically, they will be implemented. Would a government-run certification authority validate each person’s identity and issue digital certificates based on public/private key pairs? Would it be illegal to use any but your official government-issued certificate to sign documents, send email or do business online? Would it become illegal to send messages, access web sites or engage in online commerce without a certificate? The nature of government is to keep expanding its authority, so even though these scenarios might seem far-fetched now, it’s not unreasonable to assume that one day they might all reflect reality.

The battle for the identity space

Despite government’s proclivity for power, the cogs in a massive bureaucracy turn slowly, so we probably won’t see an all-pervasive mandatory government-issued online ID (or perhaps any kind of government-issued online ID) for a long time. Meanwhile, technology companies have been vying for years to become the top identity providers, and they are constantly increasing the reach of their own identity systems by implementing single sign-on across various sites and services.

Microsoft regularly reinvents its service, which was originally called Microsoft Wallet, then became Passport and now goes by the name of Windows Live ID. The company envisioned Passport as a service that would eventually encompass all e-commerce sites as well as Microsoft’s own web sites, but it was criticized by those who feared its access to customer information would create privacy issues. At one time a number of non-Microsoft sites, such as eBay, used Microsoft’s Passport service for logon, but now it’s used for logging into Microsoft sites and services such as MSDN/TechNet, Hotmail, Xbox Live, Zune Marketplace, Messenger and other Windows Live services.

Meanwhile, Google has gotten into the identity game to an extent, linking logon across their many web services. Your Google account is used to log onto Gmail, Google Voice, YouTube, Picasa, Google Docs, the Google Wallet mobile payment system, the Google+ social network and others. The company has come under fire for its recent policy changes that now allow it to track users across its multiple products and services and combine user information from the different services. The European Commission has proposed new rules aimed at giving users the ability to opt out of such tracking.

Facebook, with its “Connect” feature, has also turned itself into an identity provider. This feature allows users to log into other web sites outside of Facebook, using their Facebook accounts.

One problem with all of these is that many individuals maintain more than one Windows Live or Gmail account, because they need multiple email addresses for different purposes (such as home, work and “throwaway” – an address to enter in web sites that require one but that may sell the addresses to spammers). In the case of Windows Live, I set up multiple accounts because I wanted two separate blogs on the Windows Live blog site (although Microsoft has since abandoned that effort and users have moved our blogs to WordPress). Even with Facebook, whose Terms of Service require users to have only one account and to use their real names, many people violate that rule and have separate accounts for work and play.

The other problem is that with each tech company having a separate identity service for its own (and some select other) sites and services, no one has “one online identity to rule them all.” While this may be good from a privacy point of view, it results in an easier time for terrorists, run-of-the-mill cybercriminals, spammers/scammers, stalkers and others who want to hide their identities and/or impersonate someone else online.

The mobile revolution and identity

The use of mobile devices in general and smart phones in particular has exploded in the last several years. According to research firm Canalys, 488 million smartphones shipped in 2011 – more than the number of PCs and tablets (around 415 million). Their figures show this as a 62.7 percent increase over the previous year. The sales of smartphones in 2011 are expected to grow by another 32% in 2012, according to HIS Suppli analysts. Even Intel is getting into the act, teaming up with Lenovo and Motorola to create a phone based on the Atom processor.

According to research from Kantar Worldpanel ComTech, almost half the population of the U.K. now owns smartphones. Last summer, Pew researchers estimated that 35 percent of American adults own smartphones. This came out to about 42 percent of all cell phone owners.

With smartphones in the hands of so many people, and that number growing so fast, it’s logical to consider the possibility of tying users’ identities to their mobile devices. Whereas landline numbers were typically shared by entire families, mobile phones tend to be more personal, with each family member having his/her own phone number. And with number portability across carriers, mobile phone users tend to keep the same number even if they change devices or providers.

Further, the mobile phone has become an item that most owners carry with them everywhere they go, like their keys or wallets. In fact, it’s predicted that eventually the mobile phone will replace both of those. With Near Field Communications (NFC) technology, which is already being built into the newest smartphones, one can make a payment by simply holding the phone near a terminal device to make the credit card transaction. No physical card is necessary. NFC could also be used for electronic identity documents (in place of drivers’ licenses or ID cards) and can be used as electronic keycards to open doors or even, with the proper technology built into vehicles, to start cars.

The use of smartphones to provide proof of identity would present some problems that would have to be solved. Obviously there must be security mechanisms in place to prevent criminals from using stolen phones to steal identities and impersonate the phones’ owners. Credentials would need strong encryption and phone logon would need to be protected by strong passwords/PINs or (preferably) two factor authentication (such as fingerprint scans).

Identity in the cloud

The move “to the cloud” – for everyone from home computer users to enterprises – brings new challenges for identity management. It also brings a new need for and focus on better online identification solutions. In the past, network security was based on security boundaries, with everything within the local network’s perimeters being defined as trusted and everything outside of those perimeters considered untrusted. Firewalls at the network “edge” were the designated sentinels that protected those users and resources on the inside from those on the outside. With cloud computing, the edge is disappearing – or at least it’s becoming extendable and elastic. The problems associated with Identity in the cloud are complex, so much so that there are working groups and conferences dedicated just to this topic.

The two technologies that are set to shape the future of computing are the cloud and mobile computing, and these two naturally converge as users increasingly access cloud services through mobile devices. Companies utilizing cloud services will need to establish root trust credentials with the cloud service. Organizations will still want to have control over their security policies, and need to be able to associate them with the cloud enabled processes so that identities and authentications are preserved when they correlate cloud transactions across infrastructure boundaries. They require endpoint security for user authentication as well as endpoint transaction security from mobile services.

Cloud identity solutions are being worked on by both hardware and software companies; an example is Intel’s Expressway Cloud Access 360. Any such solution needs to be compatible with existing Federated standards (SAML, OAuth, Open ID) and enable client-to-cloud single sign-on from mobile devices and PCs connected to both home and corporate networks. Monitoring, auditing and policy enforcement are important considerations.

Microsoft’s Windows Identity Foundation (WIF) is an SDK that developers can use when constructing identity-aware applications to be deployed in the cloud (as well as on-premise applications). It’s built on Active Directory Federation Services and Windows Azure Access Control Services, which supports OAuth 2.0. There is a WIF extension for SAML 2.0, as well. WIF relies on claims-based identity – that is, security tokens issued by a security token service (STS) containing a set of information about the user along with a digital signature. Claims-based identity relies on the STS to authenticate the user, rather than having the application do it.

Regardless of the particular implementation, multi-factor authentication would make management of identity in the cloud far more secure, whether the cloud is accessed from smartphones (as discussed above), from PCs/laptops, tablets, kiosks and public computers, smart TVs, entertainment consoles, or more exotic means (wearable computers, Internet-enabled kitchen appliances, etc.). That is likely to eventually lead to biometrics as a commonplace form of identification.

Summary

In this five-part series, I’ve examined the issues surrounding the concept of identity, both historically and as it applies to modern technology and an Internet-connected world. Identity is a complex topic, and the technological solutions for managing identities can be even more so. The purpose of this paper is to point out the intricacies of dealing with identity and to give the reader an overview of the solutions currently available, and what may be coming down the pike in the future.

If you would like to read the other parts in this article series please go to:

About The Author

Debra Littlejohn Shinder is a technology and security analyst and author specializing in identity, security and cybercrime, utilizing her past experience as a police officer and police academy/criminal justice instructor. She has written numerous books and articles for web and print publications and has been awarded the Microsoft MVP designation for fourteen years in a row.

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top