Day 2 (The Open Group Jericho Forum® Conference) was centered around the need for a digital identity ecosystem. There was a lively discussion on the effective management of identity at a global level. Plenary session
presentations in the morning brought together thought leaders from the Jericho Forum, where key questions were
asked, such as: Why do we care about identity? What are the drivers for an identity management ecosystem? Why
now? And, what is the role of government?
Why the Need for an Effective Digital Ecosystem for Cyberspace/Cloud/Critical Infrastructures – Why
should we care?
James Whyte, Head of IT Service Delivery, UK Foreign & Commonwealth Office
Following a brief introduction from CEO Allen Brown and Adrian Seccombe of The Open Group Jericho Forum,
James Whyte began his plenary speech by looking at his own career in IT, during which he has seen and
implemented a huge amount of change. He described change and IT as synonymous. Mr. Whyte went on to give
the audience an overview of F&C and explained the importance of the financial services sector to the economy. The
huge sums of money involved make these organizations juicy targets for attack. At F&C, Mr. Whyte has the same
concerns as other information security professionals: insider dealing, breaches, and attacks.
Mr. Whyte continued by considering the changed drivers of identity, which include increased flexibility with remote
access to systems anywhere, anytime, anyhow; reduced cost and footprint; and a shift from identity to user resource
access management. The most important driver identified by Mr. Whyte was the demand for ‘i’ devices such as
iPads and iPhones.
So can we jump into the Cloud and roll out these ‘i’ devices? Is the technology secure enough to take the risk?
Suffice it to say that, according to Mr. Whyte, F&C has not widely deployed them.
In order to meet these drivers, he explained that the role of CIO needs to change from protector to enabler, and the
CIO needs to become ambivalent about how systems are accessed, where people are accessing data from, when
people are accessing data, what device people are accessing from; and the CIO even needs to be ambivalent about
the data itself. As Mr. Whyte posited, if data is really securely encrypted, why do I care where it’s stored?
However, the CIO cannot be ambivalent about identity. Mr. Whyte suggested that limiting devices, remote systems,
and remote access as well as overburdening staff with tech (fobs, biometrics, GPS, etc.) are common ways for CIOs
to compensate for the lack of good identity management.
What do I need to achieve good identity management? According to Mr. Whyte:
- Reliable and user friendly identity authentication
- Reliable and user friendly DLP
- Reliable impact mitigation
- Users to be educated and to take responsibility
Mr. Whyte concluded that the drivers for change and de-perimeterization are huge and there has been no silver bullet
yet. He is not sure a silver bullet will ever exist, but nevertheless we need the industry to give better tools to
prevent incidents and, just as importantly, the industry must give tools to minimize the impact of incidents if they
How is the Jericho Forum® addressing them? (Identity Commandments, Identity Management, Entitlement Management, Access Management) and what to expect from the rest of the Conference
Paul Simmonds, The Open Group Jericho Forum®
Paul Simmonds kicked off his session by looking at the collaboration driver. Businesses want to communicate with
both customers and colleagues via the web. The consumerization of IT has led to a shift of power where
businesses must support certain platforms in order to satisfy the consumer. Collaboration adds business value, but
security professionals find it difficult to mitigate the risk.
Mr. Simmonds went on to pose the questions: Why identity; why now? Passwords are broken – Mr. Simmonds
noted that organizations have been trying to sell single sign-on for 30 years and he is yet to see one that works
properly. In addition, the majority of (government and private) directories will not scale, there is little, if any, trust on
the Internet outside of your locus of direct control, and spam is still rife (the ability to spoof an email address is itself a
lack of strong identity issue). Humans are not hard-wired for security. ‘Joe Public uses the same user name and
password for every site they visit and my mother does not, cannot, will not ever have a good head for security!’
Security is increased by designing for the way humans actually behave. Mr. Simmonds identified as the root of the problem the fact that current authentication systems are designed to suit computers, not humans. It is insanity,
he said, that security professionals understand that identity management gets worse as you scale it, and yet still
think that making it larger will fix it.
We need to return to first principles and look at how people use identity and how this mirrors in the digital realm,
Mr. Simmonds said. This is what The Open Group Jericho Forum has done with its Identity Commandments. Key
- Identity must be separated from access management.
- Identity is not just about people (devices).
- Federation of existing IAM systems will not scale.
- Strong identity is key to trust and collaboration on the Internet.
The Open Group Jericho Forum is a global consortium and feels strongly that solutions must work globally and
The UK Government's Aspirations for Managing Identity
The Earl of Erroll
After providing some background on himself and the various Parliamentary ICT groups in which he is active, the
Earl of Erroll opened his session by examining the balance between the citizen and the state. The citizen expects to
be protected, with the attitude ‘I have done nothing wrong, I have nothing to fear’. But what if ‘they’ get your data
mixed up? The Earl described a permanent state of dynamic tension between privacy and freedom of information.
He then moved on to discuss the illusion of security. We will never have absolute security, he said; the government
has to be able to issue fake identities (witness protection or agents in the field being two examples), so trusting the
system is impossible. Total information access allows the good guys to identify the bad guys, but there is always
the threat of ‘Big Brother’ – what would happen if the world changed? Lord Erroll explained that the impact on the
citizen is far greater if the executive misuses personal information, than if another type of organization – for
example, a supermarket – does.
The Earl looked at three measures that already exist in this space:
- NSTIC – A new US government identity management program that places the emphasis firmly on the private sector. The danger is that a large corporation could ‘grab’ it.
- The Open Group Jericho Forum®. Its Identity Commandments are a big step in the right direction but they
need to be translated into plain English to achieve real success.
The major driver, according to Lord Erroll, is the ability to do business electronically and globally. He closed with
some final thoughts, including that we are who we are, so we don’t want our identity managed by anyone else; and
the Internet can be very useful, so it is imperative that we find a way to certify attributes about ourselves so we can
do business electronically.
Following the plenary sessions, attendees had the opportunity to attend track sessions. Tracks focused on:
- EA in Government
- EA in Banking and Finance
- Trusted Technology
- Service-Oriented Architecture
- Business Architecture
The Consumerization Industry View from PayPal
Andrew Nash, Senior Director of Identity Services, PayPal
Andrew Nash introduced himself as senior director of identity services at PayPal and a board member of the OpenID and Open Identity Exchange Foundations. He continued by giving the audience an idea of what his talk
would cover: Identity, how consumers view their identity, and which engagements make sense?
The challenge is that identity professionals know identity is important. What’s needed is to communicate identity –
with a small ‘i’ – that consumers can engage with on a daily basis. At present, the enterprise and the consumer
have very different ideas about identity.
Mr. Nash then went over some of the trends he is seeing at the moment, including:
- Mobile devices, set-top boxes, etc. are creating an environment where users and devices are becoming the
- Connecting identities and linking claims are accelerating.
- Identity is moving from security to enablement, which means that traditional ID and security arms dealers
are no longer leaders.
- Consumer ID protocols – OpenID/OAuth. For example, Google is using OpenID because it saves them money when their users' email addresses are subverted.
- Privacy and user control issues are constantly in the news (FTC and privacy groups are also more active).
This prompts the question, how much control should users have and what does it look like from a privacy
He then went on to ask: What does the identity ecosystem look like today? What motivation is there for consumers
to share their details? Mr. Nash used the example of delivery of goods. There is an obvious benefit to the consumer
in sharing their address, so it is likely that they will provide accurate information.
Mr. Nash used PayPal as a further example to support his argument. Registration on the site is just a couple of
questions. A customer is then added to a loop where they are asked for more information slowly, over time.
Together, eBay and PayPal look after 800 million consumer identities, so they know how to attract new customers. They care most about fresh meat, so they make it easy to sign up by keeping down the level of engagement
necessary to allow the consumer to do something useful.
He concluded by reiterating the difference in opinion between the consumer and the enterprise on the subject of
The Jericho Forum® Identity Commandments – a deeper dive into how they advance the Identity
The Open Group Jericho Forum members Adrian Seccombe and Steve Whitlock
Steve Whitlock started off the session on The Open Group Jericho Forum Identity Commandments with a high-level
introduction to identity using The Open Group as an example. He discussed the various pieces of information
you need to create an account on the website (in order to register for the Conference) and then compared this with
collecting your badge on the day, where all you needed was your name.
He then returned to the topic touched on earlier in the day, that humans are not naturally good at security. Security
questions, even if you don’t lie, can be hard to remember the answers to, and users don’t generally do well with
Mr. Whitlock finished his part of the talk with an overview of the history of digital identities. It’s expensive to create
and manage identities, so the first organizations in the space were governments, then large corporations, then third
parties. Over time, as large companies and governments started doing electronic business, standards had to be
produced. Further change came as individuals started doing things like online banking or using PayPal, and creating
digital identities not tied to any company. This was consolidated by the growth in social media that has led people to
create an additional identity. Mr. Whitlock referred to his wife, who put down January 1st for every question when
she registered for Facebook and now gets birthday cards on the wrong date each year.
The floor was then given to Adrian Seccombe, who explained the key shift in the Identity Commandments: the separation of identity and access management. He added that the Jericho Forum had also recognized the importance of challenging what was meant by identity. The Forum is focused on direction and the future, not on ‘how’ today. Mr. Seccombe said that it works on the edge of what’s possible and doesn’t expect to achieve instant
answers today. One of the key ‘hows’ the Jericho Forum is considering at the moment is how to give users control
in a way that is natural and matches their normal behaviours.
Mr. Seccombe highlighted entitlement management as an important step. A resource owner must define entitlement
(resource access rules), and access decisions must be relevant, valid, and bi-directional. He laid out the principles for
resource access rules: entitlement rules should be simple and minimal, so that the attributes requested are kept to a
minimum and attributes belonging to different personas are not over-exposed. By granting access based on a claim
derived from an attribute (for example, proof that someone is over 18) there is no need for the actual information (date of birth in
this instance) to be shared.
He laid out the steps needed to achieve this:
- Step One: Inventory information assets
- Step Two: Classify information asset sensitivity
- Step Three: Define resource access rules: claims based, do not simply populate an access control list
(ACLs will not scale in the cloud)
- Step Four: Define claim (for example over 18) and define attributes required (date of birth)
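The steps above and the over-18 example, worked through in code. This is an added example, not Jericho Forum material: it models an identity provider that holds the sensitive attribute (date of birth), a resource owner whose access rule is written in terms of claims rather than a list of users, and a relying party that decides on a signed claim without ever receiving the attribute. The HMAC shared key, the token format, the rule format and the sample users are all assumptions made for illustration.

```python
"""Claims-based resource access vs. an ACL, with attribute minimisation.

Added example (not Jericho Forum material). Three roles are modelled in one
file: an identity provider (IdP) holding the sensitive attributes, a resource
owner who writes an access rule in terms of claims, and the access decision
that consumes signed claims without ever seeing the underlying attribute.
"""
import hashlib
import hmac
import json
from datetime import date

# Constructed sample identity store held by the IdP (steps one and two: the
# date of birth is the sensitive asset; nothing below copies it out).
IDP_ATTRIBUTES = {
    "alice": {"date_of_birth": "1990-05-01", "email": "alice@example.com"},
    "bob":   {"date_of_birth": "2010-09-15", "email": "bob@example.com"},
    "carol": {"date_of_birth": "1985-01-20", "email": "carol@example.com"},
}
TODAY = date(2011, 5, 10)                  # fixed so the example is reproducible
IDP_KEY = b"hypothetical-idp-signing-key"  # assumption: shared out of band


def age_on(dob_iso: str, today: date) -> int:
    """Whole years between an ISO date of birth and `today`."""
    dob = date.fromisoformat(dob_iso)
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


# Step four: each claim names the attribute it is derived from, but only the
# derived boolean ever leaves the IdP.
CLAIM_DERIVATIONS = {
    "over_18": lambda attrs: age_on(attrs["date_of_birth"], TODAY) >= 18,
}


def issue_claim(subject: str, claim: str) -> dict:
    """IdP side: derive the requested claim and sign it (HMAC-SHA256)."""
    value = CLAIM_DERIVATIONS[claim](IDP_ATTRIBUTES[subject])
    payload = {"sub": subject, "claim": claim, "value": value}
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "mac": hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()}


def verify_claim(token: dict) -> bool:
    """Relying-party side: reject any token whose payload was altered in transit."""
    body = json.dumps(token["payload"], sort_keys=True).encode()
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["mac"])


# Step three, as the text recommends: the resource owner states which claims a
# requester must present, not who is allowed.
ACCESS_RULES = {
    "/adult-content": {"required_claims": {"over_18": True}},
}


def decide_by_claims(resource: str, tokens: list) -> bool:
    """Grant only if every required claim is presented, verified and true."""
    presented = {}
    for token in tokens:
        if not verify_claim(token):
            return False  # a forged or tampered claim fails closed
        presented[token["payload"]["claim"]] = token["payload"]["value"]
    required = ACCESS_RULES[resource]["required_claims"]
    return all(presented.get(name) == value for name, value in required.items())


# The alternative the text warns against: an ACL keyed on the person. Every
# new user (carol) needs a manual entry, and the rule expresses no intent.
ACL = {"/adult-content": {"alice"}}


def decide_by_acl(resource: str, subject: str) -> bool:
    return subject in ACL[resource]


if __name__ == "__main__":
    for who in IDP_ATTRIBUTES:
        token = issue_claim(who, "over_18")
        print(who, "claims:", decide_by_claims("/adult-content", [token]),
              "acl:", decide_by_acl("/adult-content", who))
```

Running the block shows the contrast the talk draws: carol, who was never enrolled in the ACL, is admitted under the claims rule because she can prove the one fact the resource owner actually cares about, and bob is refused without the site ever learning his date of birth. The HMAC stands in for whatever signature scheme the identity provider and relying party have actually agreed on; the point is that the relying party verifies the claim's origin and checks only the claim, never the attribute behind it.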
Mr. Whitlock drew the session to a close by reflecting that attributes are the most sensitive part of identities.
Richard Veryard, Director, Next Practice Research Initiative, UK
Organizational intelligence is not just technology. With this statement, Richard Veryard kicked off his session, part of
the EA as a Business Discipline track. Instead, it is simultaneously a question of how the organization is configured
and how the technology is configured to support the organization.
He went on to supply a definition: organizational intelligence is a critical measure of the management capacity of
an organization in a demanding competitive environment. It depends on many things including:
- Appropriate organization structure and culture
- Appropriate management practices
- Good use of appropriate technologies
- Coordinated action and innovation
The success of a technology depends on how it is used. Mr. Veryard illustrated this by looking at knowledge management – an area where lots of implementations fail because they are not synchronized with the corporate
Enterprise architecture is about people, business, and technology. This includes management practices, organization structures, platform architectures, knowledge base, and technology adoption and use. Mr. Veryard then
discussed two trends:
- Trend 1: Organizations are looking for new ways to operate (edge-driven organizations).
- Trend 2: There is a plethora of technologies aimed at making the enterprise smarter; for example, real-time
business intelligence, social networking, network-centric systems.
Organizations need to implement both trends together.
Mr. Veryard compared the attributes of a stupid organization with an intelligent one. Stupid organizations ignore the
environment around them, cannot discriminate between the important and the trivial, respond incoherently to crisis,
and fail to learn from mistakes. Stupid organizations may contain very clever people (but who don’t talk to each
other) and very sophisticated technology (but poorly wired together). Intelligent organizations, on the other hand,
detect and interpret weak signals of significance, mobilize coherent response to complex opportunity, take a rational
approach to risk and uncertainty, and encourage high-quality decision-making throughout the organization, collective
learning, and innovation.
All these capabilities are both technical and social and must be looked at together to achieve organizational intelligence.
Enron and the myth of talent: Mr. Veryard explained that the culture of Enron was to hire talented people and tell
them to think of clever things to do with the money they were given. There were critical loops missing from this
process and critical blind spots in the way Enron was managed. The business managed to lose vast sums of
money without even knowing it was happening. How, he asked, can an organization be so stupid?
In comparison, Mr. Veryard referenced an incident that happened at Microsoft in 1995. Bill Gates sent a memo to
the whole of Microsoft about the importance of the Internet. This was a key moment in the history of the software
industry. He had gradually revised his view of its importance upwards: “Now I assign the Internet the highest level of importance”. This is an example of a gradual shift in opinion leading to a pivotal shift in direction, and the memo to
the whole company is evidence of collective responsibility.
As the amount of data increases (Mr. Veryard used a retail example, looking at customer data, store data, and
product data), the system only works if there’s enough coordination and integration across the organization to allow
it to function intelligently as a whole. Mr. Veryard wrapped up by focusing on enterprise architecture strategy and
looking at the two contrasting agendas. We are moving from simplify and unify to differentiate and integrate.
Jericho Forum® Panel Session
Moderator: Stuart Okin, CEO, Comsec Consulting
Panelists included John Arnold, Guy Bunker, Andrew Yeomans, Steve Whitlock
This session was an informal discussion of the topics covered by the security track/Jericho Forum® Conference
throughout the day. Moderator Stuart Okin started out with some introductions. Participants included a selection of
The Open Group and Jericho Forum members – for example, Thomson Reuters, Barclays, Boeing, Capgemini,
Nokia and NASA – as well as some members of the press.
To begin with, there was a focus on why there is currently a need for the Identity Commandments and why identity
is such a big issue now. Today’s identity systems are built by single enterprises exclusively to meet their own
needs. Companies are trying to do it in what they believe is the cheapest way possible: user name and password.
The discussion then moved on to password failure and password fatigue. The biggest problem, panellists said, is
that they’re shared so information leaks out and they are also restricted to only 26 characters (or six on a
mainframe). Returning to a popular topic of the day, it was remarked that the qualities that make passwords strong
are the same ones that make them difficult for humans to use. It is incredibly difficult to educate users to choose
something strong and memorable.
The push to a new identity management ecosystem is likely to come from consumers. The Zeus Trojan attacking
banks is an example of an issue that will encourage consumers to pressure their banks to find a new way. Identity
must be linked to the core ID of the person but single factors are just too weak. Proliferation of the user ID is the
issue. The key shift is from the enterprise-centric ‘We’ll cause you to have an identity’ to the user-centric model. At
this point, Mr. Seccombe stressed that he is not opposed to an authenticator; he is opposed to a plethora of
The discussion concluded with an examination of the practical steps needed to achieve a new identity management
- Cultural change within organizations
- A standardized way to move forward
- Intelligent devices that can identify you by sight and sound