Online identity: Evolve or perish!
The following identity management statement comes from the Cyberspace Policy Review issued by President Obama last year:
“Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.”
I am an avid opponent of “anonymity for all” on the Web. I do not think it is in our common interest to have anonymous communication in the public sector, but I persist with this view because the very nature of our constitution provides for free and open exchange of ideas in the public forum. With this protection in place, why would we need anonymity given the extreme handicap that it places on us in processing information?
Opinions, ideas or concepts only have value based on the reputation of their advocates. Therefore, identity is important in lending credence to one’s views. Do you have the appropriate domain of expertise? Clearly, identity is an important part of our human dialogue, as it is the basis for our assessments of credibility and the degree of trust that we assign to our interactions. So, why do we forgo it on the Internet?
What should be unacceptable is the idea of an over-arching government taking control of this process. Government should not be concerned with anyone’s identity in the public forum, but the public forum should. Anyone willing to stand up in the public square does so with the knowledge that he or she will be judged based on their credentials. In fact, it is their credentials that help to make their case. Picture Charles Manson on one corner talking about morality and then imagine the Dalai Lama on another doing the same. Can you imagine a different perspective based on knowing something about who each of these people is?
Identity is important and people should require identity in order to process ideas, while recognizing that identity does not need to be absolute. We do not need to know everything about the Dalai Lama in order to weigh his thoughts on compassion. We need only know those aspects that pertain to his opus in that area. The last thing we need is a government-sponsored “matrix” of identification with respect to ideas because, per the constitution, the government is the one entity that should not care. So, how should identity be handled in the age of cloud computing?
Cloud of identities
For cloud implementations to have any meaningful contribution to the advancement of intelligence, identity has to be more than a username and authentication has to be more than a password. This includes all the extensions of that paradigm, including the outdated “n” factor authentication and certificate-based tokens. It’s time for a whole new approach that will enable the application layer to enable cloud computing.
Under the current regimen, a username is something that you make up. Given the stand-alone system-centric nature of early computers, that was adequate, I suppose. You could have left the system up and open, and anyone who walked up to it could operate it, if they knew how. So, access had to be restricted by having individual usernames. Then, to add another level of restriction to the process, they added passwords.
Note the use of the term restriction. That’s all that username/password allows for. It doesn’t identify you and it is not the equivalent of identity.
Law of identity
We humans operate on identity. Without it not much would be possible. For humans, the process of identity starts before birth. After birth, a newborn must identify with its mother or perish. As we grow, we acquire greater and greater capabilities around identity. Who do we trust? How much will we share? What do we believe? What evidence do we require? And how do we vet such evidence? Identity is not an easy task at any point in the human experience. Still, we do a pretty good job and in the aggregate we have a pretty low risk as a result.
Artificial identity -- AI
Computers don’t identify people, nor do they lend credence to information. The Internet is the same because anywhere you go, you simply have to have the right key for the door to walk in. The system doesn’t care who you are.
So, how do we make this interaction more human? Is it possible to get away from the system-centric gateway approach and move to a more organic interactive identity structure? I think so, and I think the key lies in opening the technology between users, so that they can apply their identity talents to the interface.
The sixth sense
Heresy, you say? People in an organic setting have an open environment. Why shouldn’t people in an online environment have an open setting? The trick is to allow open interaction among people with respect to a group. There are things that we do online that are for public consumption and there are other things that have more restricted audiences.
In organic settings, we have ways to manipulate our environment to allow us to have varying degrees of privacy with respect to a given audience. In cyberspace, we do not have this ability. What’s more, we do not have the ability to connect users and data in a manner that allows them to chain specific authorizations to capture the scope and context of that authorization. We need transparent principles of least access built into applications and the user-data relationship at very granular levels.