The New Credential Order Emerges

January 11, 2013
Peter Alterman

Peter Alterman, PhD, Chief Operating Officer, SAFE Bio-Pharma Association

We’ll soon look back on 2012 as the year the future of electronic identity credentialing began to appear out of the cloud (pun intended). For years, the electronic identity credentialing space has been trying to climb out of the siloed userID/password hole. Many initiatives and technologies have been thrown at the problem, with notable successes such as InCommon and the related academic federations built on Shibboleth and SAML, technologies sponsored by Internet2 and OASIS respectively.

These local successes – many with millions of users, so I mean no slight when I call them local – led to the federated identity management initiatives. The US government has a lot to be proud of in this space, having initiated and then led a number of the technical, policy and practice efforts to enable federated identity management globally.

Alas, the world of federated identity will soon be lost to the archives.

Three converging currents predict what is about to happen:

  1. For years, common credit cards in Europe have carried a chip holding a digital certificate. In 2012, the US credit industry committed to converting from the ubiquitous magnetic stripe format to a smartcard compatible with the European cards by 2015.
  2. A bill has been introduced in Congress to direct the Centers for Medicare and Medicaid Services (CMS) to issue high assurance digital credentials to all citizens receiving CMS benefits; this encompasses every citizen over the age of 65 and many millions of others receiving Medicare and/or Medicaid services. Whether it passes or not, it points to the trend of governments credentialing their citizens. Many European and Pacific Rim nations already issue and manage high assurance digital credentials to their citizens.
  3. Verizon has announced that it is moving from being a telecom company to an e-services company. The first step in this evolution is Verizon’s fourth quarter issuance of its Universal Identity Solution, zero-footprint credential. It links to all of the subscriber’s mobile and digital devices and is both user-friendly and high assurance.

These three sources, the credit industry, governments and telcos, will credential every one of us, ending the current situation in which companies, websites, identity federations and communities of interest each issue their own kinds of credentials. With that will come the end of the debates over technology interchange protocols, trust levels, policies, goals and standards.

The new challenge will be getting the Big Dogs to adopt three of the four goals of NSTIC: interoperability, user-friendliness and privacy enhancement. (The fourth, voluntary opt-in, a relic of the goals’ birth in a US government office, is likely to be deemed unnecessary and irrelevant by the telcos and the credit card consortium.)

There will be clear winners in this Brave New World. US businesses would do well to align with Federal PKI Architecture and/or FICAM-approved credential issuers. SAFE-BioPharma credentials fall into this category, and are likely to be among the long-term smart options. Relying on bank-issued ATM cards, next-generation smartcard-based credit cards, and mobile-device-based credentials issued by the major telcos will also be good bets.


How Cheap is Cheap?

January 5, 2013
Peter Alterman

Peter Alterman, PhD, Chief Operating Officer, SAFE Bio-Pharma Association

I’d like to talk about a dirty little secret in the cyber world: most system owners and operators want to do authentication and signing on the cheap. The fact is, the userID/password model in use since the first generation of computing is viewed by many online services as sufficient to their needs, while improved identity management for authentication is considered by these same managers to be overly complex and expensive. Furthermore, most systems managers say they’ve never been attacked and don’t think they’re likely to be.

There’s no arguing with the fact that a userID/password implementation is less expensive and simpler than a high assurance trusted credentialing solution for authentication and signing. That said, there is a substantial hidden or overlooked cost to maintaining this rudimentary solution. The operational cost of managing a database of userIDs and passwords is buried in the overall cost of maintaining the system that houses it, but it’s real enough, as is the cost of helpdesk support (human or automated). Additionally, the risk of attack is real, and the probability of attack is getting greater, not smaller. Still, it’s hard to quantify the cost of that risk at budget time, when the manager is going up against the rising cost of everything from electricity to toilet paper.

Risk calculations are part of the toolset of the cybersecurity folks, and higher assurance credentialing is one of the mitigating technologies they can deploy. But cybersecurity folks get very little respect at budget time themselves. So the usual model finds the IdM guy and the cybersecurity guy fighting over the crumbs left on the table. But I digress.

As governmental services, including the workflows of the regulatory agencies, move online, the risk assessment math changes. The formula stays pretty much the same but the numbers change: the cost of a breach climbs steeply. Fines for privacy breaches are just the beginning. There’s loss of credibility among customers and business partners, opportunities for competitors to steal the cheese, and the knock-on effects on other project budget lines when the victim is forced to spend unbudgeted funds on security consultants, repair services and new software tools to address the damage. On top of all of that, the new security practices disrupt most of the workflows in the victim’s business processes.

So what’s the cost of all this to the firm? Until the spit hits the fan, nobody wants to know. But it’s a good bet that one of the costs is the head of the underfunded cybersecurity guy, who gets to be the corporate scapegoat. In the TV drama world, he or she would find happiness in a new career selling toilet paper to industry at a higher income. In the real world, things aren’t so happy.
