Breathe deep, solution providers and CIOs already juggling the complexities of bring your own device (BYOD). After recent much-publicized breaches at Amazon and Apple, another bring-your-own element could rear its head and generate a flurry of security, management, and best-practices concerns.
This time, some pundits are discussing "bring your own identity" (BYOI), a term coined by Gerry Gebel of Axiomatics when he was with the Burton Group. So writes Dave Kearns, senior analyst at KuppingerCole, in a blog today.
Since so many Websites today demand people use their Twitter or Facebook accounts to register, the thinking goes, why can’t employees use these same login credentials to prove their identities to the corporate network or applications?
After all, corporations spend millions of dollars every year to validate the identities of employees, partners, and suppliers -- and so do service providers like Facebook and Twitter, writes Robert Block, vice president of identity access management services group at Fishnet Security, in a blog. Today, corporations are no longer shunning these social media sites and, in some industries like retail, are being pushed to adopt consumers’ social credentials as valid identities, says Block.
In addition, Facebook and Twitter are aggressively expanding and creating “circles of trust” with third parties (such as publications and retailers), so consumers can leverage them with additional service providers. And corporations are more open to discussions about outsourcing identity-as-a-service (IaaS, not to be confused with infrastructure-as-a-service), Block writes.
This makes sense: After all, many organizations are embracing other as-a-service options; why not add identity to their menu? Cloud-based identity management makes sense at a time when businesses are scrutinizing every penny they spend, looking to transform their IT use and continue doing more with less. Nothing, it appears, is sacred.
But could it mean one day employees will sign into your company’s customer relationship management software via Facebook? Or enter the corporate LAN using their Twitter sign-ons? What about privacy and users’ concerns about Facebook’s user-data policies?
As Nick Crown, director of product marketing at UnboundID, writes in a really interesting company blog:
Given that the idea of leveraging one’s own identity for work purposes has been around for some time, why is this not more commonplace today? Further, why do we not see more companies serving in the role of an identity provider (IdP) out there today? Yes, Facebook Connect is an example of success in this regard, but only for a certain class of identities. No, I don’t believe we’ll see the lower level-of-assurance (LoA) credentials issued by Facebook being utilized for accessing sensitive enterprise applications. Granted, it’s feasible for Facebook to provide additional vetting and assurance for the identity information that they provide to third parties, but it is highly unlikely. Even so, there are serious conflicts of interest between their current model of selling our personal data for profit and the sensitivity associated with the access of enterprise resources. That’s not a good mix.
There have, after all, been well-known cases of “verified” Twitter accounts that were quickly shown to be hoaxes. ("Mrs. Murdoch" ring any bells?) And I can quickly come up with at least a dozen friends with fake info on Facebook. But some experts say the technology, at least, is almost ready.
Running behind the scenes, OAuth could allow social media to become the BYOI (or as it’s sometimes written, BYOId) engine. It is lightweight, portable, open, and easy to implement. As Scott Morrison, chief technology officer of Layer 7, writes in Forbes:
The insight so many miss is that OAuth is not important because of its technology; it is important because of the paradigm shift it represents. OAuth is really about the delegation of control. It moves entitlement management away from central administrators, and puts this into the hands of individual users. There’s a certain common sense behind this: after all, it’s your Twitter account; shouldn’t you be the one to decide which other applications can access it?
This simple idea subverts the entire traditional model of identity management. But this is a good thing, because pushing the problem out to users is the real secret to managing identity at scale.
MDMConsult 8/21/2012 10:06:58 PM User Rank Platinum
Re: Human Token?
Yes, security has been such a major issue these days. Cited: "It's interesting that even Apple is really interested in implementing fingerprint sensor technology with its devices. Apple announced that it had agreed to buy AuthenTec for $356 million." Apple has a history of acquiring companies for their unique technology. It would most benefit enterprise companies and government
Interesting that fingerprint scanners are so common these days, but rarely seem to be enforced. They are very difficult to get around on modern laptops (but like anything else, they CAN be worked around). I used to use the fingerprint scanner on my old laptop but I got tired of it screwing up my fingerprint scans so I resorted to the traditional password method ;).
HUB Support 8/15/2012 10:28:25 AM User Rank Platinum
Re: Human Token?
Cost is always a concern. Top tier biometric security (i.e. optical scanners) would be cost prohibitive. But with the widespread adoption of fingerprint readers on laptops, I am surprised we haven't seen biometrics integrated into more mobile devices. On the surface, that would appear to be a viable authentication solution that could be universally accepted and difficult to duplicate.
Alison Diana 8/15/2012 10:07:35 AM User Rank Blogger
Re: Left up to the end user?
I totally agree, JAdams. As you say, most people I know have checked-off the auto-save for Facebook, Twitter, Flickr, etc. There's theft and loss; also, think of the amount of time people's phones are left unattended, which would allow bad guys to gain access, if BYOI was a mainstream reality. I get why this concept has support; I just don't know how it could be done securely and consistently. It is very interesting though.
Alison Diana 8/15/2012 9:45:07 AM User Rank Blogger
Re: Human Token?
Interesting points, HUB, and biometrics certainly make a lot more sense than our continued (and expanding) use of passwords. (Please make it end, someone!!) It would be interesting to see if there's any information out there that compares the cost of equipping mobile devices with biometric security technology vs. the cost organizations currently pay for identity management solutions. Guess I've given myself an assignment...! Although, of course, the price-tag of biometric solutions would drop with widespread adoption.
When it comes to ID cards, I think we loop back to theft/loss/abuse, so I don't know that they'd be useful on their own. But perhaps they could be used in combination with some other form of ID/authentication? It's a really interesting problem, one that demands a more streamlined solution, that's for sure. With so many mobile devices out there today, with so many more employees working remotely, it's vital that organizations get a cost-effective and user-friendly solution to this conundrum.
Alison, I definitely think that it's going to be an uphill battle when dealing with people securing their social networking information. Like you said, everyone has their devices set up to automatically check (well, most everyone I would 'assume') and not everyone secures their devices (I see this trend in older users, personally) so it's definitely going to be a problem.
Great suggestions, HUB. I too believe that biometrics is the ultimate verification tool. It's hard (sadly, not impossible) to mimic someone's biometrics. Well, it probably is darn near impossible to duplicate... I could see in the future, thieves pulling stunts like we see in movies where they somehow get ahold of a person's "stuff" :).
HUB Support 8/14/2012 9:43:51 PM User Rank Platinum
Human Token?
Social networking as an identity validation tool sounds like a risky proposition. However, I do envision some form of BYOI taking root in the future. One way to improve security would be to integrate some type of universal token into the mix. I am inherently distrustful of mobile devices being a reliable token (for some of the 'theft' reasons Alison describes), but there are more reliable options. In the near future, State-issued ID cards could be used for validation (let's put those mag stripes and barcodes to work!).
I'm always a proponent of biometrics as the ultimate validation tool, eliminating the need for a text-based login. As time (and tech) progress, I predict the person themselves will become the validation tool. In this tech-age, aren't text-based logins starting to feel a bit anachronistic?
Alison Diana 8/14/2012 4:11:35 PM User Rank Blogger
Re: Left up to the end user?
It sounds a bit iffy to me, too. Think about how easy it is to create a Facebook account; as I recall, all you need is a valid email that's connected to a few other people. If you were determined, you could create several email accounts for multiple fake individuals, each of which would be 'friends.' You'd then have, say, 20 'people,' with their own 'lives,' validating each other. Now, I don't have the reason/time/incentive to do that; nor, I'd imagine do you, @jgregc! But I can believe there are some nefarious folk who could -- and who would do it at more extreme lengths than 20 to make it even more believable.
Of course, these 'people' wouldn't be employees of a company so I don't know how that step in BYOI could work. You'd then have the worry that people would do a good job of protecting their social media IDs, identities that are often automatically checked on smartphones, tablets, and notebooks which are easily lost and stolen. I think this could be a real challenge for IT and CSOs. I look forward to seeing how developers address this. I do know the topic isn't going away!
Right now I am trying to digest this, asking myself who should be responsible for validation of a person being, well, themselves. If a quote in the article was followed – "pushing the problem out to users is the real secret to managing identity at scale" – then it would be the responsibility of the end user to build up a reputable history of actions that would stand up to the scrutiny of validation.
I have to wonder - would not someone looking to fake an identity work much harder in establishing one than otherwise? And I wonder exactly how much we can count on the average person to maintain a viable identity history, preferably one without gaps. It might be that it works better on paper than in practice. Of course, I've been wrong about such things before.