Tuesday Dec 22, 2009

My Christmas Wish List: Personal Identity-Persona Service

christmas_wish_list It is almost Christmas Eve.  In the midst of an insomnia episode, I conjured up a crazy notion of making a Christmas wish list of things I want from a Personal Identity-Persona Service (PIPS).   Your list may be different, but here’s mine.

  1. Secure Identity Bank Vault for my Identity Profile and Credentials.  Of all the potential Identity Providers jostling for prominence in the market, I favor my bank the most.  They take pretty good care of my money, enable me to selectively send some of my money to other people, and seem to be sensitive to the issues surrounding security, privacy, liability and potential cyber threats.  I think I could trust them to take good care of my online Identity.  Think of it as the bank providing a safe deposit box for all the Identity attributes that I want to store and use, and providing the means to selectively take out Identity attributes for presentation to other people.  This vault should be located in a secure cloud, so I can get access from any computer or mobile device of my choice.  I think this is a concept even my technology-challenged wife, mother and father could readily understand and accept. 
  2. Really Easy to use Identity/Profile/Persona Editor.  With my Secure Identity Bank Vault in place, I need a really easy to use way to fill that vault with my Identity information and maintain it over time.  This will include the information I would normally include provide to an online merchant or social network, as well as subsets of such information that I can define for the purpose of presenting different personae to facilitate different online experiences.
  3. Multiple Levels of Identity Assurance or Validation.  I want to make sure that other people can’t impersonate me by setting up a  fake Identity Bank Vault for Mark Dixon that could be used to conduct illicit transactions.  To do that, methods need to be in place to validate the claims I make about my identity, such as birthplace, social security number, credit card numbers, etc.  Progressively rigorous checks of my background information will allow me to confidently present Bronze, Silver, Gold or Platinum Identity credentials to enable different levels of online interaction.
  4. Really Easy to use Persona Selector.  I need the ability to easily select from a set of personae I have defined in the Identity Bank Vault.   For example, I will most likely have one persona to use for online shopping, one for interaction with state government, and another for using my church website.  This selector needs to be immediately accessible, probably in the browser toolbar.  For mobile use, the persona selector needs to be easily accessed and presented by any online application that requires me to log in or pay for services.
  5. Multiple Levels of Secure Authentication.  I want to make sure that no one can access and use my Identity Bank Vault or persona and credentials it contains without my explicit permission.  In some cases, I may want to simply surf the web and virtually window shop by identifying myself with a user name and password.  However, I would like to restrict access to any financial transactions or health care record access by requiring a digital certificate (probably on a USB fob) and perhaps with a fingerprint check (perhaps via that same USB device).
  6. Option to Use Separate Personae for Login and Payment.  In some cases, I may want to use an Internet Persona to poke around the web, do some window shopping and try things out.  I may want to log in to Amazon, eBay, Barnes and Noble or other merchants before I decide to buy.  None of these merchants needs to know my credit card information before I decide to buy something.  Therefore, I need an easy method for first identifying myself and subsequently presenting my payment method.
  7. Audit Reports.  I would like to get an online “Identity bank statement” each month or on demand, detailing the my use of PIPS service.  This would allow me to verify that all uses were legitimate and would help me determine if adjustments were needed in my profile or use of the service.
  8. Fraud Insurance.  If a privacy breach or other unauthrorized use of my Identity or credentials occur through no fault of my own, I would like to be insured against possible damages.  This would be similar to the fraud protection currently provided by credit card companies.

Of course, in order for a PIPS service to be worth much, social Networks, online merchants, government agencies and other relying parties will need to accept my PIPS profile and credentials.   But wouldn’t it be great if I could maintain one set of Identity and Profile information and have that available for consumption by any merchant or social network, according to my wishes?  I would be willing to pay a yearly fee for such a service, much like I pay certain bank fees now. Or, perhaps those fees would be waived if I maintained a certain account balance or averaged a certain transaction volume on a credit card issued by the bank.

Will something like this happen?  I think so.  Probably not in 2010.  By 2015? I certainly hope so.

Thursday Dec 10, 2009

Federated Identity for Electronic Medical Records

Many thanks to my good friend Jonathan Gershater for sending me the link to another excellent post about Identity and Healthcare.  I particularly like his illustration of using Federated Identity to facilitate trusted exchange of medical records between different medical service providers. 

A user of any (Healthcare) ServiceProvider, who has been issued a digital identity by the trusted IdentityProvider, may seamlessly interact with the healthcare providers (SPs). The user will present the digital identity issued by the IdP, the SP will verify the Identity, and the user will be granted access to the Service Provider’s application. However, based on the user’s attributes and role, the functionality available to the user will vary.  A physician may alter a medical record but only within their specialty ( a dermatologist cannot alter a prescription for spectacles). A pharmacist may view but not alter the prescription for insulin in a healthrecord.  A patient may only view but not alter their medical record.

Federated Identity for Electronic Medical Records

Tuesday Oct 27, 2009

Identity Trend 10: Internet Identity

This post is the tenth in a series of eleven posts I am writing about key trends in the Identity Management industry.

Much of the traditional Identity Management market grew up meeting needs of Identity Management for enterprises, but, of course, Identity plays a large, essential role in the external Internet as well.  Modern enterprises are increasingly interconnected using the external Internet, but usually when we speak of Internet Identity, we are discussing the relationships between individuals and online service providers, as opposed to users of internal enterprise systems.  In this context, at least two major characteristics of Internet Identity Management are substantially different than Enterprise Identity Management.

  1. Super-scale. Internet Identity systems must scale to accommodate hundreds of millions or billions of individual Identities, as opposed to hundreds of thousands in the largest enterprise Identity systems. Internet scale is enormous.  Billions of people in the world have online accounts, and most online users have several online accounts, often across multiple devices.   The administration of these enormous quantities of identity credentials is currently highly redundant, error prone and costly.  Yet demands for privacy and security impose high standards on these Identity systems.
  2. User-managed Identities.  Rather than supporting the typical “assignment” and “administration” of identity credentials in enterprise setting, Internet Identity systems typically allow users to “choose” and “manage” their own identity credentials.  Ubiquitous standard methods do not yet exist to allow a common set of Identity credentials, managed by individual users, to be used with multiple online service providers.  The current default method is for each service provider to act as its own “Identity Provider” as well as being a “Service Provider” or “Relying party” that accepts a standard credential.  For example, Google, Yahoo, Facebook and Amazon.com each operates its own Identity Provider function without allowing a user to use a common set of identity credentials across all these major service providers.  While technical standards exist to enable a common Identity Provider serving multiple relying parties, we have not yet seen broad acceptance of an Identity Provider / Relying Party Identity infrastructure.

Multiple companies such as Facebook, Google, Yahoo, PayPal and Equifax have expressed interest in becoming Identity Providers for the Internet.  Certainly they have demonstrated the ability to provide highly performant systems at Internet scale.  Some relying parties have begun to demonstrate acceptance of Identity credentials from such Identity Providers, but clear winners haven’t yet emerged.  For example, Facebook and Google both provide facilities for other online sites to accept their Identity credentials, but uptake by relying parties has been fairly limited so far.

The biggest obstacles slowing widespread acceptance seem to be:

  1. Business Model. Lack of a clear financial business model to support the separation of Identity Providers from relying parties.  It is yet unclear what financial compensation should be provided to an Identity Provider by a Relying Party.  What business model is financially sustainable? 
  2. User Control.  The desire of big service providers to maintain exclusive control over their own user base.  Online service providers recognize that huge value is inherent in a large user base, particularly when combined with usage data that can be mined to provide context and preference information as discussed in my recent blog post.
  3. Ease-of-use vs. Security. Tension that exists between the need for a secure Identity credential system and the need for extreme ease-of-use by online users.  Some methods, such as Infocard/Cardspace and OpenID, have definite ease-of-use advantages over traditional systems, but serious concerns exist about whether either system can support high levels of security or Identity Assurance.

An example of cooperative efforts to address these challenges is the US Government Open Identity Initiative, which seeks to leverage existing industry credentials for Federal use of Internet Access.  Trust frameworks from organizations such as the Kantara Initiative, OpenID Foundation, InfoCard Foundation and InCommon Federation are being considered.  Google, Yahoo, Paypal and Wave are participating in this project as Identity Providers.  While the current focus is on enabling Infocard/Cardspace and OpenID for low-security access to government websites, concern has been expressed that neither method would be sufficient for higher security needs.

Recommendations:

The following questions may be in order as you consider how your organization will address Internet Identity:

  1. How many online users do you have now?
  2. How fast are you growing?
  3. What specific security and privacy assurance levels must you provide?
  4. How could easy-to-use, yet highly secure Identity credentials help you and your users?
  5. Will you be willing to rely on a third party Identity Provider to authenticate users to your site?
  6. What control do you want to entrust to your users to manage their own Identities?
About

Discovering Identity was founded on blogs.sun.com in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February, 2010, I switched to hosting the blog at DiscoveringIdentity.com. In March 2012, I began posting Oracle-related information in both places.

Thanks for stopping by.

Please connect with me in cyberspace at LinkedIn or Twitter.


The views expressed on this blog are my own and do not necessarily reflect the views of my employer, Oracle Corporation, or any other person or organization.

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today