"Prevent identity theft -- protect your Social Security number" is the headline on my Social Security statement that I receive each year around tax time. We hear about identity theft a lot these days, but as CIOs, we need to think about the issue from the point of view of the enterprise entrusted with the "identities" of our users and customers. I'll explain what is meant by identity in this context and how it must be managed to securely facilitate relationships to business applications. What is an identity?
In the simplest terms, an identity is some method that verifies you are the person you say you are -- those distinguishing attributes that only you can provide to authenticate yourself. It can be a single pass code or a set of numbers, such as a Social Security number, or a complex procedure, such an encrypted key. The identity interacts with a process that determines what level of security you may possess and which services or activities you may participate in after completing an authentication challenge. Associated with this process is a set of global attributes that contains information about you. It might be your name, email address, pin/user password, credit card number, or Social Security number. It might be less obvious information such as how you want your home page to appear, affinity programme memberships, or recent purchases. In part, it enables a positive user experience by retaining history or preferences about you. If well guarded, the use of this information can make an e-commerce experience easy for the user. However, e-commerce is not just about the user experience -- it's about the merchant or business entity's responsibilities to protect the user's identity. Network identities
Having an identity and having a network identity are different subjects. A network identity is a construct consolidating multiple identities. An identity, as described above, is one aspect in a description of a person's network identity. You can authenticate to one business application with a set of credentials known to that business application and get one experience. But you may need to present another identity to authenticate to another business application with a set of credentials known to the second business application. The credentials may not be the same, and the information about you may not be the same or even known. Besides the irritation of remembering another set of user identification and user passwords, you may not have entered the same information (or wanted to), or the information may be used in a slightly different manner. To describe this in another way, user account information is scattered across isolated applications, even though users are members of overlapping multiple communities of interest and commerce. The information is overlapping. With a network identity, the synergies abound: online banking with investment possibilities, credit card and utilities payments, and any number of other possibilities. With the realisation that the overlapping information is consistent, the experience across different sets of business applications within a community of interest will be consistent. For instance, while doing online banking, I may be servicing my loan or working with my savings or checking account. Information affecting one set of applications would be relevant to another. The security problem enters when your network identity needs to transcend a business entity or a number of discrete sets of applications within a business. Each set of applications requires credentials and, therefore, you, the user, may be challenged multiple times. Obviously, with a single set of applications, a simple identity will suffice. But with a wide range of business applications, you can very easily lose control; each application might enforce authentication and authorisation very differently, including what and how to challenge. The basis of decision could be on different policies (rules) that are inconsistent between business processes (say between the online banking information passed to the mortgage application) or on islands of dissimilar information collected by each business application (say reversing two digits of a Social Security number). For the business community, this becomes more of a problem than just an irritation. An ad hoc security implementation lays open the real probability of a security breach and the associated fines that come with it, whether it's disclosure of financial information or the release of restricted information that is subject to government regulation. And then there is the (missed) opportunity cost of enhancing affinity relationships (cross-selling).