A question of identity
by John McIntosh
According to the Federal Trade Commission, Online Identity Theft is the fastest growing crime, with Internet-related incidents accounting for two-thirds of all complaints.
The issue has such a high profile now that it is even covered in women's magazines. Don't ask, I just know.
What is an identity? This might seem obvious, but is it? I would describe a digital identity as a set of attributes that describe an entity (be it person, process, system, server or thing) within the context of an event or request. Attributes are bound to a unique identifier, such as a name, which is established through the process of authentication.
It follows that an identity management solution should provide highly granular rules and policy expression capability to enable administrators to easily define how identities are to be used within different contexts. By way of example, you might think of yourself in the capacity of citizen, employee, executive, contractor, supplier, buyer, partner, colleague, and so on. What sort of identity attributes would you have? There can be quite a mix.
Security architectures and compliance methods need to support a consistent means of determining how digital identities are formulated for, and applied in, business scenarios, and of maintaining their integrity through constant verification.
The other day I came across a press release that is a fantastic example of how, once again, point technology is being offered as a solution that addresses only part of the problem.
Wholesecurity claims to have developed a solution to solve the Online Identity Theft problem by extending the SSL model -- automatic, seamless protection, without downloads or upgrades -- to the point of input. The company says that Confidence Online will provide a secure, safe experience during any online transaction or data exchange to protect against criminals' new weapons -- eavesdropping software and Trojan horse attacks.
Yeah, but... that's not really the problem and, by the way, there is plenty of software out there that can more or less tell you if you have something unpleasant on your system. Why do you need more?
From Wholesecurity's Web site, it seems that it is all about confidence. To my mind, the greatest risk is that back-end systems that hold more information about me than I care to think about get exposed because some admin person was in a hurry or just plain too busy.
As I look around the marketplace, there are a number of vendors along with Wholesecurity, such as Waveset, Oblix, Netegrity, RSA, Verisign and Quizid, who have parts of the identity management jigsaw but lack the whole solution. This means users have to take products from multiple vendors to build something that approaches a complete solution.
Fortunately, SAML and XACML are around as frameworks and many vendors are now supporting these, although we might question how well. However, there is still some way to go before the real-time verification issue is cracked.
Copyright 2003 IT-Director.com