Identity Management: a first principle idea.

By Rick Howard

Aug 31, 2020

CSO Perspectives is a weekly column and podcast where Rick Howard discusses the ideas, strategies and technologies that senior cybersecurity executives wrestle with on a daily basis.

Identity Management: a first principle idea.

Listen to the the podcast episode.

Note: This is the eleventh essay in a planned series that discusses the development of a general purpose cybersecurity strategy using the concept of first principles to build a strong and robust infosec program. The other essays are listed here:

The Internet was built without a way to know who and what you are connecting to.

— Kim Cameron, Architect of Identity, Microsoft Corporation, 11 May 2005.

The concept of identity is fascinating. What are the things that we value about ourselves that show others who we are? Name, hacker alias, address, favorite dungeons and dragons character alignment, job, past jobs, volunteer committees, art, politics, recreation, and many, many other activities and things we belong to or support make up our personal identity. And that doesn’t even cover personas. I have my business persona, my family persona, my neighborhood persona, and my gaming persona. I share my identity personas with the communities that I belong to, but I might not like to share them with my other communities. For example, I may not want to share the persona for my level 47 chaotic neutral Tiefling warlock named Abigail with the CEO of the Cyberwire. He might not understand. (No offense Peter!)

In a transactional world though, we need to find things to attach to our identity that authenticate who we are. It is one thing to get on Twitter and broadcast to the world about how much you love the Cincinnati Reds. You can’t use that baseball love to get money out of an ATM machine, though. So we find ways to prove to our transactional partners that we are who we say we are, and not some AI bot impersonating us.

Authentication: citizenship and the first birth certificates.

In the 1850s, the British started using birth certificates to authenticate citizenship. People could present their birth certificate to a bank to get a loan for example. In 1903, Missouri and Massachusetts became the first states to require a driver’s license to operate a car. After WWI, the League of Nations championed the use of passports for international travel. In 1935, the United States Congress passed The US Social Security Act that assigned exclusive numbers to citizens. Social Security Numbers became the de facto attribute for many years to uniquely distinguish the John Smith who lived in Albuquerque compared to the John Smith who lived in Fresno.

Passwords as a method of authenticating identity.

In the 1960s, when computers started to become an essential tool to big business and government, the late great Fernando Corbató, one of computing’s founding fathers, introduced the idea of using passwords to gain access. Unbeknownst to him, Corbató provided a long list of cyber ne'er-do-wells a never- ending attack vector to break into computer systems. In fairness, though, passwords didn’t start to really break down as an authentication system until the internet started humming for online transactions, say circa the mid-1990s. As the internet scaled, passwords just didn’t cut it anymore. Astonishingly, passwords are still the thing that most people use to authenticate themselves, a technique that’ is now over 50 years old.

Directory access protocol as authentication.

In 1993, Tim Howes, Steve Kille, and Wengyik Yeong collaborated to invent LDAP or the Lightweight Directory Access Protocol. According to Juliet Kemp at ServerWatch, LDAP lets administrators organize information on the network and provide users access to it. Howes and team designed LDAP to facilitate authentication over a distributed TCP/IP network. By 2000, Microsoft included LDAP into its backbone authentication system called active directory that uses both LDAP, for user lookup, and Kerberos, for authentication. Kerberos was created at MIT in their Athena project in 1988.

Sarbanes-Oxley makes bad access control a civil tort.

In 2002, the United States Congress passed the famous Sarbanes Oxley law, which among many other things, held companies liable for bad access control. By 2006, we started seeing the first managed services for identity management and by 2010, we started seeing the first SaaS identity management services. By 2014, organizational data started to distribute across multiple data islands: traditional perimeter, private data centers, personal devices, SaaS providers, and cloud providers (IaaS and PaaS.). It was clear that on-prem identity solutions were on their way out in favor of SaaS identity services.

Identity, authentication, site-centricity, and federation.

One of the problems with digital identity and authentication is that our current systems are site-centric. Users of systems have to present the same credential information to multiple digital silos like Amazon, Netflix, eBay, and the like and these silos don’t talk to each other. Further, there’ is little granularity for access control. It’ is difficult to give only a partial credential set to a site centric portal. It is usually all or nothing. And, as I said, these sites are silos. If I routinely use Amazon and Barnes & Noble, I can individually log into each separately but I can’t ask Amazon to share the books I purchased on their site with their competitors, even though it is my information, because they are walled gardens.

If Fernando Corbató invented the beta version of identity and authentication back in the 1960s, Dick Hardt, an internet identity evangelist, says that by the mid 2000s, we had finally reached identity and authentication version 1.0 with our site-centric systems. When identity federation emerged sometime after, that probably moved us to identity and authentication version 1.5.

According to Helen Patton, the Ohio State University CISO, federation is the idea that if two partners trust each other, they trust each other’s users. If Helen travels to her trusted partner’s campus, say the University of Michigan, she is able to log on to the campus wifi network without any coordination hassles. From my perspective, federation is the associative property of trust. If the University of Michigan trusts Ohio State University, and Ohio State University trusts Helen, then the University of Michigan trusts Hhelen too.

User-centricity: SAML and OpenID/OAuth.

That’ is fine, but it’s not yet a perfect solution. One-off partnerships don’t scale. What we need is identity and authentication version 2.0 where we move away from site-centric solutions to a user-centric solution. In other words, I create and store my identity and associated personas in a trusted authorized broker. When I visit Netflix and Amazon, I direct them to authenticate me through the broker and I only give them access to the bare essential credentials required and nothing more.

In the early 2000s, two technologies emerged that would move us closer to the goal: SAML and OpenID/OAuth. SAML (pronounced “SAM-EL”l) stands for Security Assertion Markup Language and refers to a heavy weight XML variant language that facilitates one computer to perform both authentication and authorization on behalf of other computers. The OpenID/OAuth pair is a set of competing technologies to SAML that have a crazy and confusing history of internet drama. Don’t worry if this all sounds confusing. It is. For example, OAuth stands for open authentication. The crazy thing is that OAuth doesn’t authenticate anything. It simply authorizes a machine to login to another machine on behalf of a human. OpenID does the authentication of humans. By 2014, this had all settled down though. Today, according to CSO Magazine, most network operators use SAML for enterprise applications and OAuth for open internet situations.

At this point, with SAML and OpenID/OAuth, we have probably reached Identity and authentication version 1.7, up from version 1.5 that we got with federation, but still not quite at 2.0. To get to 2.0, a user centric solution, I would direct your attention to a paper written by Kim Cameron back in 2005 called “The Laws of Identity.” That might be a good place to start. He lists seven characteristics that any modern identity system should have:

User Control and Consent: The user is in charge.
Minimal Disclosure for a Constrained Use: Zero Trust for data exchanged.
Justifiable Parties: Zero Trust for exchanging parties.
Directed Identity: Omni directional and one way.
Pluralism of Operators and Technologies: Can operate with multiple technologies and multiple entities.
Human Integration: Conducive to humans interacting securely.
Consistent Experience Across Contexts: ‘nuff said.

The bottom line is that the concept of identity is probably the most important thing to get right for the future of transactional internet business. We can have all of the first principle strategies in place that you want—like resilience, zero trust, and intrusion kill chains—but being able to know precisely that Abigail, the level 47 chaotic neutral Tiefling warlock, is really Rick Howard and not the owner of a Russian influence operation run out of Novosibirsk, Siberia, is key to everything. Without it, we will not have confidence in any future system like online voting, census taking, or really any transactional interactions with our governments, commercial business, or academic institutions.

You would be right to point out that the way we do identity and authentication today, the version 1.7 that I have described, kind of works. And it does. I am able to watch Netflix, buy books from Amazon, and order hamburgers from my local 5Guys all relatively hassle free. But these site centric systems were designed by commercial firms for the purpose of making money, which I am not against, but maybe there is a loftier design goal that we should pursue. Maybe we should design our identity and authentication systems to benefit the people.

Just saying.

Identity and authentication timeline.

1960

Fernando Corbató introduces the use of passwords.

1960s - 1970s:

Computer administrators used Access Control Lists (ACLs) mechanisms to limit access.

1988

The Kerberos v4 protocol was first publicly described in a Usenex conference paper.

1993

Tim Howes, Steve Kille, and Wengyik Yeong develop LDAP.

2000

Windows Server 2000 released, the first release of Microsoft Active Directory.

1999

Microsoft introduced a product called Microsoft Passport that was soundly rejected by the internet for many reasons but mostly because it was proprietary.

2002

Sarbanes Oxley: Held companies liable for bad access control.
SAML V1.0 became an OASIS standard.

2005

Brad Fitzpatrick develops the first generation OpenID authentication protocol.

2006

First managed identity services.

2007

The second-generation OpenID specification (OpenID v2.0).

2010

First Identity as a Service in the cloud.
OAuth was released as an open standard as RFC 5849, and quickly became widely adopted.

2011

OpenID had become an also-ran, and, Wired declared that "The main reason no one uses OpenID is because Facebook Connect does the same thing and does it better. Everyone knows what Facebook is and it's much easier to understand that Facebook is handling your identity than some vague, unrecognized thing called OpenID." (Facebook Connect turned out to not be a world-beater either, but at least people knew what Facebook was.)

2012

OAuth 2.0 released; widely criticized for multiple reasons but also widely used.

2014

OpenID Connect was released, which reinvented OpenID as an authentication layer for OAuth.