Security and risk professionals know what to do with security vulnerabilities: we mitigate the risk directly as best we can, and put in place compensating controls when we can't change the underlying dynamic. But in the age of the customer, upping our game in authentication strategies has forced us to take a harder look at an area that, generally speaking, is not our specialty at all.
Last summer, Forrester published a Customer Authentication Assessment Framework that leveraged some exciting academic research called “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes” out of the University of Cambridge Computer Laboratory. (Gunnar Peterson has a recent post highlighting the arc and nature of these researchers' work, and even has a nice back-and-forth in the comments with contributor Cormac Herley of Microsoft Research.)
Data Privacy Day is on January 28. But isn't all hope lost when it comes to the P-word? Interestingly, Daniel Solove is one key expert who doesn't think so: His recent Year in Privacy roundup sounds a number of positive notes, largely having to do with regulatory pressure driven by public pressure. In the age of the customer, we really can see "water wear away stone" when ordinary people demand change.
My colleague Fatemeh Khatibloo recently published some must-read research on contextual privacy: a framework for negotiating the collection and use of personal data that ensures a fair value exchange for both the customer and the business. Don't miss the blog post where she lays out some takeaways:
Privacy isn't dead, it just needs redefining.
Privacy will be a market differentiator.
Privacy technology will disrupt the marketing ecosystem.
If you ever need a belly laugh, visit the site DamnYouAutocorrect.com (warning: it’s often not safe for work). It’s also a great illustration of why you shouldn’t just force users through the same exact login procedure when they use mobile apps versus full-fledged browser windows: hitting all the right tiny keys is hard work, and often the software behind the scenes is helpfully trying to “correct” everything you type.
Responsive design is all the rage in consumer web app design, and for good reason: users can put down one device, pick up another, and change the screen orientation in mere moments, and app developers can’t afford to miss a trick in optimizing the user experience. Similarly, in researching current authentication methods and trends, we’ve come to believe more strongly than ever in adapting your user authentication methods to your population, the interaction channel they’re using, your business goal, your risk, and your ability to pick up on contextual clues about the user’s legitimacy or lack thereof. Call it responsive design for authentication.
When we published our recent Customer Authentication Assessment Framework research (the report comes with a spreadsheet tool), we deliberately focused on onboarding, login, step-up authentication, and account recovery for – yes – customers, most particularly consumers. Why? Because the framework takes into account usability characteristics just as much as security characteristics, and security pros delivering solutions to Marketing had better have good answers when they propose adding friction to the login experience.
Social sign-in has become a powerful force for marketers and consumers, validating the notion of federated identity in consumer-facing contexts. (Ironic that consumerization of IT is successfully tackling even the single sign-on problem that has bedeviled IT, showing how identity for the top line of the business can overcome resistance in ways that business-to-employee scenarios typically can't.)
But not all consumer-facing federated SSO is social. When I was with PayPal, our team worked on the underpinnings of what eventually turned into Log In with PayPal, which is strictly about federated identity flows for commercial purposes. And today Amazon has come out with Login with Amazon, a powerful statement of Amazon-as-identity-provider. They've been testing this with their own web properties Zappos and Woot; now they're enabling third-party merchants and other sites to use Amazon for authentication of people who already have active Amazon accounts, along with learning a few selected user attributes: name, email, and optionally the zip code of the default shipping addresses. No huge social graphs here, just data that partner eCommerce sites need to function (and make money).
I had the chance once again to do a podcast with Mike Gualtieri as part of his wonderful Forrester TechnoPolitics series, talking about the usability affordances of passwords that make them natural targets for consensual impersonation. As Mike memorably puts it, is this behavior frisky, or risky? Just like in our last podcast together, I found myself confessing deep dark authentication secrets. Take a listen and let me know your thoughts.
Andras Cser probed a sore spot in IAM last week with his post, “XACML Is Dead.” It’s a necessary conversation (though I did see a glint in his eye at the Forrester BT Forum after he pressed Publish!). Our Q3 2012 Identity Standards TechRadar showed that XACML has already crested the peak of its moderate success trajectory, heading for decline. We haven’t seen its business value-add or ecosystem grow since then, despite the publication of XACML 3.0 and a few other bright spots, such as Axiomatics’ recent funding round.
It’s not that we don’t need an interoperable solution for finer-grained access control. But the world’s demands for loosely coupled identity and access systems have gotten...well, more demanding. The solution needs to be friendly to open web API security and management. It needs to be friendly to mobile developers. And it most certainly needs to be prepared to tackle the hard parts of integrating authorization with truly heterogeneous cloud services and applications, where business partners aren’t just enterprise clones, but may be tiny and resource-strapped. This admittedly gets into business rather than technical challenges, but every ounce of technical friction makes success in the business realm less likely.
A couple of months back, I advocated killing your password policies and applying some other techniques instead to make existing use of passwords more effective (including my hobby horse: take the user-experience sting out of rotating ordinary static passwords by pushing them out to users on an alternate channel, à la activation codes and other OTPs). But adding factors is still a great idea, and the barriers to doing so are falling fast.
It has finally become hip not just to predict the demise of passwords, but to call for their elimination. The recent Wired article makes an eloquent case about the vulnerabilities that even "strong" passwords are subject to, such as social engineering and outright theft. And strength is, of course, relative and subject to degradation: The latest computer hardware can make short work of cracking more-complex secrets.
It's true: Static shared secrets are sitting ducks. But passwords are too useful to go away entirely, both because it's handy to be able to synchronize authenticator data between cooperating systems (and people), and because people find using passwords to be less invasive, fiddly, or personally identifying than a lot of other options. So I don't buy the whole "the era of passwords is over" thing. They will be at least one important element of authentication strategies for the foreseeable future -- it's a rare multi-factor authentication strategy that doesn't include a password or PIN somewhere along the line as one of the "things you know."
So, if that's our reality, let's think outside the box in using them. In talking with Mike Gualtieri recently as part of his TechnoPolitics podcast series, I mentioned a few ideas. I had thought of these as pet password peeves, but on the cusp of 2013, why not be positive and think of them as resolutions?
The rapid adoption of mobile devices and cloud services together with a multitude of new partnerships and customer-facing applications has extended the identity boundary of today’s enterprise. For the extended enterprise, identity and access management (IAM) is more than just provisioning employees with and enforcing the appropriate access to corporate resources. It’s about the ability to oversee access by a variety of populations, from employees to partners to consumers, and protect a variety of sensitive resources (including data) that may reside on or off the organization’s premises – all while helping to protect the organization from increasingly sophisticated cybercriminals and resourceful fraudsters.
Unfortunately, legacy approaches to IAM are failing us because they can’t manage access from consumer endpoints, they don’t support rapid adoption of cloud services, they can’t provide security data exchange across user populations, and offer no help against emerging threats.
We at Forrester have been promulgating a Zero Trust Model of information security. It eliminates the idea of distinct trusted internal networks versus untrusted external networks, and requires security pros to verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic. Zero Trust applies effectively to identity as well. It requires security and identity pros to: 1) center on sensitive applications and data; 2) unify treatment of access channels, populations, and hosting models; and 3) prepare for interactions at Internet scale. Moving toward Zero Trust identity not only helps you improve business agility and achieve compliance – it even helps you enhance customer experience and deliver on your org’s API monetization strategy.
Doing access management with the help of cloud-based services is a pretty comfortable proposition by now. For more than a decade, we've been doing federated single sign-on to and from apps that are themselves in external domains. Looking at the recent Forrester Wave™ on enterprise cloud identity and access management, all three vendors we identified as leaders specialize in various kinds of cloud-app SSO and access control -- the cloud identity 1.0 ur-scenario. (Join us tomorrow, September 20, for a client webinar to review this Wave!)
What about identity management in the cloud? It's been harder to find. Two other vendors we looked at in the Wave provide cloud interfaces to familiar on-premises provisioning solutions such as the IBM and Oracle suites. And all the vendors rely on hooking into an organization's on-premises directory as the single source of truth.
Okay, then, what about putting that single source of truth into a store with a cloud-native interface, as my colleague Andras discussed on our Security & Risk blogs recently? That’s even more rare -- but the writing is on the wall. Microsoft went bold with its Windows Azure Active Directory moves, providing non-LDAP RESTful interfaces. Cool. (I’d like it to support SCIM as well, though, since you ask.)