Kill, fix, advance: Identity stakes out an evolution
Killing passwords, fixing authentication, and developing trusted identity services are three prominent challenges dominating the identity landscape today, according to a panel of experts speaking Thursday at the RSA Conference.
The panelists, participating in the "Emerging Conflicts in the Identity Space" session, urged enterprises to get proactive and tell vendors just what they need, to define online interactions as identity interactions, to demand standards, and to rethink traditional IAM perimeters.
The first matter of business was to reiterate that the password has outlived its usefulness.
"People know password re-use is a problem, so we actually have to get rid of passwords because there are too many attack vectors," Michael Barrett, PayPal's chief security information officer, told the packed session.
"A big shift we see is people realizing there is a password problem," said Eric Sachs, group product manager for identity at Google, who once again encouraged websites to get out of the password issuing business.
The thinking is that authentication needs to mature to a point where attributes from one or more providers are combined to create an identity that fits the user's context, connecting to a bank account as opposed to signing into a music service.
"Today, we lump identity into one bucket, but authentication is not an individual event; it goes across transactions," said Chuck Mortimore, vice president for product management at Salesforce.com. "There are scenarios where you want to bring attributes into a transaction, not a whole ID. You can 'add' to the primary authenticator."
Barrett said authentication is a "gradient and has properties". And he said authentication could use some risk-based controls. But he cautioned that "killing passwords will take time".
The panel also pondered questions around which entities might scale to provide millions of identities, how those identities integrate across domains, who accepts liability, and what is a reasonable timeframe for it all to change.
"We have a decade of work to do here," said Sachs.
Panelists agreed that the "finish" line could be that far away, but the audience was clearly itching for evolution measured in a year or two.
"The industry is a single-cell organism today with pair-wise and bi-lateral federation," said Andre Durand, CEO of Ping Identity. "The [new] multi-cell organism will require a lot of coordination in the ecosystem. Coordination of trusted third parties to broker connections at scale."
Durand said that the past 10 years were about building the basics — mostly protocols — to define use cases. "We are approaching an interesting phase, where those basics are going to be put together in different ways very rapidly. I think we are approaching an explosive moment."
To Durand's point, Mortimore challenged an audience member's notion of a technology problem. "Enterprises are working together today on top of SAML, but the conversation needs to mature," said Mortimore.
SAML is the Security Assertion Markup Language, which was standardized in 2001.
He suggested looking at examples such as the National Strategy for Trusted Identities in Cyberspace (NSTIC), and he said legal and trust framework discussions need to advance.
"People are not quite willing to take liability for doing a bad job. That needs to shift," said Durand.
He also noted that traditional network perimeters need to fall.
"Everything is crossing boundaries and identity has to follow across those boundaries," said Durand. "Third-party identifiers need to be trusted by the organization."
Mortimore said identity needs to take over as the perimeter falls, "but our corporate identities are behind our perimeters and not ready for the cloud".
But he sees the transition to services starting to happen. "The shift comes first to web and cloud apps," he said. Durand added that portable identities, valid outside the issuers' network, are needed to fuel outsourcing.
Barrett gave a historical context to the discussion and admitted the explosion in consumer identity was not originally on the radar.
"[13 years ago with the Liberty Alliance] we realized identity was a hard problem, but what we missed was the value of consumers really managing and driving their own alliances," said Barrett. "SAML 2.0 is still in use within enterprises and between them for a bunch of good reasons. Those use cases are solved, but consumer ID is much more difficult."
Barrett, who headed the Liberty Alliance in the day, urged session attendees to explore a new authentication standard effort he is involved in, called the FIDO Alliance.
Disclosure: I work for the same company as Andre Durand, CEO of Ping Identity.