Blue Ocean

One of key challenges in federated authentication network is the establishment of trust between an identity provider (IDP or OP) and relying party websites (RP). In the real world, contractual agreements provide a simple out-of-band mechanism to effectively bind two parties into a trust relationship. When it comes to federated identity networks, peer to peer contracts between many identity providers and a myriad of relying party websites do not provide for a scalable process. Therefore, open federated networks need a trust assurance framework to bootstrap trust between the three parties (the user, the OP and the RP).

The basic idea is that if an OP can be certified to comply with a set of industry best practices, the RP should be able to enter into open identity exchange where both the websites and the consumers are reasonably protected. Of course, a pragmatic trust assurance framework should be flexible enough to support different levels of assurance based on the transaction risk and value. For low assurance Web federation where large brands such as email providers and major social networks dominate as OPs, certification may seem overkill, unless of course, the federation is built on open principles stating that any OP meeting the standard should be able to participate. For high assurance identity, such as payment networks, financial networks or eHealth record exchanges, certification is primordial. In fact, in such environments, both the OP(s) and the RPs need to be certified.

The NIST guideline for electronic authentication is often referenced in the community as a good model for any identity trust framework. The NIST guideline defines four levels of insurance for e-authentication. Each level is deemed appropriate
Depending on transactional risks. Tiered levels of identity assurance are essential to any pragmatic trust framework. Set the bar too high and deployment becomes impractical. Set the bar too low, and the bad guys will have a ball. Justifiably, the NIST guideline provides a solid starting point. Nevertheless, one needs to observe that the framework may be too narrowly focused on user credentialing and credentials strength to provide a complete answer. Open Identity systems cannot ignore the reality of today's Web vulnerabilities, threats and exploits that feed identity theft around the globes such as man in the browser exploits, session hijacking or Web vulnerability driven exploits like mass SQL injections. A trust standard also needs to go beyond security and address the major consumer concerns and political challenges of privacy. When it comes to trusting identities, security, privacy and anonymity are intricately intertwined. Trust in a federated identity Web mandates a holistic approach that looks not only at user authentication but also takes into account the current state of desktop exploits, Web site compromises and most importantly establishes clear and enforceable privacy protection guidelines.

Trusting the OP/RP Websites: web security & business authentication

For low and medium assurance identity transactions, it seems to be that both the OP and RP website security would need to be asserted. There I think, one can learn from Internet security standard such as PCI. Even though the standard is far from being perfect (a euphemism, perhaps), it provides a shared base of security requirements for all websites to engage into ecommerce and securely handle credit card information. If one believes that consumers will require for their personal identity the same level of security as for their credit card, the parallel can be useful. The OP website should then be scanned for network security vulnerabilities; Ports should be closed. Network services should not run outdated or un-patched software; the OP should not be vulnerable to common Web exploits such SQL injections, cross-site scripting (XSS), or Cross-Site Forgery requests (CSRF). For web application vulnerabilities, the OWASP standard that identifies the top 10 Web vulnerabilities provides a useful reference. In addition to security assessment, a set of security best practices should be required. For example, the OpenID profile retained by the federal pilot already specifies that SSL should be part of the deployment profile. Verifying the authenticity and legitimacy of the organization behind the OP is as important as verifying the security of its website. There, a proven model that the industry could re-use is the EV business authentication standard. EV certification already defines a strong process for vetting organizations and it is already widely used across the industry.

Trusting the user: beyond identity verification and credentials

As mentioned, NIST will provide the foundation for user trust assurance (both for runtime and initial authentication of end users). Equally important, however, is to consider that Internet threats have significantly evolved since the NIST framework was initially published. In particular, we need to recognize that one of the main threat vector for identity theft is now malware. An identity trust framework can no longer ignore the potential of a man-in-the browser attacks (Trojans, key-loggers, worms, etc). Knowing whether the end user has any end-point protection (and maybe encouraging websites to introduce out-of-band messages into high assurance identity transactions when such protection is lacking) could be of consideration.

Trusting the transaction: from activity to security streams

Believing that the OP can provide strong identity assurance by simply checking credentials and abandoning the user at the RP front door is a dangerous over-simplification. Because modern exploits often let the user authenticate to commit fraud further down the session, it is important to enable OPs to leverage the knowledge of the end-user and her transaction patterns to identify high-risk conditions. Since we cannot assume the existence of adequate desktop protection (Internet security that exclusively relies on the presence of a client on the user desktop is no more than an academic exercise), high assurance federation models need to enable the use of fraud engines techniques across RPs (most logically, run at the OP although it could be a separate). The ability to create an effective user risk profile across transactions is what has made the credit card networks work. High assurance identity networks are going to need an equivalent (think VISA of identity). An interesting idea could to leverage the concept of activity stream as a real-time fraud detection primitive. A security stream back to the OP (under complete user consent and strict privacy protection) would allow RPs to feed transactional information back to the OP, allowing it to build a complete risk profile of the user across her Internet activities (fraud detection is often based on clustering techniques that measure abnormal deviation from normal behavior). Even without a risk-engine running at the OP, a security activity stream could have tremendous security value if used as a simple identity alert system to notify the user of all ongoing transactions. In high risk cases, the activity stream could trigger an out-of-band consent for the transaction (think of Visa calling you to confirm and authorize a suspicious transaction); it is interesting to think that the social concept of activity stream that is today missing from OpenID (not from Facebook Connect) could actually be used to drive better identity theft protection. With such transactional feedback loop, a security minded OP would be able return a transaction score and possibly a liability guarantee based on the user risk and behavioral profile built over time. Incidentally, interesting new OP business models could emerge (VISA-like: "I will take a cut of the transaction", Credit-Bureau-like: "I will charge you for the score", Insurance-like: "I will take the liability risk").

Ensuring trust across these three dimensions (the organization, the website and the user) is non-trivial. Yet, it is critical to enable consumers worldwide to engage into shared identity interactions with peace of mind across the Internet. Very much like PCI vendors emerged from the existence of a commercial PCI standard, one would hope that Identity trust assurance services could emerge as well since security companies need economic drivers to build great services. One of the key challenges of the standard will be to strike a balance between where to set the security bar to permit a high level of automation for accreditation. Such balance is always hard to strike, but it is also what makes the challenge worthwhile.

Posted by Nico Popp at 9:50 PM | Permalink | Comments (0)

Two weeks ago, I had the privilege to join the OpenID foundation and Information Card boards for a meeting with CIO, Vivek Kundra and his staff at the Whitehouse. The goal was to discuss the forthcoming OpenID pilot and better understand the government commitment to enabling distributed identity on the Web. Undeniably, this was a very interesting and spirited discussion.

A key take home for me was the recognition of identity as the lynchpin to new citizen-centric services, governmental IT cost reduction, and stronger cyber security. For key Obama initiatives such as citizen participation or electronic health records, identity management was described as foundational. Equally impressive was the sense of a holistic and consensual approach towards the broad deployment of trusted digital services across federal, state and local Web sites.

In particular, there is a clear view that the deployment of low level assurance identities is only a critical first step, not an end in itself. With the initial OpenID pilot, the administration is seeking to teach Internet users how to conveniently and confidently re-use their identities across multiple sites. Federation is a new behavior and as such, it requires training. Federal and State web sites will provide an important training ground of relying parties. The government endorsement of OpenID is likely to prove significant. After all, if OpenID is good and secure enough for the government, it should be good and secure enough for most Web sites. Beside, once consumers are comfortable using distributed identities, it becomes possible to alter the login experience by introducing stronger security and identity assurance. This is the ultimate end game since high assurance identity services are pre-conditions to new strategic initiatives.

Consider health care reforms for example. To counter balance the $900B expense that the new Obama plan calls for, electronic health records must come to reality. However, eHealth requires access control across a large and complex ecosystem. Users must be able to register, login and access private data across physicians, hospital, pharmacies, labs, insurance, and employers Web sites. Privacy and security concerns are high on the list. Without high assurance, clear liability models and robust shared identity services, eHealth is a non-starter.

The crawl, walk run approach to identity services that our federal government is taking may prove insightful. By restricting initial interaction to pseudonymous and low assurance level identities, federal web sites instantly provides the industry with a simple test bed to iron out the trust and privacy frameworks necessary to the deployment of large federated identity networks. User experience, privacy policy and security approach that can work for millions of consumers will have to be standardized. The liability elephant that has been haunting the identity discussion rooms will have to be tamed. No doubt that the OpenID foundation, the Information Card foundation and many other have their work cut out for the next few months.

So, keep an eye on the pilot. If all the planets keep aligning, and federated identity can prove to significantly increase user registration, an important chapter in the book of distributed identity systems may be just about to open in front of us.

Posted by Nico Popp at 11:19 AM | Permalink | Comments (0)

Today, Federal CIO Vivek Kundra is announcing the first pilot for its Open identity initiative. The pilot will support both OpenID and Information Card technologies. Initially, it will be conducted by the Center for Information Technology (CIT), National Institutes of Health (NIH), U.S. Department of Health and Human Services (HHS) and other agencies. Over time, over 500 governmental web sites may become Open ID relying parties, potentially, creating one of the largest federated identity network.

Bien sur, VeriSign and the PIP will participate to the pilot as Open ID authentication services. This means that your VeriSign PIP ID will be accepted across participating federal Web sites. Saying that we are proud of being a part of this important announcement would be an understatement. The open identity initiative is a crucial step in President Obama's mandate for open citizen participation on key society issues such as health care, ecology and energy.

The goal is as bold as it is audacious. By embracing open and distributed identity systems, the US government is taking a resolute step towards turning the Web into an organizing engine for participative civic action. Identity is foundational. Making it easy for users to register and participate in government Web sites is smart. Removing obstacle to participation by allowing citizens to manage their digital identity through independent service providers of their choice is inspired. Yes, the tone is definitely right. Civic participation should be based on principles as open as is the Internet that enables it.

User centric identities for a citizen centric Internet? It certainly feels very right to me.

Read our Press Release.

Posted by Nico Popp at 5:05 PM | Permalink | Comments (1)

In the coming years, many websites will contemplate adding strong authentication to accounts login. So far, early adopters for strong authentication have mostly been financial institutions. Since 2005, banks and brokerage firms have had had little choice than following the FFIEC guidance. This 2005 regulated mandated a move to stronger credentials than just name and passwords. Today, SAAS providers and large consumer Web sites are increasingly suffering brand exposure and public scrutiny following high visibility attacks (here and there). With increasing reliance on the cloud to host mission critical applications and sensitive data for enterprises and consumers, I would expect many large online services to begin offering stronger login options to their user base.

Interestingly, the FFIEC deployment of multi-factor solutions such as chase.com or bankofamerica.com give us some insight into the type of technology that are likely to be adopted by non financial service providers. Multi factor authentication essentially relies on a cookie as the second factor (the cookie is "what you have"). Coupled with a backend anomaly engine, the client side cookie is used as a "persistent" device identifier. Cookies as device IDs are alluring because they work across all browsers; they do not require any new client install on the user desktop; cookies are transparent to the end user, and most importantly, they do not cost anything. Since cookies could become prevalent as a "second factor" for web login, it is important to be aware of the security limitations and risk that they represent.

The first issue with cookies is their lack of persistence. Statistics show that users very often reset their cookie. This leads to the challenge of "cookie re-issuance" or cookie reset. This problem is roughly equivalent to password reset which, as many recognize, is the Achilles' heel of login. The alternative is not pretty. Either you make the reset process stringent and secure and it becomes a hassle to the end-user; or you make the process relatively easy, and it leads to very simple attacks. In short, the lack of persistence of cookie as device ID will trigger many cookie re-issuance events. Since high frequency life-cycle events cannot be made too complex without frustrating customers, the high frequency of cookie reset will inexorably lead to simple procedures. In turn, these simple procedures will inevitably open the door to a broad range of attacks.

The second class of problem with cookies is that they can easily be stolen using remote attacks such as cross-site scripting (XSS). XSS is a vulnerability that lets the attacker overcome the same origin policy enforced by all modern browsers. The policy circumvents scripts loaded from one domain to access content from another domain. XSS vulnerabilities effectively allow an attacker to execute scripts in the context of the vulnerable domain, hence overcoming the same origin safeguard in the browser. All the attacker needs to do is to exploit this vulnerability by crafting a request parameter value along the lines of . Since this gives the attacker unlimited access to any cookies of the website, DOM content, etc., this is considered one of the most serious vulnerabilities out there. The key about this type of cookie attack is that it can be launched remotely. In other words, an attacker can get to a user cookie without the user machine being compromised by malware. Add malware on the user machine, and cookies as a device ID become a recipe for disaster. In that case, cookies and machines fingerprints can be harvested and sent to the bad guys without the user ever noticing anything.

The increasing reliance on a silent device ID that does not impact the user experience is a logical approach to strengthening authentication on the Web. It is only the absence of alternative to cookies that is leading web engineers to leveraging them for authentication. Cookies were not invented for such purpose. As my sweet-tooth daughter would eloquently put it: the world need better cookies. Eventually, we do need stronger, more persistent devices ID that can be deployed across fixed and mobile devices, competing operating systems and browser platforms. These strong device IDs can be shared secrets, asymmetric key pairs or device certificates. The technology clearly exists but we lack a common deployment framework for device IDs (open client, common user experience, shared ID security stack, hardware protection too) .That is typically where the industry does it best work. Everyone needs it. Everyone will benefit from it. No one can do it alone.

The common need for open standard, open stack and open policies to deal with strong, persistent and privacy-conscious device IDs will inevitably lead to a joint effort. As cookies start crumbling across websites, security experts will get together and the urgency for collaboration will come to bear. In the meantime, when access security really matters, I will keep using my one time password token. If only, I could remember where I left it.

Posted by Nico Popp at 8:12 AM | Permalink | Comments (0)

Although the managed security services (MSS) is a relatively well understood and mature market, a few innovating startups are beginning to challenge the current structure of perimeter security. The interesting question at hand is whether the rapid emergence of cloud computing and the de-centralization it engenders challenge the whole notion of perimeter security, forcing our industry to re-invent today's approach to managed security services.

Today's managed security service providers (MSSPs) essentially offer perimeter security management outsourcing. Customers still have to buy and deploy in-premise security equipment such as firewalls, IPD, IDS and the rest. The tedious day to day management and continuous policy process is delegated to the cloud, but the security boxes remain. From that standpoint, todays managed security services fall short from moving the infrastructure cost and complexity of perimeter security to the cloud.

This brings the question of what happens to perimeter security when enterprise mission critical data and applications start migrating off the IT network to the cloud? How does an enterprise create, enforce and maintain security, access and auditing policies in a world where sales data reside at SalesForce.com, and departmental applications are running on Google App engine, Microsoft Azure or Amazon EC2? In short, what does perimeter security mean when the perimeter extends beyond the familiar boundaries of today's corporate network?

One approach is for SalesForce, Microsoft, and Google to create a home-grown perimeter security management service, on top of their respective cloud infrastructure. Of course, the PAAS (Platform as a Service) vendors will have to enable their cloud perimeter to be flexible enough to adjust to policy requirements as diverse as their customer base. Of course, since applications will migrate across machines depending on load, these polices need to be able to follow the data and applications across data-centers, servers and virtual machine slices dynamically. In many ways, this means that perimeter security has to be virtualized in the same ways as the virtualized data and applications that they are attempting to protect. The problem with this model is to force PAAS providers to go beyond their initial core competency. To go from Web services infrastructure providers driven by large economy of scales, to full IT infrastructure security & compliance provider. That is a lot of complexity and competency to absorb, even for a Google or a Microsoft.

Another model would be for the PAAS to think as a true platform provider and enable specialized security vendors to start building such services on top of their platform. In that model, MSSPs would start building virtualized, multi-tenant perimeter infrastructure on top of their favorite PAAS, and then, sell perimeter security as a service within these environments to their customer base. Obviously, this would require a different platform than the current MSS infrastructures. Moreover, MSS providers would have to adapt to each specific PAAS, forcing them to make strategic choices and restrict them to a few partners, who may not fit what their customers want in the first place.

The last alternative would be the emergence of standalone network security services in their own cloud (separate from the PAAS). The new security cloud would acts as a virtual perimeter by funneling, inspecting, filtering and policing all traffic. Think of the perimeter as dissolving and being replaced by a defense network that consistently protects all corporate network assets independently of where these assets live: within an enterprise, within a SAAS, within a PAAS. For the same reason that Web application software tends to be very different than security software (industry consolidation aside), it would enable cloud providers to focus on what they do best: a cloud to build and deploy custom apps, a cloud to secure them. For the customer, it would enable one single set of policies to be defined, implemented and enforced in a single place independently of the where network application and data actually reside (inside or outside the enterprise).

This is somewhat similar to the concept of "clean pipe" that many MSSPs have been contemplating for several years. The difference is that the move to the cloud and SAAS becomes the compelling driving force that shifts today's legacy deployment model of network perimeter security towards a true in-cloud model. The exact timing of such transition remains unclear, but if one believes that cloud computing is an unstoppable trend, perimeter security may be due for significant transformation in the years to come.

Posted by Nico Popp at 9:29 AM | Permalink | Comments (1)