Microsoft Expert Lays Down 7 Laws of ID Management

By John Pallatto  |  Posted 2005-05-10

The computer industry needs to create a consistent "metasystem" for identity verification, says a Microsoft network access architect.

SAN FRANCISCO—The public is suspicious of most computerized identity verification systems because they are based on a jumble of policies and technologies that in many cases leave users vulnerable to identity theft, according to Kim Cameron, identity and access architect with Microsoft Corp. Cameron, speaking at the Digital ID World Conference here, said the computer industry shouldn't be surprised that the public has a fundamental distrust of computer passwords and log-on procedures, because they provide so many opportunities to expose personal information and assets. Part of the problem is that companies ask people over and over again to provide personal information to gain access to essential services, he said.

People are increasingly displaying identity "beacons" when they turn on their cell phones, personal digital assistants or PCs, Cameron said. Recently, national, state and local governments have proposed using RFID (radio-frequency identification) systems as identity verification systems. Such beacons provide opportunities for tracking individuals' activities and possibly stealing identities, and people have a right to know when they present such beacons and to decide whether they want to assume the risk, Cameron said.

The public has been conditioned to indiscriminately disclose "credentials and personal identifying information into any form that appears on their screen," Cameron said. "And then we make fun of them for being subject to phishing."

That's because identity management policies have been a "kludge and a patchwork" that presents "no consistent way for anyone to do anything and to learn what is right and what is wrong," Cameron said. As a result, phishing and pharming identity-theft scams are increasing at a 1,000 percent compound annual growth rate, he claimed.

What the industry needs is an identity management "metasystem" that provides common and consistent methods for online identity management, he said. But to establish effective metasystems, the computer industry and corporate IT departments must adhere to seven fundamental laws of identity management when developing network and application access systems, Cameron said.

The Seven Laws of Identity
  1. The user must control and give consent to disclosure.
  2. There should be minimal disclosure for limited use of personal information.
  3. Digital identity systems must limit information disclosure to parties having a necessary and justifiable need to know.
  4. Identity metasystems should be designed to work effectively with both public and private entities or relationships.
  5. Identity metasystems should support multiple identity technologies from multiple providers.
  6. Provide clear human-system communications.
  7. Provide a consistent experience.
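The first four laws describe what a well-behaved identity selector does when a relying party asks for claims. The following is an added example, not code from the article or from Microsoft's own identity metasystem work, showing one way those laws translate into logic: the user consents per claim (law 1), a derived "over 18" claim is released instead of the raw birthdate (law 2), claims are released only where the stated purpose justifies them (law 3), and the relying party receives a per-relationship identifier rather than a global "beacon" that lets unrelated sites correlate the same person (law 4). The user record, relying-party domains, master secret and purpose allowlist are all constructed for illustration.

```python
"""Toy identity selector applying Cameron's laws 1-4 to a claims request.

Added example; nothing here is taken from the eWEEK article or from any
Microsoft implementation. Assumptions (all hypothetical):
  - a relying party (RP) is identified by its domain name
  - the identity provider holds the user's full claim record
  - the RP names the claims it wants and a single purpose
"""
import hashlib
import hmac
from datetime import date

# Constructed sample data: the user's full record held by the identity provider.
USER_RECORD = {
    "name": "Alice Example",
    "email": "alice@example.invalid",
    "birthdate": date(1980, 6, 15),
    "postal_code": "94105",
}

# Hypothetical master secret known only to the identity provider / selector.
MASTER_SECRET = b"constructed-master-secret-do-not-reuse"

# Law 3 (justifiable parties): which claims each purpose can justify at all.
PURPOSE_ALLOWLIST = {
    "age-gate": {"over_18"},
    "shipping": {"name", "postal_code"},
    "newsletter": {"email"},
}


def directed_identifier(rp_domain: str, secret: bytes = MASTER_SECRET) -> str:
    """Law 4 (directed identity): a stable, per-relying-party identifier.

    HMAC(secret, rp_domain) gives each relationship its own handle. Two RPs
    comparing notes cannot link the handles, unlike a fixed global ID
    broadcast to every site (the "beacon" the article warns about).
    """
    msg = rp_domain.strip().lower().encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def derive_claim(name: str, record: dict, today: date):
    """Law 2 (minimal disclosure): release a derived claim where one suffices."""
    if name == "over_18":
        bd = record["birthdate"]
        # Subtract one year if the birthday has not yet occurred this year.
        years = today.year - bd.year - ((today.month, today.day) < (bd.month, bd.day))
        return years >= 18
    return record[name]


def build_token(rp_domain: str, requested, purpose: str, consent, today=None):
    """Assemble the token the RP receives, applying laws 1-4.

    consent: claim names the user explicitly approved (law 1: user control).
    Returns (token, refused); refused lists requested claims not released.
    """
    today = today or date.today()
    allowed = PURPOSE_ALLOWLIST.get(purpose, set())
    released, refused = {}, []
    for name in requested:
        # A claim is released only if the purpose justifies it AND the user consented.
        if name not in allowed or name not in consent:
            refused.append(name)
            continue
        released[name] = derive_claim(name, USER_RECORD, today)
    token = {
        "sub": directed_identifier(rp_domain),  # pairwise, not a global beacon
        "aud": rp_domain,
        "purpose": purpose,
        "claims": released,
    }
    return token, refused


if __name__ == "__main__":
    # An age-gated shop asks for more than it needs; only over_18 goes out.
    tok, refused = build_token(
        "shop.example", ["over_18", "birthdate", "email"], "age-gate",
        consent={"over_18", "email"}, today=date(2005, 5, 10),
    )
    print(tok)
    print("refused:", refused)
    print("same user, different RP:", directed_identifier("bank.example"))
```

Note that "email" is refused even though the user consented to it: consent alone is not sufficient under law 3 if the purpose does not justify the claim. The "sub" values for shop.example and bank.example differ, so neither site can tell from the identifier that they are talking to the same user.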

    John Pallatto is eWEEK's Managing Editor, News/West Coast. He directs eWEEK's news coverage in Silicon Valley and throughout the West Coast region. He has more than 35 years of experience as a professional journalist, which began as a reporter with the Hartford Courant daily newspaper in Connecticut. He was also a member of the founding staff of PC Week in March 1984. Pallatto was PC Week's West Coast bureau chief, a senior editor at Ziff Davis' Internet Computing magazine and the West Coast bureau chief at Internet World magazine.
