Identity Laws to Live

By John Pallatto  |  Posted 2005-05-10

Microsoft Expert Lays Down 7 Laws of ID Management

SAN FRANCISCO—The public is suspicious of most computerized identity verification systems because they are based on a jumble of policies and technologies that in many cases leave them vulnerable to identity theft, according to Kim Cameron, identity and access architect with Microsoft Corp.

Cameron, speaking at the Digital ID World Conference here, said the computer industry shouldn't be surprised that the public has a fundamental distrust of computer passwords and log-on procedures because they provide so many opportunities to expose personal information and assets.

Part of the problem is that companies ask people over and over again to provide personal information to gain access to essential services, he said.

People are increasingly displaying identity "beacons" when they turn on their cell phones, personal digital assistants or PCs, Cameron said.

Recently, national, state and local governments have proposed using RFID (radio-frequency identification) systems as identity verification systems.

Such beacons provide an opportunity for tracking individuals' activities and possibly stealing identities, and people have a right to know when they present such beacons and to decide whether they want to assume the risk, Cameron said.

The public has been conditioned to indiscriminately disclose "credentials and personal identifying information into any form that appears on their screen," Cameron said. "And then we make fun of them for being subject to phishing."

That's because identity management policies have been a "kludge and a patchwork" that presents "no consistent way for anyone to do anything and to learn what is right and what is wrong," Cameron said. As a result, phishing and pharming identity-theft scams are increasing at a 1,000 percent compound annual growth rate, he claimed.

What the industry needs is an identity management "metasystem" that provides common and consistent methods for online identity management, he said. But to establish effective metasystems, the computer industry and corporate IT departments must adhere to seven fundamental laws of identity management when developing network and application access systems, Cameron said.

The Seven Laws of Identity

  1. The user must control and give consent to disclosure.
  2. There should be minimal disclosure for limited use of personal information.
  3. Digital identity systems must limit information disclosure to parties having a necessary and justifiable need to know.
  4. Identity metasystems should be designed to work effectively with both public and private entities or relationships.
  5. Identity metasystems should support multiple identity technologies from multiple providers.
  6. Provide clear human-system communications.
  7. Provide a consistent experience.


    At the top of the list is the requirement that the user control and give consent to the information disclosure. That means using a process that is convenient and simple enough to reassure users that they are in control of the identity management process and understand how much they need to disclose, Cameron said.

    Such processes are likely to succeed and endure because they earn the users' trust, he said.

    The second law states that there should be minimal disclosure of personal information, for very limited and targeted use, according to Cameron.

    Both users and information systems managers should consider breaches of identity information to be inevitable. As a result, the identity verification system that "discloses the least identifying information and best limits its use is the most stable long-term solution," he said.

    The reduced amount of information disclosed means there is less implied value, and therefore these systems present less of an attraction to identity thieves and a reduced risk of theft, he said.

    The third law states that identity systems must limit disclosure of personal information only to those that have a clearly justifiable need to know.

    The user must know whom the information is being shared with and must have a clear idea of how it's going to be used. If personal information is going to be used for any purpose beyond identity verification, or to establish a business relationship with an individual, that must be disclosed to the user, he said.

    Cameron's seventh law says identity systems need to provide a consistent experience across multiple applications or line networks to make them easy and convenient. But they also have to be sensitive to users' sense of integrity and privacy, he said.

    For example, a company might provide a standard log-in procedure for multiple corporate applications. But it will likely experience resistance from users if the same log-on provides access to their 401K retirement accounts, Cameron said, because users will feel that it's more likely that their employer will gain access to their accounts and discover their investment choices.

    "By following the laws of identity we can build an identity metasystem that can be very widely accepted and enduring," he said.
