Microsoft Expert Lays Down 7 Laws of ID Management

The computer industry needs to create a consistent "metasystem" for identity verification, says a Microsoft network access architect.

SAN FRANCISCO—The public is suspicious of most computerized identity verification systems because they are based on a jumble of policies and technologies that in many cases leave them vulnerable to identity theft, according to Kim Cameron, identity and access architect with Microsoft Corp.

Cameron, speaking at the Digital ID World Conference here, said the computer industry shouldn't be surprised that the public has a fundamental distrust of computer passwords and log-on procedures because they provide so many opportunities to expose personal information and assets.

Part of the problem is that companies ask people over and over again to provide personal information to gain access to essential services, he said.

People are increasingly displaying identity "beacons" when they turn on their cell phones, personal digital assistants or PCs, Cameron said.

Recently, national, state and local governments have proposed using RFID (radio-frequency identification) systems as identity verification systems.

Such beacons provide opportunity for tracking individuals' activities and possibly stealing identities, and people have a right to know when they present such beacons and to decide whether they want to assume the risk, Cameron said.

The public has been conditioned to indiscriminately disclose "credentials and personal identifying information into any form that appears on their screen," Cameron said. "And then we make fun of them for being subject to phishing."


That's because identity management policies have been a "kludge and a patchwork" that presents "no consistent way for anyone to do anything and to learn what is right and what is wrong," Cameron said. As a result, phishing and pharming identity-theft scams are increasing at a 1,000 percent compound annual growth rate, he claimed.

What the industry needs is an identity management "metasystem" that provides common and consistent methods for online identity management, he said. But to establish effective metasystems, the computer industry and corporate IT departments must adhere to seven fundamental laws of identity management when developing network and application access systems, Cameron said.

The Seven Laws of Identity

1. The user must control and give consent to disclosure.
2. There should be minimal disclosure for limited use of personal information.
3. Digital identity systems must limit information disclosure to parties having a necessary and justifiable need to know.
4. Identity metasystems should be designed to work effectively with both public and private entities or relationships.
5. Identity metasystems should support multiple identity technologies from multiple providers.
6. Provide clear human-system communications.
7. Provide a consistent experience.


John Pallatto

John Pallatto has been editor in chief of QuinStreet Inc.'s eWEEK.com since October 2012. He has more than 40 years of experience as a professional journalist working at a daily newspaper and...