Tuesday, September 30, 2008

The Managed Identity Services brick wall

I've been wondering if each data loss incident is a brick in this wall I'm referring to, so I thought I should take a closer look.

I read about a survey today (I'm all for surveys at the moment) that found at least 80% of the British public don't trust companies to hold their personal details securely. Apparently, 89% also think that repeated incidents should be a criminal offence.

Here are a few tidbits:
  • Most think there should be no second chances for data loss offenders.
  • Most don't think they'll want to give up any information to a company that has had a data loss incident.
  • Half think the single worst offender is the UK Government.
  • Most people don't do a thing to protect their information with some not even knowing how to ensure the security of their online transactions.
I didn't list all the findings, but basically people don't see it as being their problem. They believe it should be up to companies to ensure security.

This survey is UK centric, so I dare say the same numbers don't apply across the rest of the world (thanks to the UK Government's well publicised, regular data loss incidents in recent times). But I don't think the perceptions will be too different elsewhere, although the figures may be a little less drastic.

I'm not trying to focus on consumer perception as such. What I'm trying to link up is the fact that decision makers within organisations are also consumers, which means these perceptions matter in the enterprise solution marketplace.

This is one of the things I'm trying to get a better handle on through the Managed Identity Services Survey. What's the big stumbling block stopping people from outsourcing anything where it involves enterprise identity details? Do people automatically equate "identity" with "personal data"? It's a rhetorical question because I think we do. As I've said before in the past, it's mostly psychological but that means everything and makes outsourcing Identity Management a "hard sell".

I should probably cover my bases and mention that there's typically also the concern that external people are able to have access to your enterprise identity information if you outsource any identity-related services, but this is really a moot point. Who's to say your insiders are any more trustworthy than the employees of the service provider (yes I know we could argue this point back and forth and get nowhere - the point is that internal people should not be trusted either, because that's usually how data leaks)? Matt Flynn's also pointed out in the past that whenever you have external consultants working on your internal systems, they too have access to all your precious identity information. In other words, this is a stupid point to be debating. Internal or external, someone is going to look at it and you should assume they are a security risk (even if they don't mean to be)...which is where data security measures come in, but that's a topic for another day.

Now that we've conveniently parked that debate, we can address the other typical concern: the storing of identity information on infrastructure that is not controlled and/or owned by the organisation. Is there actually a good reason to be so concerned about letting enterprise identity details be stored outside of the organisation? Consider the following...

I'm going to pick on the poster-child for Software as a Service (SaaS), SalesForce. I do this because they are the extreme case in that everything is completely hosted and managed by SalesForce. An organisation that uses SalesForce does not own any of the infrastructure. In fact, it's completely exposed to the Internet. How much more of an exposed example can you get? Organisations simply log in and use the software. Also, more often than not when you speak to someone about using SalesForce, the concern over sensitive company details being held in an environment not owned by the organisation and being potentially accessed by external people doesn't come into play. If you ask them, they typically say something along the lines of: "oh but that's all just CRM information".

Think about that statement for a moment. Now, can anyone seriously tell me there's not a S*&%-load of personal data in there? SalesForce is primarily used as a CRM platform, which means that it's full of contact details! Things like: name, job title, employer, business address, phone numbers and email addresses at a minimum. I'm not even including all the other bits and pieces companies might store against each record. For example, the notes may include things like "this guy is an idiot but he signs the contract so be extra nice".

Let's move on to the type of information companies REALLY NEED to be holding in their enterprise identity stores: Unique identifier (usually an email address or employee number), authentication credentials (e.g. encrypted or hashed passwords - if you have passwords in clear text someone should be fired), group (or role) memberships, applications that employees have access to and the corresponding privileges (or entitlements) for each application. You don't even REALLY need someone's name, although most of the time it's stored for display purposes. We could extend this set to include things like manager, department, applicable workflows and so on. A lot of this is dependent on the identity service in question and the business logic involved, which is why on occasion you might see things like salary floating around (although this is not exactly a good thing - you really should be using a third party service that spits out an assertion that "their salary is above $40,000" instead of "salary=$49,890").
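To make the minimal identity record and the "assertion instead of value" idea concrete, here is an added example (not code from the original post): an HR-style record is projected down to only the fields an identity store needs, the password is replaced with a salted hash, and a constructed stand-in for a third-party assertion service answers "salary above 40,000?" with a signed yes/no claim that never carries the salary itself. The field names, the sample HR record, the HMAC-based claim signing and the `may_use_bonus_app` rule are all assumptions made for illustration.

```python
"""Added example, not code from the original post: a minimal identity record
that holds only what authorisation needs, with a hashed credential, plus a
constructed stand-in for the 'assertion service' the post describes (it
answers 'salary is above 40,000' without ever releasing the salary itself).
Field names, the sample HR record and the service are all assumptions."""
import hashlib
import hmac
import os
from typing import Optional

# What the identity store may hold: identifier, display name, memberships and
# entitlements. Everything else is dropped on the way in.
ALLOWED_FIELDS = {"identifier", "display_name", "groups", "entitlements"}

# Constructed sample HR record, the kind of source one is tempted to copy
# wholesale into the identity store.
SAMPLE_HR_RECORD = {
    "identifier": "e12345",
    "display_name": "A. Example",
    "password": "correct horse battery staple",
    "groups": ["staff", "sales"],
    "entitlements": {"crm": ["read", "write"], "payroll": []},
    "salary": 49890,                 # does not belong in the identity store
    "home_address": "1 Example St",  # nor does this
    "date_of_birth": "1970-01-01",   # nor this
}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Salted PBKDF2-SHA256; the clear-text password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_identity_record(hr_record: dict) -> dict:
    """Project an HR record down to the minimal identity record.

    Only ALLOWED_FIELDS are copied and the password is replaced by its hash.
    Salary, address, date of birth and anything else personal stay in HR.
    """
    record = {k: v for k, v in hr_record.items() if k in ALLOWED_FIELDS}
    if "password" in hr_record:
        record["credential"] = hash_password(hr_record["password"])
    return record


class AssertionService:
    """Constructed stand-in for a third-party attribute service.

    It keeps the sensitive value and hands out signed yes/no claims about it,
    so the identity store and the relying application only ever see the
    answer, never the number. HMAC with a shared key stands in for whatever
    signature scheme a real service would use.
    """

    def __init__(self, salaries: dict, key: Optional[bytes] = None):
        self._salaries = salaries
        self._key = key if key is not None else os.urandom(32)

    def salary_above(self, identifier: str, threshold: int) -> dict:
        result = self._salaries.get(identifier, 0) > threshold
        claim = f"{identifier}|salary_above|{threshold}|{result}"
        sig = hmac.new(self._key, claim.encode(), "sha256").hexdigest()
        return {"claim": claim, "result": result, "signature": sig}

    def verify(self, assertion: dict) -> bool:
        """A relying party checks that neither the claim nor the result was altered."""
        claim = assertion["claim"]
        expected = hmac.new(self._key, claim.encode(), "sha256").hexdigest()
        return (hmac.compare_digest(expected, assertion["signature"])
                and claim.endswith(f"|{assertion['result']}"))


def may_use_bonus_app(identity: dict, service: AssertionService) -> bool:
    """Authorisation rule needing 'in sales' and 'salary above 40,000', never the salary."""
    assertion = service.salary_above(identity["identifier"], 40_000)
    return ("sales" in identity["groups"]
            and service.verify(assertion) and assertion["result"])
```

Running `build_identity_record(SAMPLE_HR_RECORD)` yields a record with five keys (identifier, display name, groups, entitlements, credential) and no salary, address or date of birth, while `may_use_bonus_app` reaches its decision from the group membership and the signed claim alone. In a real deployment the assertion service would sign with its own key and the relying party would verify with the matching public key; the shared HMAC key here is only to keep the example self-contained.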

I may be over-simplifying here, but this post is long enough as it is so I don't want to put you all right to sleep (or maybe you already are). My point is that at the very basic level, identity stores don't need to contain personal information. They only need to contain information relevant for determining the correct authorisation levels an individual needs to do their job (to be governed by compliance policies which on their own do not store personal details either - at least none that can be tied to an individual). And as far as authentication is concerned, if you're not comfortable having things like credentials stored externally, you could always use Federation (and I don't mean the Star Trek kind).

In short, if you model your identity and access control models correctly, you can do it without personal details. And even if some personal details do creep into the identity stores for legitimate business reasons, it's unlikely to hold more information than one would find in a CRM contact record. What does this boil down to? Your identity stores shouldn't contain more personal data than SalesForce!

Here's where I think the core of the perception problem is:
  1. The Media - They link EVERYTHING about personal data to the word "identity", usually throwing the word "identity theft" around as a catch all because they don't understand enough about the subject matter. Those of us in the field know it's a stupid term because you can't steal a person's identity. You just commit fraud by stealing personal data. Of course, even those who know better can't help but be sucked into the whole thing when all we hear about (other than the credit crisis) is data loss and identity theft. When will they understand identity DOES NOT equal personal data?
  2. Lazy consultants - They look at the HR system and just suck EVERYTHING out of there because it's easier. They make the false assumption that data is safe within an organisation's walls and that some of the information might be required later on so they're saving everyone lots of work by making it available up front. Well, they're not because there's now an additional egress point for data to leak from, which means more work (and cost) is required to secure that information. Because of lazy consultants, you've now got systems all over the place that HAVE personal data. So anytime a person looks at an "identity system", they see personal details all over the place and automatically assume that's the way it has to be.
  3. People are self centred, even when they don't mean to be - Employee details aren't typically stored within CRM systems. In other words, the decision maker doesn't care because their own details aren't sitting on SalesForce's infrastructure. When it comes to an identity store however, they immediately think: "hang on a minute, that's my identity information sitting there! There's not a chance in hell I'm letting my details sit within a service provider's environment or let an employee of an outsourcing provider look at them!"
To summarise:
  • Consumer perception and fear of data loss directly contribute to organisational fears about outsourcing identity management.
  • Identity stores do not need to contain personal data (unless authorisation rules dictate - even so, there are other ways like leveraging assertion services).
  • Identity != Personal Data
Of course, if you aren't even allowed to use outsourced services or software because corporate policies forbid the storage of data on infrastructure not directly owned and under the control of the organisation, then you have a whole other problem. You should probably take the time to question the underlying reasons for this policy however. For example, was it written over 5 years ago and based on fear? Was this fear valid or based on paranoia? Should it be changed? If so, can it be changed or does your organisation submit to the "if it ain't broke don't fix it" mantra?

Are there other factors at play here? Are there "different coloured bricks" in this wall that you're concerned about?

Let me know by completing the survey! Or if that's too difficult, then just leave a comment.
