Identity Assertion – A New Risk for Your Corporate User Information
Identity and identity management have become hot topics. In the web world, identities have emerged as the way we manage our online relationships when they move beyond generic information and into a more defined place. While many of us have dozens or even hundreds of identities, they are not created nor used equally. There seem to be three specific kinds of identities in the web world:
- Trust Identities – Trust identities are identities that exist exclusively between two parties and are specific to the relationship between those two parties. A good example of a Trust Identity is the identity used to initiate an interaction with your bank or a site like eBay. Most people have many Trust Identities, and they make up the bulk of any individual's identities.
- Representation Identities – A representation identity is a specific identity that you allow to represent you openly as a place people can come to connect to you. An email address, a phone number or an account on an application with an identity API would be good examples. Social applications like Facebook and LinkedIn are emerging as Representation Identities for many users. In contrast to Trust Identities, most users have a relatively small number of representation identities.
- Assertion Identities – An Assertion Identity is an identity you can use with a web site to assert your ownership of a recognized singularity that can be associated with you virtually. A good example of an assertion identity is email or a phone number. Both can be used to validate the assertion that you control that uniqueness. Most Representation Identities can and often are also used as Assertion Identities.
For most users, an Assertion Identity is used in the process of establishing a Trust Identity, to validate you in some way to the other trust party. The challenge is that the explosion in identities, and the passwords and security challenges that come with them, has become a nightmare for many users. While there are password management applications, more and more active web identities like Facebook or LinkedIn are becoming the assertion identity of choice. The benefit is that the assertion identity's password and security parameters can be reused across a range of Trust Identity sites. This effectively eliminates the multiplicity of identity names and passwords by using the single assertion identity as the Trust Identity.
The problem that is emerging is that by using a social Assertion Identity like Facebook, the Assertion Identity provider is now a party to all the Trust interactions with the third party. The potential issues were identified this week in an article on Fast Company that details how activity trackers and others can use the Facebook Identity Assertion to correlate your activity on that trusted site with other activities and data. For example, when you go to the bank, that activity can be associated with other data about you such as email, income, address, etc.
For organizations this is becoming a significant challenge. If company users rely on a Facebook Assertion Identity for their use of a range of web or cloud-based applications, that usage may inadvertently compromise information in the identity process.
The obvious answer is for companies to prohibit the use of Assertion Identities that enable tracking and other data extraction by third parties. The problem is that this moves users back to the password world, where the burden of many passwords undermines both usability and security. As we move more of the business IT infrastructure to the cloud, the problem is becoming more significant.
The solution may lie in using social-based Assertion Identities that commit to not enabling tracking (LinkedIn?) or in simply using email addresses. But both come with challenges: relying on third parties not to monetize information derived from Assertion Identities, or the complexity of a large number of distinct user IDs and passwords. The potential explosion in communications and collaboration applications, without reasonable federation, exacerbates this issue and brings it into the BC and collaboration space. Across those solutions, the capability for guest access directly to an application or service that is not part of the enterprise increases the number of new identities that many users will have, driving users toward an Assertion Identity like Facebook.
For both the IT and security teams, this is an area that requires analysis, policy and potentially solutions as well. Understanding how your users are asserting identities as they access and use the plethora of cloud applications and services is crucial to understanding the potential for compromise through tracking or other technologies that are enabled by using open social Assertion Identities operated by companies that monetize user information for revenue. The process of monetizing your users' data may not align with either your corporate or security policies.
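The first step the article calls for is knowing which social Assertion Identities your users actually sign in with, and to which cloud services. The script below is an added example, not part of the original article, of building that inventory from web-proxy logs: it recognizes OAuth/OpenID Connect authorization requests sent to social identity providers and records, per provider, which relying party (the host in the `redirect_uri` parameter) each user signed into. The log format (`<timestamp> <user> <method> <url>`), the log lines themselves and the endpoint table are constructed for illustration and should be checked against your own proxy format and the providers' current documentation.

```python
"""Inventory which social Assertion Identities users rely on, from proxy logs.

Added example (not from the original article). It scans web-proxy log lines
for OAuth/OpenID Connect authorization requests sent to social identity
providers and records which relying party (the redirect_uri host) each user
was signing into through which provider.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Authorization endpoints of providers commonly used as Assertion Identities.
# Assumed/illustrative table: verify against your estate and provider docs.
ASSERTION_IDP_ENDPOINTS = {
    ("www.facebook.com", "/dialog/oauth"): "Facebook",
    ("www.linkedin.com", "/oauth/v2/authorization"): "LinkedIn",
    ("accounts.google.com", "/o/oauth2/v2/auth"): "Google",
}

# Constructed proxy log lines (not real traffic).
# Assumed format: "<timestamp> <user> <method> <url>".
SAMPLE_PROXY_LOG = """\
2024-01-10T09:01:12Z alice GET https://www.facebook.com/v12.0/dialog/oauth?client_id=111&redirect_uri=https%3A%2F%2Fcrm.example-saas.com%2Fauth%2Fcallback&scope=email
2024-01-10T09:02:40Z alice GET https://crm.example-saas.com/dashboard
2024-01-10T09:05:03Z bob GET https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=222&redirect_uri=https%3A%2F%2Fevents.example-vendor.net%2Flogin%2Flinkedin
2024-01-10T09:07:55Z carol GET https://www.facebook.com/v12.0/dialog/oauth?client_id=333&redirect_uri=https%3A%2F%2Fsurvey.example-tools.io%2Fcb
2024-01-10T09:09:10Z dave GET https://sso.corp.example/adfs/ls/?wa=wsignin1.0
"""


def classify_request(url):
    """Return (provider, relying_party_host) if url is a social-login
    authorization request to a known provider, otherwise None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for (idp_host, idp_path), provider in ASSERTION_IDP_ENDPOINTS.items():
        # Facebook prefixes the path with an API version (/v12.0/dialog/oauth),
        # so match on the path suffix rather than exact equality.
        if host == idp_host and parts.path.rstrip("/").endswith(idp_path):
            query = parse_qs(parts.query)  # parse_qs percent-decodes values
            redirect = query.get("redirect_uri", [""])[0]
            rp_host = (urlsplit(redirect).hostname or "").lower()
            return provider, rp_host or "<no redirect_uri>"
    return None


def audit_proxy_log(log_text):
    """Map provider -> relying-party host -> set of users who signed in that way."""
    report = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _timestamp, user, _method, url = fields
        hit = classify_request(url)
        if hit:
            provider, rp_host = hit
            report[provider][rp_host].add(user)
    return {provider: dict(rps) for provider, rps in report.items()}


if __name__ == "__main__":
    for provider, rps in audit_proxy_log(SAMPLE_PROXY_LOG).items():
        for rp_host, users in rps.items():
            print(f"{provider:10} -> {rp_host:30} users: {sorted(users)}")
```

Run against the sample, the report shows two Facebook-backed relying parties (a CRM and a survey tool) and one LinkedIn-backed one, while the corporate ADFS sign-in is ignored because it is not a third-party Assertion Identity. The same classification can be applied to a SIEM or proxy export to feed the policy discussion: which external services are only reachable through a monetizing provider, and whether email-based or federated alternatives exist for them.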