A surprising number of business, government and technology people have raised authentication and identity management with me in the past two weeks.

Perhaps it was the idea of an identity card hitting the headlines again, or maybe all the noise around e-health.

Whatever the reason, this is no short-term phenomenon: we have reached something of a critical point, as many organisations have no choice but to pull this out of the too-hard basket and take a serious stab at getting it right. More sophisticated online fraud and the omnipresent issue of terrorism are part of the story.

A less dramatic, but more fundamental driver is take-up of online services: greater dependencies have created more exposures.

Those dependencies and exposures are about to be multiplied tenfold by a sharp rise in online connections between businesses, and by new e-government projects in customs, health, immigration and elsewhere.

It is easy to get lost in this subject.

Bring up authentication or identity with 10 people and you will most likely find they all have different perspectives and talk about entirely different systems.

A useful tip is not to get too bound up in the notion of identity.

Everything boils down to one broad, fundamental challenge: that of proving claims, or credentials if you prefer that word, in an online world.

Claims can be about anything: frequent flyer membership, available credit, representing a business, health-insurance status, and so on.

Proving personal identity is just one type of claim, and many claims can be made anonymously.

I think it is useful to consider the challenge in terms of layers.

That gives us some hope of working out where each of hundreds of initiatives fits within the bigger picture.

To my mind, the basic layers include:

  • Hardware/software object authentication.

    So-called trusted computing initiatives designed to assure the integrity and security of operating systems and applications, such as Microsoft's Next-Generation Secure Computing Base, fall into this category. Digital rights management technologies used in music and document distribution also fit in here.

  • Authentication/identity management within organisations.

    The single sign-on projects used in many Australian enterprises, AMP and the Australian Taxation Office being two recently publicised examples, would go here.

  • Authentication/identity management between organisations, and between organisations and customers.

    Two-factor customer authentication schemes, for things such as internet banking, fit here, as would the PKI (public key infrastructure) certificates issued to Aussie exporters when reporting to the Customs service.

    New web services standards such as WS-Security, WS-Trust, and WS-SecurityPolicy are a critical development in authenticating software transactions between organisations.

  • Shared systems.

    The goal of these is to improve convenience for customers and to bring down user costs by cutting out duplication.

    A terrific Australian example in this category is the Internet Industry Association's two-factor authentication trial, which is building a shared customer authentication layer on behalf of a community of interested businesses (e-tailers are an initial focus).

    I understand the big banks have had informal discussions about standardising schemes to simplify life for customers, but this is unlikely to happen soon.

    The global Liberty Alliance and Identrus projects are examples, as is any future National ID Card, reminding us that the more ambitious shared systems can be exceptionally difficult to achieve in practice.

  • Federated systems.

    This is where the intellectual and philosophical debate is at right now.

    The idea is to exploit overlaps between many different systems in industry and/or government, and to apply only the credentials appropriate to each context, such as health record access versus business activity statements for the GST.

    Many discussions involve the use of intermediaries or identity brokers. Once again, the goal is to maximise convenience for people, and minimise duplication of effort for industry.

    Federating, as opposed to consolidating, systems is also aimed at reducing the risk of identity theft.

    Federated systems are a noble cause, but making a bunch of systems interoperate like this is a formidable task.

    Beyond federated systems, a lot of people are searching for some sort of panacea or global architecture for online authentication, but they won't find it, as the opportunity to start with a clean slate is long gone.
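The claims model above (a claim is proven, identity is just one kind of claim, and a federated context asks only for the credentials it needs) can be shown concretely. The following is an added example, not code from the column or from any of the projects it names; it assumes a single issuer whose signature is stood in for by an HMAC, an opaque pseudonym instead of a legal identity, and two constructed context policies ("health_record" and "gst_bas") named after the column's own examples.

```python
import hmac
import hashlib
import json

# Constructed demo key standing in for the issuer's signing key (assumption).
ISSUER_KEY = b"constructed-demo-key-not-for-production"

def issue_claim(subject_handle, name, value, key=ISSUER_KEY):
    """Issuer side: sign one claim on its own so the holder can later present
    it without the others. subject_handle is an opaque pseudonym, so the claim
    proves a fact about the holder without revealing who they are."""
    payload = json.dumps({"sub": subject_handle, "claim": name, "value": value},
                         sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

def verify_claim(signed, key=ISSUER_KEY):
    """Return the claim's contents if the issuer tag is valid, else None."""
    expected = hmac.new(key, signed["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        return None
    return json.loads(signed["payload"])

# Constructed policy: the one claim each context is entitled to ask for.
CONTEXT_POLICY = {
    "health_record": {"health_insurance"},
    "gst_bas": {"represents_business"},
}

def present_for_context(wallet, context):
    """Holder side (selective disclosure): hand over only the claims the
    context's policy names, nothing else from the wallet."""
    wanted = CONTEXT_POLICY[context]
    return [c for c in wallet if json.loads(c["payload"])["claim"] in wanted]

def authorise(context, presented, key=ISSUER_KEY):
    """Relying-party side: every presented claim must verify and must be one
    the context is allowed to see; access is granted only when all required
    claims are present and true. Over-disclosure is rejected, not ignored."""
    wanted = CONTEXT_POLICY[context]
    satisfied = set()
    for signed in presented:
        claim = verify_claim(signed, key)
        if claim is None or claim["claim"] not in wanted:
            return False
        if claim["value"] is True:
            satisfied.add(claim["claim"])
    return satisfied == wanted
```

A tampered claim fails the tag check, a wallet dumped wholesale at a relying party is refused, and neither context ever learns the holder's legal identity.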

Realistically, we can only ever hope to clump things together more and more, in an opportunistic fashion, in the years ahead.

Of course, that's only my way of looking at things.

[e-mail address protected by the site] your thoughts and observations, especially where they differ from mine. I am sure there are tons of interesting perspectives I have missed!

Author: Bruce McCabe

Source: Australian IT, 30.08.2005
