Cloud, Web 2.0 and Identity Management

Cloud Computing is an attractive way to use software in support of the government’s mission. As a topic in IT circles, it certainly gets a lot of ink, and with the promise of lowering the cost of ownership of commodity-based services such as e-mail it is definitely top of mind with the new administration. The only topic in traditional computing that might get as much ink these days is the hacker/cyber security threat, which targets everyone who uses a computer (Mac, PC, Linux, whatever) or smartphone. Hackers can even affect people who don’t use a computer, such as my poor mother, who had her credit card information stolen when a retailer she frequents was hacked. There is also the challenge of identity management that many overlook when investigating Web 2.0 and cloud solutions.

There’s no doubt that consumer services like Facebook and cloud platforms like Amazon/Google/Microsoft Azure are opening exciting new ways for government agencies to get data out to the public. However, as exciting as the evolution of the cloud and web 2.0 has been, the public is still stuck with having to use the ancient method of username and password to secure their personal data in all the various sites where they keep information.

As the number of sites that people use has grown, I would bet that the vast majority of people out there are using the same or similar usernames/passwords for many of the sites they access, not to mention that a familiar user name makes it easy for somebody to impersonate another person’s identity. On their own, most people don’t set a strong password, and if they use the same one on many sites, they run the risk of having their identity stolen. And that is exactly what has happened to so many people.

Apply this to Web 2.0 and the cloud and you really begin to ask the question: do I really know who I am following when I’m reading my tweets?

In professional settings today, many public and private organizations use identity access services that require manual submission of attributes like name, e-mail address and phone number; after initial authentication, PIN access to sites is verified by leaving voice mails on the user’s phone. Although effective, these types of solutions are difficult to scale because granting the initial access to a user account is a manual process.

There are many people in government who have thought about how to move past the requirement to use usernames/passwords to secure data. DOD has been doing that for several years with its PKI infrastructure. The civil agencies have been working to support HSPD 12, although many of them are not there yet. A government cloud promises open collaboration in and between agencies but also introduces new identity management challenges. Consider, for example, the challenging task of securely federating government employee identities in a government cloud.

Citizen-facing applications face even more challenging identity management issues. As the Federal government works to get government data more broadly distributed on the sites people use, like Facebook, Twitter, or on a new cloud computing application, the government should think hard about how to do that in a way that does not force the public to rely on the very thin line of defense that is a username/password.

The IT industry has not only been innovating in the web 2.0 or cloud computing space over the past few years. In fact, one of the most consequential developments over the past several years has been the establishment of industry standards like SAML 2.0, WS-* and Info Cards, which provide an open, interoperable and very user friendly way to allow people to log on securely to web sites or applications without the use of usernames or passwords. The general term for this is “claims-based authentication”, and the government, at all levels (local, state, federal) has a role to play in enabling this more secure way to access data, especially with what can be very sensitive data (think about your tax return or say your social security information).

In fact, given the Obama administration’s focus on electronic health records (which is a very good idea), the issue of allowing secure access to this digitized information is only going to become more important in the future. While all this is happening, the bad guys out there, intent on stealing personal data for nefarious ends, are only getting smarter and more successful at stealing usernames and passwords from an unsuspecting public.

Most people, from all walks of life and across the political spectrum, would say that one of the fundamental missions of government is to keep the people safe. While government generally does a good job of keeping people safe in the physical world (police, militaries, etc.), it hasn’t really played a role in keeping people safe in cyberspace, except for punishing the bad guys after the fact. However, with the advent of open identity standards such as claims-based authentication, SAML 2.0 and Info Cards, the government can actually mirror the role it has in establishing a person’s identity in the real world (e.g. issuing you a driver’s license) with the equivalent in the digital world (issuing you an InfoCard to go along with your driver’s license).

This doesn’t mean that the InfoCard you get from the local DMV would then be the only ID you would need to gain access to secure data, but along with other data from other sources (say your employer affiliation, biometric info, etc), you could create an aggregate set of “claims” with attributes about you from a set of authoritative sources (the DMV, your bank, your employer, the passport office) that you would use to log on to a wide variety of public or government websites. If you think about it, this is really just the same thing as the government issuing you a piece of plastic with your picture so you get the right to drive a big piece of metal on the roads the government builds for you.

You need that one piece of plastic to drive, but if you want to get into your office, you need another piece of plastic (your employee ID).

Sometimes, you need more than one ID to get in, for example the Pentagon. If the Obama administration championed the use of the open InfoCard standard, it would go a long way towards keeping the public safe on the Internet.
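To make the idea of an aggregate set of claims concrete, here is an added example (not code from the original post, and not the SAML 2.0 or InfoCard wire format): each hypothetical authoritative source (a DMV and an employer, with made-up names) signs its own claims, and a relying party accepts only claims whose signature checks out under an issuer it already trusts. HMAC stands in for the issuer’s signing certificate so the example runs offline.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed trust list: issuer name -> key the relying party trusts.
# In a real deployment these would be issuer certificates, not shared secrets.
TRUSTED_ISSUERS = {
    "dmv.example.gov": b"dmv-signing-key",
    "employer.example.com": b"employer-signing-key",
}

def canonical(issuer: str, claims: Dict[str, str]) -> bytes:
    # Deterministic serialization so issuer and verifier hash identical bytes.
    return json.dumps({"iss": issuer, "claims": claims}, sort_keys=True).encode()

def issue_token(issuer: str, key: bytes, claims: Dict[str, str]) -> dict:
    # What an authoritative source hands the user: its claims plus a signature.
    sig = hmac.new(key, canonical(issuer, claims), hashlib.sha256).hexdigest()
    return {"iss": issuer, "claims": claims, "sig": sig}

def verify_token(token: dict) -> bool:
    # Claims from an unknown issuer, or with a bad signature, carry no weight.
    key = TRUSTED_ISSUERS.get(token.get("iss"))
    if key is None:
        return False
    expected = hmac.new(key, canonical(token["iss"], token["claims"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(token.get("sig", "")))

def aggregate_claims(tokens: List[dict]) -> Dict[str, Dict[str, str]]:
    # Relying-party view: verified claims keyed by the issuer vouching for them,
    # so a claim is never separated from the authority that made it.
    aggregate: Dict[str, Dict[str, str]] = {}
    for token in tokens:
        if verify_token(token):
            aggregate.setdefault(token["iss"], {}).update(token["claims"])
    return aggregate

def may_access(aggregate: Dict[str, Dict[str, str]], required: Dict[str, List[str]]) -> bool:
    # required maps issuer -> claim names that issuer must vouch for.
    return all(name in aggregate.get(iss, {}) for iss, names in required.items() for name in names)

if __name__ == "__main__":
    dmv = issue_token("dmv.example.gov", TRUSTED_ISSUERS["dmv.example.gov"], {"name": "A. Citizen"})
    emp = issue_token("employer.example.com", TRUSTED_ISSUERS["employer.example.com"], {"affiliation": "Agency X"})
    forged = {"iss": "dmv.example.gov", "claims": {"name": "Mallory"}, "sig": "00"}
    agg = aggregate_claims([dmv, emp, forged])
    print(may_access(agg, {"dmv.example.gov": ["name"], "employer.example.com": ["affiliation"]}))
```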

Why is it important?

As Web 2.0 and the Cloud play an increasingly vital role in day-to-day citizen and government activities, concerns about online identity theft, fraud and privacy continue to escalate, both within the boundaries of the government and through the government’s collaboration with citizens.

As the Government begins to investigate how the Cloud can help it meet its demanding transparency and accountability responsibilities, it is equally important that the data it shares and collects is securely managed and accessed.

Many industry observers today worry that traditional authentication methods based on account names and passwords have grown inadequate for cloud and online activities. The need for advanced online identity protection has prompted the industry and government to rethink the way digital identity is managed online.
