Getting deep with identity

I was about to write an email to someone I respect deeply about how my thinking on information security had changed since we last met in the summer of 2013. Then I wondered if I’d actually written a blog post on this? I searched and found nothing, and was surprised that it is not here. It is pretty straightforward, on the verge of “obvious my dear Watson” 😉

Clearly security is broken: however hard we work, our security programs, interlaced with security technologies, are not effective. Our security programs are not watertight.

So here we go:

1. Security is only as strong as the weakest link – an obvious deduction even for the non-security geeks amongst us 😉

2. The weakest link in the chain is the Human Factor of Information Security, something David Lacey wrote a whole book on in 2009.

3. If the identity thing, you know, the technology aspect of ‘the human aspect of information security’, had been architected correctly from the start, we wouldn’t be in the shit that we are in today when it comes to watertight security programmes!

Firm action is needed against identity hijacking in Sweden

The rapid increase in identity fraud in Sweden is gaining some media attention (http://www.svd.se/opinion/brannpunkt/krafttag-kravs-mot-id-kapning_3767990.svd). However, they are missing the point. The solution is not purely to simplify the ‘clean-up process’, but to change the law. And changing the law is not purely about criminalizing the crime, but about enforcing an individual’s basic fundamental right to information privacy. You should have the right to remove your personal information from websites making money from it! For example, I have tried removing my date of birth from www.birthdays.se (see previous posts) and the request was refused. The problem I have with my date of birth being public is that:

1) it is my personal information; and
2) it is the first 6 digits of my Swedish personal id (YYMMDD-xxxx).

The root of the problem is that although the Personal Data Act (PuL) is here to protect our personal information, in this context the PuL is impotent. The Swedish codification of the European Union Directive on Data Protection just does not work. The source of the problem is that the Personal Data Act (PuL) does not apply if its application is contrary to the Fundamental Law on Freedom of Expression (1991).

So what this means is that the Fundamental Law on Freedom of Expression is being abused by companies making money from our identities. And I think that it is about time that this abuse is stopped!

Identity Management is DEAD!

It’s all about CONTROL…

You CONTROL your identity
Organisations CONTROL their identity
Countries CONTROL their identity

This is the future of ‘identity management’ or ‘IDM’ or ‘IAM’. Scalability comes from the bottom up, not the top down. You CONTROL what is yours, your identity. Nothing else will work in this highly connected, growing and verbose world that we are all a part of today. That is, if we, the identity owners, are at all interested in owning and controlling what is fundamentally ours: our identity and our digital footprint.

I want my identity back NOW

I am on a crusade.

I am fed up with finding my personal information being spread all over Sweden by government authorities. There are laws concerning the protection of personal privacy that are not being enforced. I plan to fix this. I have written a letter to the Datainspektion, and started posting on this thread (Tracey). In parallel is a series called “My name is Tracey” on YouTube, Part #1 uploaded today. If you want to help, Like and Share to your heart’s content wherever you happen to pick this up. I have a plan on how to succeed, and you are a part of the plan…

So when is a digital interaction not a digital interaction?

When the identity and associated roles that trigger and consume the digital interaction are not an integral part of the process. This means that the participating parties cannot be legally held accountable for their actions. The principal consequence is a lack of absolute traceability in your organisation and, if there are legal requirements, a need for manual paper processes to run in parallel with the digitised processes.

There are additional consequences:

  • A lack of traceability gives limited transparency, which means you don’t have control over the information in your organisation.
  • When legality comes into play, there is the extra cost of running the digitised process in parallel with a manual process.
  • From a compliance perspective, although you can assign responsibility to roles, you cannot tie accountability to the responsibility because the so-called identities and appointed roles are not really a part of the digital interaction.
  • From a security angle, the risks to the integrity and confidentiality of your information are increased, as the identity, or the lack of a strong digital identity, weakens the complete digital interaction/cycle.

Although many identity products claim to solve this problem, they do not. The reason is that they are based on the use of a digital identity, and as I mentioned in the first post in this series, digital identities as used in the main today are not identities at all! They weaken with exposure, not reflecting the real world, where our physical identity strengthens with exposure. They are not people-centric but database/directory-centric. This presents significant risks to the integrity and confidentiality of all digital interactions.

So, returning to the original question: the answer is when the digital interaction is pulling identities from a database or directory, not from the identity holder. What is needed is to weave a digital identity that is centric to the individual, one that is strengthened by reference authorities, into the digital interaction. This is a true digital interaction; anything less is not a digital interaction at all.

Identity = Reputation?

So does identity equal reputation? After all this is the claim made by some identity practitioners such as Dick Hardt (Hardt, 2006). The simple answer is no. Does it matter? And the answer is yes, it matters a lot.

Today in our digitised society your digital identity is quite simply an entry in a database, an object in duplicate, triplicate and much more, copied over numerous disparate directories scattered across the globe. Conversely, your reputation is of significant value to you but of none to others, unless they use your reputation to add value to their own. To all intents and purposes your identity is worth a piece of gold to those motivated to collect, use and abuse identities. As for your reputation, everything you publish online has most likely been copied and replicated to another server or indexed and cached by some search engine. For this reason your reputation has a persistence value that it did not have before.

Your digital identity and anything that links to you, including the digital residue you leave in your wake, is a gold mine for gold diggers. However, your digital reputation is not worth stealing. Yet it is worth nurturing. In essence your online reputation can attain a value that may not accurately reflect the person sitting behind it. It is by using your reputation that you can create a type of personal branding online. Once you have separated your reputation from your identity it becomes quite straightforward to take it and manage it. Your reputation could possibly be divided into three phases: (1) what you did before, (2) what you are doing now and in your lifetime, and finally (3) what happens after you die. It takes skill to manage your digital reputation effectively.

Your identity needs to be protected and your reputation needs nurturing. What’s more is that your identity can make money for “gold diggers”, whereas your reputation is of no value except for what you make of it; and then its subjective value is of worth only to yourself.

But how can you protect your digital identity and nurture your digital reputation, if you do not own them, or even control them? I will be posting more on this in following weeks 😉

Turning the identity thing upside down

Haven’t you thought it strange that your digital identity becomes weaker the more it is exposed? In fact, is it an identity at all? After all, it is only a record in a database, or an object comprised of attributes in an X.500 tree, or something written on a plastic ‘id card’. It is all of these, replicated in maybe hundreds of instances, accurately and inaccurately, all over the world.

In fact where is your digital identity? Is it real? If it is real then why do you have no control over it?

Why does your digital identity not reflect exactly how your physical identity works in the real physical world? When you are born you are referenced, probably starting with your parents declaring that you are their son/daughter and what your name is (your identity); relations and friends do the same… your identity strengthens. You start kindergarten and school, perhaps you have been assigned a national id number… you are referenced, and every reference to you strengthens your identity. The louder you shout, the more famous you become, the stronger your identity grows. In fact the President, Prime Minister, King, Queen, etc., probably have the strongest identities.

It is difficult to commit identity fraud on strong identities. So I return to my first question, why does it not work the same in the digital world?
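The two ideas above, an interaction that carries the identity holder's own identity rather than a row looked up in a directory (“So when is a digital interaction not a digital interaction?”), and an identity that gets stronger with every reference to it (this post), can be shown in a few dozen lines. The Go program below is an added example written for this page, not the author's code or any product's: each person or authority holds a key pair via the standard library's crypto/ed25519; an action is signed by the person taking it, so the record itself proves who acted; and reference authorities sign endorsements binding a name to a key, so the strength of an identity is simply the number of trusted references that vouch for it. All names (Tracey, the registry, the bank) are constructed, and revocation, expiry and key rotation are left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Identity is held by its owner: the private key stays with the person (or
// organisation) and is never copied into a directory.
type Identity struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdentity(name string) (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{Name: name, Pub: pub, priv: priv}, nil
}

// Endorsement is one reference: an authority vouches, under its own key,
// that this name belongs to this public key.
type Endorsement struct {
	Authority  string
	Subject    string
	SubjectPub ed25519.PublicKey
	Sig        []byte
}

func endorsementBytes(subject string, pub ed25519.PublicKey) []byte {
	return []byte("endorse|" + subject + "|" + hex.EncodeToString(pub))
}

// Endorse lets an authority add a reference to someone else's identity.
func (auth *Identity) Endorse(subject *Identity) Endorsement {
	return Endorsement{
		Authority:  auth.Name,
		Subject:    subject.Name,
		SubjectPub: subject.Pub,
		Sig:        ed25519.Sign(auth.priv, endorsementBytes(subject.Name, subject.Pub)),
	}
}

// Action is one step of a digital interaction, signed by the person taking
// it, so the record carries the identity instead of a row id looked up later.
type Action struct {
	Actor    string
	ActorPub ed25519.PublicKey
	Payload  string
	Sig      []byte
}

func actionBytes(actor, payload string) []byte { return []byte(actor + "|" + payload) }

func (id *Identity) Act(payload string) Action {
	return Action{Actor: id.Name, ActorPub: id.Pub, Payload: payload,
		Sig: ed25519.Sign(id.priv, actionBytes(id.Name, payload))}
}

// TrustedSet lists the authorities a verifier accepts as references.
func TrustedSet(auths ...*Identity) map[string]ed25519.PublicKey {
	t := make(map[string]ed25519.PublicKey)
	for _, a := range auths {
		t[a.Name] = a.Pub
	}
	return t
}

// Strength counts the distinct trusted authorities whose endorsement of the
// actor's key verifies: every valid reference makes the identity stronger.
func Strength(a Action, refs []Endorsement, trusted map[string]ed25519.PublicKey) int {
	seen := map[string]bool{}
	for _, e := range refs {
		authPub, ok := trusted[e.Authority]
		if !ok || e.Subject != a.Actor || !bytes.Equal(e.SubjectPub, a.ActorPub) {
			continue
		}
		if ed25519.Verify(authPub, endorsementBytes(e.Subject, e.SubjectPub), e.Sig) {
			seen[e.Authority] = true
		}
	}
	return len(seen)
}

// Accountable holds when the action is signed by the key the actor presented
// and at least minRefs trusted authorities bind that key to the actor's name.
func Accountable(a Action, refs []Endorsement, trusted map[string]ed25519.PublicKey, minRefs int) bool {
	if !ed25519.Verify(a.ActorPub, actionBytes(a.Actor, a.Payload), a.Sig) {
		return false
	}
	return Strength(a, refs, trusted) >= minRefs
}

func main() {
	tracey, _ := NewIdentity("Tracey")
	registry, _ := NewIdentity("Population registry")
	bank, _ := NewIdentity("Bank")
	refs := []Endorsement{registry.Endorse(tracey), bank.Endorse(tracey)}
	trusted := TrustedSet(registry, bank)

	act := tracey.Act("approve purchase order 42")
	fmt.Println("references:", Strength(act, refs, trusted), "accountable:", Accountable(act, refs, trusted, 2))

	// Same name, fresh key, no references: the directory-style "identity" the
	// post warns about. Nothing ties this record to the real person.
	impostor, _ := NewIdentity("Tracey")
	fmt.Println("impostor accountable:", Accountable(impostor.Act("approve purchase order 42"), refs, trusted, 1))
}
```

Two details carry the argument: the verifier never consults a user table, only the key the actor presented and the endorsements that reference it, and exposing the public key or the endorsements to the world takes nothing away, which is exactly the property the post says a directory entry lacks.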

2 million account credentials stolen!

More than 2 million passwords have been stolen from popular web services such as Facebook, Google, Yahoo, Twitter, LinkedIn, etc. All the popular press are reporting on this (here is something in English and Swedish).

Now what is interesting is the analysis on the stolen passwords by Trustwave. Trustwave did a similar study over 6 years ago on passwords exposed from MySpace, and this shows that nothing has changed, if anything password complexity is even weaker now than what it was in 2006. It seems that users are choosing simplicity over complexity.
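The kind of analysis Trustwave did over the stolen passwords (how long they are, how many character classes they mix, which ones are reused most) is easy to reproduce over any list, and the Go program below is an added example for this page, not Trustwave's tooling or the author's code. The password list is constructed for the example; the three-bucket rule (weak/medium/strong by length and character classes) is this block's own and is not Trustwave's exact categorisation.

```go
package main

import (
	"fmt"
	"sort"
	"unicode"
	"unicode/utf8"
)

// SamplePasswords is a constructed stand-in for a leaked credential list;
// no real dump is used. Repeats are deliberate to show reuse.
var SamplePasswords = []string{
	"123456", "123456", "123456", "password", "password", "123456789",
	"1234", "qwerty", "111111", "iloveyou", "abc123", "Sommar2013",
	"P@ssw0rd!", "Tr4c3y!Long&Strong#2013", "correct horse battery staple",
}

// CharClasses counts how many of lower, upper, digit and other appear.
func CharClasses(p string) int {
	var lower, upper, digit, other bool
	for _, r := range p {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
	}
	n := 0
	for _, b := range []bool{lower, upper, digit, other} {
		if b {
			n++
		}
	}
	return n
}

// Category applies this block's own length-and-classes rule:
// weak   = shorter than 8 characters or a single character class
// strong = at least 12 characters mixing three or more classes
// medium = everything in between
func Category(p string) string {
	l := utf8.RuneCountInString(p)
	c := CharClasses(p)
	switch {
	case l < 8 || c == 1:
		return "weak"
	case c >= 3 && l >= 12:
		return "strong"
	default:
		return "medium"
	}
}

// Distribution tallies categories over a list.
func Distribution(pws []string) map[string]int {
	d := map[string]int{}
	for _, p := range pws {
		d[Category(p)]++
	}
	return d
}

// TopPasswords returns the k most reused passwords, most common first,
// ties broken alphabetically so the result is deterministic.
func TopPasswords(pws []string, k int) []string {
	count := map[string]int{}
	for _, p := range pws {
		count[p]++
	}
	uniq := make([]string, 0, len(count))
	for p := range count {
		uniq = append(uniq, p)
	}
	sort.Slice(uniq, func(i, j int) bool {
		if count[uniq[i]] != count[uniq[j]] {
			return count[uniq[i]] > count[uniq[j]]
		}
		return uniq[i] < uniq[j]
	})
	if k < len(uniq) {
		uniq = uniq[:k]
	}
	return uniq
}

func main() {
	fmt.Println("distribution:", Distribution(SamplePasswords))
	fmt.Println("most reused:", TopPasswords(SamplePasswords, 3))
}
```

Note what the class-based rule gets wrong: the long lower-case passphrase lands in “medium” while a nine-character “P@ssw0rd!” lands there too, even though the first is far harder to guess. Complexity buckets of this kind measure what a policy asks for, not guessability, which is part of why users keep choosing the simplest string that passes.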

So what’s so surprising? It is quite naive to assume that we will use complex passwords, especially across our social networking accounts. This is why we are increasingly accepting single sign-on using Facebook, LinkedIn, etc., to authenticate to other web services. The last Gartner conference on identity talked about needing to re-work how we do identity, i.e. make it ‘people-centric’, now where have I heard that one before 😉