Yes, so you are under 25 years old and want to buy a bottle of wine… or maybe something stronger, from your local liquor store.

- You are asked for ID to prove you are old enough
- You produce ID
- ID that includes your name, date of birth, nationality, and your favourite colour and sexual orientation… okay, so I’m joking, just a little bit, here…

The problem is that the liquor store only needs to know whether you are old enough to buy alcohol, nothing more. So why are we sharing so much of our personal information unnecessarily?
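As an added example (not from the original post) of how the liquor-store check could be done without handing over the whole ID: the issuer signs only salted digests of each attribute, plus an "over_18" predicate it computes itself, and the holder reveals a single attribute with its salt. The issuer name, the sample person and the use of HMAC-SHA256 as a stand-in for the issuer's public-key signature are all assumptions for the illustration.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date

# Constructed sample issuer key; stands in for an issuer's private signing key.
ISSUER_KEY = b"example-id-authority-signing-key"


def _digest(name: str, value, salt: bytes) -> str:
    """Salted commitment to one (name, value) pair; the salt stops guessing attacks."""
    return hashlib.sha256(salt + json.dumps([name, value]).encode()).hexdigest()


def is_over_18(dob: date, today: date) -> bool:
    """Age predicate computed by the issuer, so the holder never reveals the birth date."""
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    return today.year - dob.year - (0 if had_birthday else 1) >= 18


def issue_credential(issuer_key: bytes, attributes: dict, today: date) -> tuple[dict, dict]:
    """Issuer returns a signed list of digests plus the per-attribute disclosures.

    The credential carries no attribute values, only sorted digests, so a verifier
    learns nothing about attributes the holder chooses not to reveal.
    """
    attrs = dict(attributes)
    attrs["over_18"] = is_over_18(date.fromisoformat(attrs["date_of_birth"]), today)
    disclosures = {name: (secrets.token_bytes(16), value) for name, value in attrs.items()}
    credential = {
        "issuer": "example-id-authority",  # assumed issuer name
        "digests": sorted(_digest(n, v, s) for n, (s, v) in disclosures.items()),
    }
    body = json.dumps(credential, sort_keys=True).encode()
    credential["sig"] = hmac.new(issuer_key, body, hashlib.sha256).hexdigest()
    return credential, disclosures


def present(credential: dict, disclosures: dict, names: list) -> dict:
    """Holder reveals only the named attributes (salt + value); everything else stays hidden."""
    return {
        "credential": credential,
        "revealed": {n: [disclosures[n][0].hex(), disclosures[n][1]] for n in names},
    }


def verify(issuer_key: bytes, presentation: dict) -> dict:
    """Verifier checks the issuer signature and that each revealed attribute is covered by it."""
    credential = dict(presentation["credential"])
    sig = credential.pop("sig")
    body = json.dumps(credential, sort_keys=True).encode()
    expected = hmac.new(issuer_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("issuer signature does not verify")
    revealed = {}
    for name, (salt_hex, value) in presentation["revealed"].items():
        if _digest(name, value, bytes.fromhex(salt_hex)) not in credential["digests"]:
            raise ValueError(f"revealed attribute {name!r} is not covered by the signature")
        revealed[name] = value
    return revealed


def demo() -> dict:
    """Liquor-store flow on constructed sample data: only the over_18 predicate is disclosed."""
    full_id = {"name": "Alice Example", "date_of_birth": "1995-06-30", "nationality": "SE"}
    credential, disclosures = issue_credential(ISSUER_KEY, full_id, today=date(2014, 4, 9))
    presentation = present(credential, disclosures, ["over_18"])
    return verify(ISSUER_KEY, presentation)


if __name__ == "__main__":
    print(demo())  # {'over_18': True}
```

The store sees the issuer's signature and one salted attribute; name, date of birth and nationality never leave the holder, and a holder cannot flip "over_18" to true because the forged value no longer matches any signed digest.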

You are a record in a database, an object in a directory (if you are lucky), an ID card, a line of text and numbers in a spreadsheet or a Word file. You are all of these and nothing… literally, when thinking about what you are digitally.

Then let us link this to your digital communications, or what I prefer to call your ‘digital interactions’… oops, there is no linkage… umm, this means you are 1s and 0s in cyberspace, with nothing connecting you (your digital identity) with your digital interactions… seems rather sad.

At least that was what the Court of Justice of the European Union in Luxembourg declared yesterday concerning the Data Retention Directive. But what does this really mean for you in practice?

    Firstly, this is about the collection of your traffic patterns, not the contents. From these, telephone and ISP providers’ records allow a traffic analysis to ascertain your online habits; this includes location data, i.e. where you are, as well as the related data necessary to identify the subscriber or user.

    Secondly, the directive was intended to ensure that the data collected could be used for the prevention, investigation, detection and prosecution of serious crime, in particular organised crime and terrorism.

However, the directive was flawed because:

    1. The data was collected on ALL of us, not just those of interest for crime prevention;
    2. Access to the data collected on you was not subject to prior review by a court or an independent body. No warrant was needed, unlike, for example, a search of your home premises;
    3. There was nothing forcing the deletion of the data collected after the maximum retention period of 24 months;
    4. There was nothing stopping the data collected from ending up outside of the EU.

So what next? I believe that, just like a ‘bad penny’, this directive will pop up again later in a new set of clothes, this time with fewer holes ;-)

More reading:
SvD – EU:s datalagringsdirektiv ogiltigt (2014-04-08)
ft.com – European Court of Justice rules EU data collection laws illegal (2014-04-08)
PCWorld – Germany Taken to Court for Failing to Implement Data Retention (2012-05-31)
PCWorld – German Lawmakers Say Data Retention Directive May Be Illegal (2011-04-27)

I love ticking boxes; it makes me feel as though I’ve achieved something. It’s like a checklist: each tick-box is a step closer to completing my list of ‘things to do’. It’s kind of satisfying. It is even more so when I get paid a good hourly fee for ticking boxes ;-)

Okay, so I’m joking a little. Preparing an organisation for ISO 27001 certification is a little more complex than purely completing a checklist. Yet, however simple or complex it is, even when your organisation passes its audit, that does not prove it is secure. It does prove that you tried your best, i.e. demonstrated ‘due diligence’. Then something goes terribly wrong, e.g. one of your user accounts is used to hack into the organisation and access information that, if made public, can ruin your business. Well, you tried your best within the boundaries of your capabilities, so I guess that’s okay? Or is it? I guess not, if you go out of business, or end up spending the subsequent 12 months in crisis mitigation mode!

The problem as I see it is multidimensional and not limited to this list:

    1. Reactive security – We are so focused on doing the security stuff that we understand, i.e. ticking boxes, that we never get to the core of the problem.
    2. Product-focused security – Even when a problem could be solved with a product, there are so many security product vendors out there touting a ‘magic bullet’ that nobody knows who or what to believe anymore.
    3. Mis-alignment of security spend with the LoB – Security products are often implemented without addressing the fundamental business need. Evidence of this is when new security products/services come out of the IT budget, not from the Line of Business (LoB).
    4. BandAid security – Following from point (3), a lack of LoB ownership of security spend means no sponsorship. The result is that even when security spend is approved, e.g. for the mitigation effort needed to meet compliance requirements, the effort amounts to a ‘BandAid’ approach to fixing what needs fixing.
    5. Non-contiguous defense-in-depth security – Because of all of the above, your security infrastructure is not contiguous. The ‘defense-in-depth’ approach to your security programme recommended by security experts may be deep, but it is full of holes.
    6. Information that moves – Our digitised society has changed the parameters of how we should be doing security, yet in our organisations we still think as though information is static and can be contained. It cannot.

Fixing all of the above is pretty daunting, and it is now generally acknowledged that there is no way to guarantee that the confidentiality and integrity of the information assets your organisation owns are fully protected. So what’s my view on this?

Well, it is fun ticking boxes and I’ve made a lot of money during my career in this activity ;-) But I guess you’ve figured out that I don’t find it quite as satisfying as I made out at the beginning of this post. To simplify things, I see roughly two tracks. The first is business security: the linkage from business needs to scoping. The second is how to do this from a technology perspective, which I’ve grouped as people-centric, device-centric and information-centric. This reflects the fluid nature of information today, which cannot be contained by building a fortress around it.

BUSINESS Security

    B1. LoB – What is the need?
    Firstly, security needs and spend must come directly from the LoB. They know their business best, and know what needs protecting better than I do as the security expert, or than your IT department does. The two most important questions to ask are:
    1) “What can ruin your business?”, and
    2) “What do you need to be compliant with?”.
    Clearly security spend should be commensurate with what you want to achieve. For example, if a vendor wants to sell you a DLP product across your whole company, think twice, and ask what it is needed for: (1) to protect you from ruin, or (2) to be compliant?
    B2. Keep it small
    Take one business process at a time and fix it using the following 3 principles.

TECHNICAL Security

    T1. People-centric security
    How we do identity control today is the weakest link in the security chain; see my previous posts on this. I call it identity control, not identity management, because it is about control and traceability, for your organisation and for the identity holders. Your organisation and your employees are continually part of digital interactions, and all of the interactions you share together belong to your organisation!
    T2. Device-centric security
    Take a look at what the Trusted Computing Group is doing with the Trusted Platform Module (TPM) chip. I normally describe this as putting “security at the ‘chip’ level”. This is not technically accurate, but it conveys that the security sits at the microprocessor level of the device rather than at the application layer. If you liken it to a house, it means that you have walled in all your windows (the application layer), and the only way in is through the door (ground level), with high-level security controls linked intimately to your digital identity, which of course follows the people-centric approach to identity control ;-)
    T3. Information-centric security
    This is all about protecting and adding traceability to your information, wherever it is stored. Examples include your mobile workforce and their mobile devices. Then, where is your critical information at rest, in a public or shared cloud? Well, this information should be encrypted using a key-fragment approach. This means: 1) your cloud provider cannot see the contents of your information in the cloud; 2) you hold the key; and 3) a fragment must be collected from a central key-fragment store, which could be owned by yourself, so you have traceability of who is accessing what information in the cloud through key-access patterns.

Now that I’ve finished with my little ‘brain-dump’ on you guys, I guess I should get back to ticking boxes ;-)

It is when the identity and associated roles that trigger and consume the digital interaction are not an integral part of the process. This means that the participating parties cannot legally be held accountable for their actions. The principal consequence is a lack of absolute traceability in your organisation and, where there are legal requirements, a need for manual paper processes to run in parallel with the digitised processes.

There are additional consequences:

  • A lack of traceability gives limited transparency, which means you do not have control over the information in your organisation.
  • When legality comes into play, there is the extra cost of running the digitised process in parallel with a manual process.
  • From a compliance perspective, although you can assign responsibility to roles, you cannot tie accountability to that responsibility, because the so-called identities and appointed roles are not really part of the digital interaction.
  • From a security angle, the risks to the integrity and confidentiality of your information are increased, as the lack of a strong digital identity weakens the complete digital interaction/cycle.

Although many identity products claim to solve this problem, they do not. The reason is that they are based on the use of a digital identity, and as I mentioned in the first post in this series, digital identities as mainly used today are not identities at all! They weaken with exposure, not reflecting the real world, where our physical identity strengthens with exposure. They are not people-centric but database/directory-centric. This presents significant risks to the integrity and confidentiality of all digital interactions.

So, returning to the original question: the answer is when the digital interaction is pulling identities from a database or directory, not from the identity holder. What is needed is to weave into the digital interaction a digital identity that is centric to the individual, one that is strengthened by reference authorities. Only then is it a true digital interaction; anything less is not a digital interaction at all.

So does identity equal reputation? After all, this is the claim made by some identity practitioners, such as Dick Hardt (Hardt, 2006). The simple answer is no. Does it matter? The answer is yes, it matters a lot.

Today, in our digitised society, your digital identity is quite simply an entry in a database, an object in duplicate, triplicate and more, copied over numerous disparate directories scattered across the globe. Conversely, your reputation is of significant value to you but of none to others, unless they use your reputation to add value to their own. To all intents and purposes your identity is worth a piece of gold to those motivated to collect, use and abuse identities. As for your reputation, everything you publish online has most likely been copied and replicated to another server, or indexed and cached by some search engine. For this reason your reputation has a persistence that it did not have before.

Your digital identity, and anything that links to you, including the digital residue you leave in your wake, is a gold mine for gold diggers. Your digital reputation, however, is not worth stealing. Yet it is worth nurturing. In essence your online reputation can attain a value that may not accurately reflect the person sitting behind it. By using your reputation you can create a kind of personal brand online. Once you have separated your reputation from your identity, it becomes quite straightforward to take it and manage it. Your reputation could be divided into three phases: (1) what you did before, (2) what you are doing now and during your lifetime, and finally (3) what happens after you die. It takes skill to manage your digital reputation effectively.

Your identity needs to be protected and your reputation needs nurturing. What’s more, your identity can make money for “gold diggers”, whereas your reputation is of no value except for what you make of it; and then its subjective value is of worth only to yourself.

But how can you protect your digital identity and nurture your digital reputation if you do not own them, or even control them? I will be posting more on this in the following weeks ;-)

Haven’t you thought it strange that your digital identity becomes weaker the more it is exposed? In fact, is it an identity at all? After all, it is only a record in a database, or an object composed of attributes in an X.500 directory tree, or something written on a plastic ID card. It is all of these, replicated in maybe hundreds of instances, accurately and inaccurately, all over the world.

In fact, where is your digital identity? Is it real? If it is real, then why do you have no control over it?

Why does your digital identity not reflect exactly how your physical identity works in the real, physical world? When you are born you are referenced, probably starting with your parents declaring that you are their son/daughter and what your name is (your identity); relations and friends do the same, and your identity strengthens. You start kindergarten and school, perhaps you are assigned a national ID number; you are referenced, and every reference to you strengthens your identity. The louder you shout, the more famous you become, the stronger your identity grows. In fact the President, Prime Minister, King, Queen, etc., probably have the strongest identities.

It is difficult to commit identity fraud on strong identities. So I return to my first question: why does it not work the same way in the digital world?
