Jon Collins, Info Security Adviser

At the end of last week, I found myself in the most pleasant position of being briefed by Kim Cameron, Microsoft’s head honcho for identity management. Kim is generally recognised as quite a catch for Microsoft – a bit like Ray Ozzie, he is a recognised leader in his field and, perhaps most importantly, he doesn’t come with all that Gates-an’-Ballmer-show baggage which almost invariably leads to a question of motives before engaging. Kim comes across as “everybody’s favourite uncle” – with his grey hair and bushy moustache, he exudes common sense and intelligence in equal measure.

But enough about the man. What Kim has advocated (he freely admits he is not alone in this, but he has been instrumental in driving it forward) is to see identity as an aggregation of “claims” – which, given this risk-averse world we live in, require some kind of verification before they can be acted upon. I might claim, for example, to be a biochemistry student aged over 18, or an existing policy holder: assertions which can both be tested by requesting certain, previously agreed information. The traditional concept of “non-repudiation” (in which public key cryptography can be used to verify that a sender is who he or she says) can be extended to incorporate claims, so once I have a validated claim, I can continue to act on it.

It’s a simple enough concept, but its effect can be profound. A claim is essentially “information that knows about itself”, in the words of my old boss Robin Bloor, which means that the other end of the link doesn’t necessarily have to know who I am or any particularly personal information (my date of birth or home address, say). A student information system only needs to know that I am a biochemistry student, for example, to grant me access to restricted research papers on the topic. When we met, Kim explained how, with a claims-based approach, ideas like authentication and authorisation become more of a spectrum of possibilities rather than discrete components of a security architecture, since in authenticating you are also saying what you are authorised to access.
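As an added illustration (not code from this post, nor from CardSpace or any other product mentioned), here is the claims flow above in Go: a hypothetical issuer signs a small claim set with ed25519, and a relying party verifies the issuer's signature and checks only the one claim it needs, never learning a date of birth or address. The issuer name, subject pseudonym and attribute names are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Claims is a constructed sample of an issuer's assertions; Subject is an opaque pseudonym.
type Claims struct {
	Issuer  string            `json:"iss"`
	Subject string            `json:"sub"`
	Attrs   map[string]string `json:"attrs"`
}

// Token carries the serialised claims plus the issuer's signature over them.
type Token struct{ Payload, Signature []byte }

// Issue signs the claims with the issuer's private key (hypothetical issuer API).
func Issue(priv ed25519.PrivateKey, c Claims) (Token, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return Token{}, err
	}
	return Token{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is the relying party's check: the signature must validate under the issuer's
// public key and the one claim it cares about must hold; nothing else is needed or revealed.
func Verify(pub ed25519.PublicKey, t Token, attr, want string) (Claims, error) {
	if !ed25519.Verify(pub, t.Payload, t.Signature) {
		return Claims{}, errors.New("issuer signature invalid: claim cannot be acted upon")
	}
	var c Claims
	if err := json.Unmarshal(t.Payload, &c); err != nil {
		return Claims{}, err
	}
	if got := c.Attrs[attr]; got != want {
		return Claims{}, fmt.Errorf("claim %s=%q required, token asserts %q", attr, want, got)
	}
	return c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tok, _ := Issue(priv, Claims{Issuer: "example-university", Subject: "stu-4711",
		Attrs: map[string]string{"programme": "biochemistry", "over18": "true"}})
	_, err := Verify(pub, tok, "programme", "biochemistry")
	fmt.Println("grant access to restricted papers:", err == nil) // prints true
}
```

A token altered after signing, or one signed by a key the relying party does not trust, fails the signature check before any claim is read.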

It’s all great in principle. In practice, while it is being seen as “the preferred approach” by a number of the organisations involved (from Microsoft to the Liberty Alliance), both technology innovation and its general adoption have still to catch up. Microsoft’s own implementation of claims-based identity management, aka CardSpace, has still to support two-factor authentication, for example, a weakness when it comes to minimising the risk of social engineering attacks and general stupidity-based threats. All the same, there is no other real alternative being touted. If it’s not yet one to implement, it’s certainly one to keep in mind.
