CIO

Your Identity: 'Costanza Style'

When it comes to identity, consider me your own, personal "Inner Jerry."

Your identity is like George Costanza's wallet. Really. Think about it. Do you remember the classic Seinfeld episode? The one where George wouldn't give up his ever-expanding wallet filled with store credit cards, Irish money, a coupon for an Orlando Exxon gas station and several Sweet and Low packets. This, in spite of the obvious physical pain it caused and the security threat all of that imposed.

Costanza actually sat with a limp (if one can do that) when talking to Jerry and Elaine at the diner because his wallet was so fat. He remedied the situation, as only George could, by folding a fistful of restaurant napkins to support his other "cheek."

In the next scene when he saw an advertisement on a telephone pole, he tore from the posting a wafer-thin piece of paper and injected it into the wallet. Seconds later, the entire thing exploded, spewing its contents into the middle of the street with Costanza going ballistic.

Priceless.

The parallels between George's wallet and your identity are glaring. Both just: -are too complex and bulky (too many username and password combinations to remember) -are unsafe if they fall into malicious hands; and -might explode one day soon, causing you all kinds of grief, risk, fear, money and embarrassment.

That's the bad news.

The good news is that identity problems are solvable. Today. In fact, this problem has already been solved, which I'll get to in a minute. The key you need to remember now is: don't be like George. When it comes to identity, consider me your own, personal "Inner Jerry."

Yada, yada, yada.

Back in October, just before Halloween in fact, I wrote about the things that keep identity management professionals awake at night in an article called The Top 13 Identity Management Fears. That piece articulated the challenges organizations face in the scary new world of identity management, diagnosing and benchmarking just how bad all-things-identity had become.

Now, I'm prescribing a fix for the problem. Oh, and the prognosis for a cure is excellent, provided that in this brave new identity world (a world I'm calling "The Next Identity Model"), a few key steps are followed.

First, we'll start with defining the identity problem. Then, we'll look at parallels to how entire industries have already solved historically similar kinds of challenges. Next, I'll help you understand where this whole cottage-industry-in-waiting is headed from both a consumer and business perspective. And, finally, I'll paint a vision of what "The Next Identity Model" will look like so that a Costanza-like problem doesn't blow up in your face.

Identifying the problem

At the current rate of password expansion, you'll need hundreds of username and password combinations in the coming years. Remember, most websites today require you to use alpha-numeric combinations of 4, 8 or 12 characters, which, many times, are unique combinations that you don't use elsewhere.

A major analyst firm, IDC, added this: "Many dynamics are converging to create a challenging environment for secure identity and access management," said Irida Xheneti, Security Services Analyst with IDC. "These include the evolving technology landscape with new applications and systems emerging every day; a growing mobile workforce where portable electronics have become the back door to an organization; and the enterprise landscape where partners and suppliers demand access to corporate information. All of these factors have made securing user identities and enterprises a very complex and expensive task."

Before you know it, each month it seems like you've added another dozen or so username/ password combos. It's all just too much for any mortal to handle. And, life already has enough complications. The simple truth is that there are better things to do: soccer games to attend, ice cream to eat, work to finish, the latest cliffhanger of Lost to watch.

So, like the rest of us overworked, time-starved and memory-constipated folk, you take the easy way out. An understandable choice, to be sure, but who are we kidding. It just doesn't work well in the real world.

But, I can guarantee that all your little personal "password tricks" that you thought nobody else employed are just dripping with danger -- unnecessarily. These include: -If it works for one, it'll work for 'em all. Making every combo the same is not safe, yet many people employ this tactic. The problem? If a bad guy gets your New York Times username and password combo, then he also gets your banking combo. See the problem? -The "easy one to remember" method. Okay, the word "password" is not a good password. Do I really need to explain this one? -The "sticky note" approach. This involves writing all of your combos down on one pad of paper or, worse yet, sticky notes dangling all around your computer screen. Now, what happens if you lose the paper or notes, they're stolen or somebody walks by your cube and photographs, copies or otherwise compromises them? Not good.

In spite of the obvious problems associated with each, these are still the most popular ways to handle identity and password challenges. A better method must exist, but what? A better system must be developed, but by whom?

Page Break

Historical precedent

Do you remember when store-based credit cards were all the rage? Every major store (and even smaller ones) had one. Many still do. Sears. Macy's. The local lumber store. The local drug store. Kmart. The Orlando Exxon station.

You name the store, they had a card. And, your dad had pretty much all of them in his very own Costanza-like wallet.

Of course, that meant stores had to manufacture and dispense their own cards, hire legions of accountants to manage the credit all while becoming pseudo-experts in the credit business in addition to their core competency of running their business.

Finally, somebody realized that a single, secure and universally accepted card could do the work of many, and BankAmericard (now called Visa) was born. Soon, it was followed by MasterCharge (now called MasterCard), American Express and others; enabling a single, secure identity to vouch for all transactions.

However, this one-card-fits-all approach had to overcome five key obstacles; the same ones facing those trying to solve today's identity problems: 1) trust and security; 2) independence; 3) ease-of-implementation; 4) liability and 5) global access.

Let's look at how the credit companies solved each obstacle and lay out a plan regarding what identity needs to do:

Issue: What credit did. What identity needs to do.

-Trust and security Established a secure, trusted system that ensured people could purchase and business was paid. Establish a secure, trusted system that ensures that identities can access and systems allow that access securely, confidently.

Independence Created an entity independent of the bias of the vendor. This enabled disputes to be resolved transparently and equitably and processes that equally served everyone. Create an entity independent of the bias of the system owner, i.e., Amazon, Yahoo, Walmart.com. This will enable disputes to be resolved transparently and equitably and processes that equally serve everyone.

Ease of implementation Made it painless for vendors and consumers to use their service. Make it painless for service providers and consumers to use the identity brokerage service. This will be a standards-based implementation that serves all equally.

Reduced liability Insulated stores from the liabilities of managing credit, and enabled them to concentrate on what they did best; the making and selling of goods, and eliminating the credit and administrative burden. Insulate the service provider from the vagaries of identity management, policy and liability. Enable business to concentrate on the business, not the technology.

Global access Made it possible to use their cards regardless of geography, taking care of all translation, monetary exchange rates and other previous impediments to global commerce. Allow services to consume location-independent identities, taking care of all local, state and international laws related to identities.

The financial industry virtually eliminated the credit identity problem overnight with a simple 2' x 3' piece of plastic mixed with a boatload of trust and the willingness to solve a previously unsolved problem. Prior to BankAmericard, there just weren't many good, efficient, universally accepted and secure options for handling large amounts of transactions other than with cash.

Historical precedent, historical solution

Interestingly enough, Covisint, my company, already solves the identity problem for healthcare, manufacturing and other industries in much the same way that credit card companies eliminated the identity headache for the world's retailers.

In healthcare, Covisint now links physicians from entire states onto its platform, enabling the secure sharing of information and access to applications: All highly dependent upon a secure, federated identity model.

In manufacturing, Covisint became the electronic, global funnel through which orders were processed, parts were shipped, inventories were tracked and transactions were processed between major companies and their suppliers.

Regardless of industry, the common identity denominator to Covisint's success is that anywhere where large amounts of sensitive data needed to be securely shared, the Covisint collaboration platform fit nicely. The key to it all working was the identity and federation piece. Without that type of security figured out, the entire system would crash like a house of cards. Federation-in-the-cloud was the answer then, and it will be the answer to identities in the future.

Federation is defined as the ability to make identity portable. With identities, federation enables the concept of an "identity broker': A third-party, trusted and secure source that is independent of both parties transacting business.

Page Break

The Next Identity Model

This new way of managing identities is what I call "The Next Identity Model," and it turns the current and archaic identity model on its head by divorcing one's identity from the data.

Confused? Don't be. Soon, In the Next Identity Model, consumers and businesses alike will align with an identity broker to ensure the validity of each other in a transaction.

Think of it this way: your identity, often one of many username and password combinations today, is tied to each site you visit, each transaction you make. The Next Identity Model dictates that your identity will live outside of any site, any transaction, and become a thing of value, an actual asset, unto itself.

Think also of what happened in the banking industry. In the past, people had to physically walk into their specific bank to obtain cash. Today, with ATMs, all one need do is, with a simple four-digit number and a piece of plastic, prove their identity from virtually any point on the globe. Armed with this proof, the bank follows the bank customer, instead of the other way around. Unlike with the early years of credit, the ATM user is not required to carry scores of different money machine cards. The identity of the ATM holder, the bank customer, is divorced form the bank that originally issued the ATM card.

The Next Identity Model works much the same way. It is the only sensible answer to slaying the identity dragon and preventing Costanza-like problems within your own identity wallet. In this brave, new world, your identity will follow you and not be inherently linked to whatever specific transaction you're performing at the moment.

The benefits of this will be plentiful. It will be simple, flexible and easy-to-use, and you will control your identity; not all of the companies with which you do business. Of course, you likely will be subjected to small, monthly fee and businesses will be charged a small percentage of the transaction, for example, but isn't that much better than the current and onerous system?

Change is coming. Listen to "Your Inner Jerry." When it's all said and done, identity really will be a "problem about nothing." The Next Identity Model promises to be an "Identity Festivus for the rest of us."

Yada, yada, yada.

David Miller is Chief Security Officer for Covisint, where he is responsible for internal and external system architecture security issues for e-business exchange. In addition, Miller directs the identity management offering at Covisint, which currently secures access for automotive, healthcare and government customers.