People should be in control of their identity rather than companies controlling access and determining logins.
Following the release of The Jericho Forum's 14 commandments for identity, which promote a comprehensive and complete view of identity entitlement and access management, board member Adrian Seccombe claimed that he ‘needs another username and password like a hole in the head’ and said that his identity and password should be accepted.
Speaking at an industry roundtable this week, Seccombe said: “We are on the divide of a chasm between companies providing details on one side and users on the other side. There are far too many problems that increase the level of complexity and I wish we had an answer in place. People say that they wish they had an identity and something they know that they can use; I think we will see a major shift.
“We have got to move to a model that works as we are now proliferating authenticators and which do you use? I want my device to know me, it can hear my voice and has a knowledge of me from my fingerprint, so it needs to make a decision that it is me.”
Stephen Howes, founder and CTO of GrIDsure, said that there is an interest in usability and in the human being, as people have multitudes of passwords but often the user does not get to choose the password.
He said: “We have tried to solve this by making it more complex, as people will stick with something if it is easy up to a point, but they will find ways around it. End users do care, but they do not know the answer to the solution and see a data breach and say ‘life is like that’.”
The Jericho Forum identity commandments have been written to focus on the fundamental design issues surrounding identity management and the access to systems, services and data. According to Jericho, the commandments represent a set of open and interoperable principles that IT professionals can use to build a user-centric security framework within their organisations. They are as follows:
- All core identities must be protected to ensure their secrecy and integrity
- Identifiers must be able to be trusted
- The authoritative source of identity will be the unique identifier or credentials offered by the persona representing that entity
- An entity can have multiple separate persona (identities) and related unique identifiers
- Persona must, in specific use cases, be able to be seen as the same
- The attribute owner is responsible for the protection and appropriate disclosure of the attribute
- Connecting attributes to persona must be simple and verifiable
- The source of the attribute should be as close to the authoritative source as possible
- A resource owner must define entitlement
- Access decisions must be relevant, valid and bi-directional
- Users of an entity's attributes are accountable for protecting the attributes
- Principals can delegate authority to another to act on behalf of a persona
- Authorized principals may acquire access to (seize) another entity's persona
- A persona may represent, or be represented by, more than one entity
Independent cross-bench peer Merlin, Lord Erroll, said: “The creation of a large centralised database containing key identifiers and information is far too vulnerable. The private sector must avoid the Big Brother approach proposed in the now abandoned UK national ID card scheme.
“In the Jericho Forum identity commandments, ownership of essential personal data stays with the individual and cannot be compromised or exploited by any powerful player.”
Paul Simmonds, co-founder and board member of the Jericho Forum, said: “The inadequacies of traditional approaches which lump identity management and access management together simply highlight the need for a completely fresh approach. Entitlement is the key to separating identity management and identity access and promoting a more effective risk-based approach.
“Ultimately, we live in a world where commerce, collaboration and the Internet are all global; therefore identity for the 21st century must also be global. This new work focuses on the de-perimeterisation and globalisation of ‘identity’, and we see it as even more important than the original Jericho Forum Commandments, on which it is founded.”
Guy Bunker, Jericho Forum board member, said: “Security needs to change to become more data centric and to become more granular; simple username/password for complete access is no longer secure enough. The identity commandments are important as they begin to define how users will interact with organisations in the future and start laying out the principles dealing with identity and entitlement as part of access control.”
Commenting, Tim Dunn, vice-president of security strategy Europe for CA Technologies, said that the commandments were sound and work especially well because they refer to use cases, but that they have to be widely read.
“The Jericho Forum work is a good guidance to consider as people are coming from a position of underlying identity and access management and there is huge urgency to understand cloud adoption. Also this is more of a business decision to set up a new model, trust relationships as a business discussion, so it is not just an IT discussion,” he said.
“There is a move in security from what you cannot do to what you can do and not locking down, and security has changed that approach. You need a trust model on who you are and what you are doing, and make it easy to get information; once you are at a level of confidence, you can say who you are and use access in the right way.
“There is a change with identity in how it works, as you had to have a separate relationship with the bank, employer and telco, but you can create a portal. It is starting to be user-centric on a claim-based relationship. You get a unique identity provided by a third party that is based on the right to do that, but the identity will not be owned by the provider. Why do you have 19 identities? With eBay you build up a trusted account and with this you can build up a rich trust that is based on your ‘performance’ elsewhere.”