A Good, Unified Theory

Don't wait for identity management's grand schemes to get aligned before diving into the maw

Albert Einstein spent the last decades of his life working to discover the unified theory to pull together classical and quantum physics. In doing so, he wrestled with some of the concepts that vex security experts today: While it seems necessary that good security practices are uniform no matter the organization to which they apply, in practice there are things that work well for very small units but not for large, and vice versa.

Among the things that have to be worked out for all groups is the question of identity. Microsoft has developed CardSpace, a single identity and payment information store that's implemented in Vista. (See Microsoft Vision Raises Questions.) It's an interesting implementation that promises to securely store a whole bunch of private information, and then securely transmit that information to systems requiring it.

The same promises are at the heart of the Higgins Project. The differences between the two are that the Higgins Project is open source (CardSpace isn't), and CardSpace is unique to the Windows platform while Higgins aims to be a cross-platform standard.

The Higgins Project team and Microsoft seem to be in the process of working things out so that Higgins data and CardSpace data can be shared between systems. (See Open-Source Projects Team on Identity Management.) If it works out, it will be a major step forward in unique, verifiable online identity management.

While you're waiting for the development teams to finish their versions of the Unified Theory, you might do some thinking of your own. For example, just as individual particles aren't static, but move in probabilistic fashion, users tend to move in their own orbits, vibrating here and there inside (and outside) the organization.

How well do you keep up with their movements? Permission creep is a real concern in today's network directory structure, but as we add more information to the data store, keeping it current -- and knowing when and how to securely purge user records (or portions of records) -- becomes absolutely critical.

Other related issues to ponder:

  • What triggers a change in the user record?
  • How is information verified?
  • At what intervals are all records examined to make sure nothing has slipped through the cracks?

In short, what is the process ensuring that all the information securely stored and transmitted is correct? Your organization will be much happier if you know the answer to that question before you begin implementing the Great Identity Management System.

Physicists have taught us that you don't have to wait for the Grand Theory of Everything to be published before you can do valuable work. While you're waiting for the earth to shake with the brilliance of the Products Yet to Come, make sure your security processes (you know, the ones that keep the planets spinning happily in their orbits) are ready for any technology that comes along.

— Curt Franklin is an enthusiastic security geek who used to be one of the Power Rangers (the red one, we think). His checkered past includes stints as a security consultant, an IT staffer at the University of Florida, security editor at Network Computing, chief podcaster for CMP Technology, and various editorial positions at places like InternetWeek, Byte, and Hog Monthly. Special to Dark Reading.