The Identity Crisis (1) - Membership vs Ownership

November 4, 2009

Identity management -- the process of establishing the identity of a remote user (or system), managing access to services by that user, and maintaining identity profiles concerning that user -- is a very active field of research and development. There are already quite a few systems in use. However, many of these systems suffer from severe security, privacy and usability issues. This results in an "Identity Crisis", a theme I will explore more in the coming months.

There are also several fundamental problems with identity management systems that apply to all current models of identity management, and not just to the current implementations of such models. One such issue is that identity management systems are being used to enforce different kinds of access rights. These access rights have different risk profiles, and therefore assume different trust relationships between users, identity providers and service providers. Unfortunately, people are unaware of this difference in access rights. This results in unacceptable risks.

The essential distinction one needs to make is between membership and ownership of a resource.

Identity management systems were first applied in business (to centralise access rights management to business applications) and education (to grant students access to the wireless network, the digital library and the computing facilities, even when they were from the same university). In both cases, what the identity management system is really being used for is to decide whether a certain user is a member of a group. In the first case it decides whether the user is a member of the group that has access to business application X. In the second case it decides whether the user is a student of a certain university or not. The resource being controlled is not owned by the user. And if someone abuses the resource, the user will not suffer damage. The risk of using the identity management system lies completely with the service provider.

More and more, identity management systems are being used to enforce ownership of a resource. The prime examples are online banking systems, and to a lesser extent email, chat, blog and social networking accounts. Illegal access to your bank account will hit you with a direct financial loss. Access to your email, chat and other systems may enable a criminal to 'steal' your identity, which may hurt you in many other ways. In this case, the risk of using the identity management system lies completely with the user.

How does this affect the use of identity management systems? To enforce membership, identity management assumes different trust relationships than to enforce ownership. In the first case, the service provider needs to trust the identity provider to reliably authenticate its members. In the second case, the user needs to trust the identity provider to reliably authenticate him. These trust relationships need to be enforced either by technological means, or through mutual agreements (SLA) with associated penalties. In either case, an identity management system to enforce membership is different from an identity management system to enforce ownership.

Further refinements can be made, actually.

In the case of granting students access to university resources, the damage associated with abuse (and therefore the risk of using identity management) is quite low. Except for extreme, denial-of-service cases, the university does not suffer any direct actual loss if non-students have access to the resources. This is the same for any subscription-based digital service, like online music or a digital newspaper. Because the marginal cost of a copy is essentially zero, there is no direct loss if non-members have access too. The losses incurred by such services are indirect, and are basically the result of fewer sales.

Granting access to business applications (and the associated data in particular) is much more risky. Not because of loss of revenue, but because most of the data is confidential. It could cause real or financial damage when it becomes public. Similarly, there is a difference between access to a bank account, and access to an email account. It is interesting to explore the economic literature to see whether other types of access can be discerned, and how they influence the trust assumptions (and perhaps business models) in identity management.
