Security and Identity: Balancing Privacy, Flexibility, and Ease of Use

Page 3 of 5

Identity Issues
Regardless of the device being used, in order to gain access to proprietary information, consumers need to identify themselves in some way. Effective security systems require some method of identifying those who have various types of legitimate access to information, controlling their ability to access that information, and having systems in place to manage and audit the effectiveness of these security efforts. In short: Are the right people seeing the right things at the right time, and not seeing the wrong things at any time?

To ensure this appropriate access, though, content owners should take a "less is more" approach, suggests Benjamin Wright. Wright is an attorney who teaches digital law at the SANS Institute in Bethesda, Md. He is the author of The Law of Electronic Commerce (Aspen Publishers, 2010). "I have been wrestling with, writing about and advising clients about digital identity, authentication, ownership and security for many years," says Wright, who adds that he is "skeptical of universal, widely applicable solutions because they invariably rely upon some entity (a verifying authority) being in existence and performing responsibly for a long period of time." Maintenance of such an entity, he says, is not easy.

"When thinking about the owners of property that want to limit who has access to it, something that I don't believe organizations appreciate enough, is how dangerous identifying information is today," says Wright. In other words, they don't appreciate the risks they incur when they begin to collect identifying information about the people accessing their systems.

"We have an explosion of new laws requiring organizations to protect the privacy of information and to take action when there has been some breach of security with respect to identifying information," he says. In practice, he says, this means that identifying information is inherently risky, and the risks are growing. "The more that you have [people's] names, addresses, credit card numbers, social security numbers, [driver's] license numbers and IP addresses and other identifying information, the more you are simply increasing your risk because you have to secure that information." In addition, he notes, the expectations for securing that information vary around the world. So organizations that do business in a global environment and find themselves with the IP address of "Pierre from France" need to make sure that they've registered with the appropriate authorities and applied the appropriate security controls, based on the protocol and requirements in France.

Therefore, Wright says, "Watch out! Identifying information has a cost and that cost is rising. You need to build that into your overall model when you're assessing how you will protect your property." Importantly, he notes, it is not always necessary to gather identifying information to protect intellectual property. "That's not the only method."

However, he adds, universal identifying schemes are not the answer either. "There are people who have been arguing for this universal method for identifying you on the Internet since the 1990s," he says. "It didn't work 15 years ago when people tried to propose it and I'm kind of skeptical of it today."

Another key element of identification is preventing people from assuming the identity of another person. "A web application that's not secure can be infiltrated by an intruder," says Alapati. In some cases, he says, intruders "can actually track what you're doing and take your ID and log in as you and you're not aware of the person doing it." Really tightening down on these opportunities for identity theft is where security practices are moving, he says.

That can be especially troubling with single sign-on systems that provide access to multiple applications. But further security can be added by including authentication at different points in the user experience, or at "session levels," says Smith David.

The different factors involved in authentication are something you know, something you have, or something you are, says Prosch. The something you know might be things such as your mother's maiden name, the city where you were born, the name of your childhood pet, etc. Something you have might be a one-time-use password. Something you are gets into the area of biometrics. "It has become very cheap to add readers to laptops," she notes, but she adds that problems with false negatives continue.

Technology exists to provide the levels of security necessary to protect data in whatever manner a content owner would like to protect it. Interestingly, this may be the easy piece. What becomes more complex is making decisions about the various types of access to allow and keeping content usage open and flexible while also secure and respectful of users' privacy expectations.
