Policing user identities

One of the most difficult things we do as human beings is define ourselves as individuals. This is hard enough to do in the real world; consider the vast amounts of money people spend on cars, hairstyles, and other body modifications to create a persona. In cyberspace, it's even tougher -- as The New Yorker pointed out in a famous cartoon six or seven years ago, "On the Internet, nobody knows you're a dog."

For businesses the problem is twice as difficult because executives not only are trying to sort out their customers but are defining their company, all while trying to maintain a sense of privacy to shield personal user information and sensitive corporate data from prying eyes. At the same time, employees are struggling to keep track of themselves.

Furthermore, the proliferation of distributed systems is responsible for many of the problems businesses and customers face while trying to manage digital identities and associated personal data. A new set of security tools to help businesses and individuals meet the need for digital identity management is arguably the third generation of authentication and authorization software, the first two being device- and LAN-oriented solutions. Because organizations and security vendors alike are just starting to implement digital identity management systems, the tools will require time to mature.

Although every operating system and many applications come with their own system for controlling security access, it is not enough. Managers began years ago to use tools such as directory services to consolidate security information, but the explosion of Web-delivered services has outpaced much of this effort.

Hardware and software vendors are finally starting to address the digital identity management problem. Unfortunately, too many of them are jumping on a bandwagon that's already halfway down the block. But even the best hardware and software will stumble when confronted with unexpected situations.

Of course, business executives get in trouble by assuming certain things about customers that aren't always valid. For example, many Web sites identify users by e-mail addresses. This is fine and good as long as the customer has a single e-mail address. In reality, many users have multiple addresses, including duplicate addresses on the same system.

In addition, company mergers and acquisitions, and even internal system changes, will throw off the e-mail trail, because those events often lead to changes in a company's addressing scheme or its domain name. Determining which addresses are in use and which ones are dead -- or traps for junk e-mail -- becomes imperative whether a company is trying to offer a verified base of subscribers or is simply cleaning up its database. Sometimes companies have other junk data to deal with, such as incorrect personal information. If e-mail addresses are relatively easy to verify, other data is less so.
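The two paragraphs above describe a concrete data-quality failure: keying customer identity on raw e-mail strings splits one person across several records, and a domain rename after a merger splits them again. The script below is an added example, not code from the column or from any product it discusses. It canonicalizes addresses (lowercased domain, trailing dot stripped, a constructed old-domain-to-new-domain rename table applied) and then groups records that share a canonical key, so a database clean-up can see which records belong to one customer and which addresses cannot even be parsed. The lowercasing of the local part is an assumption that the receiving mail system treats it case-insensitively; the sample customer table is constructed for the example.

```python
"""Canonicalize customer e-mail identifiers and find duplicate records.

Added example (not from the original column). All sample data is constructed.
"""
from collections import defaultdict
from typing import Optional
import re

# Constructed: after an acquisition, mail for oldco.example now arrives at newco.example.
DOMAIN_RENAMES = {"oldco.example": "newco.example"}

# Deliberately loose: one '@', no whitespace on either side. A production system
# would validate more strictly, but this is enough to key records consistently.
_ADDR_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def canonical_email(raw: str) -> Optional[str]:
    """Return a comparison key for an address, or None if it is not well formed.

    Domain names are case-insensitive (RFC 1035), so the domain is lowercased and
    a trailing dot is dropped. Lowercasing the local part is an assumption: RFC 5321
    leaves local-part case to the receiving server, though nearly all providers
    ignore it. A renamed domain is mapped to its successor so old and new
    addresses for the same mailbox collapse to one key.
    """
    m = _ADDR_RE.match(raw.strip())
    if not m:
        return None
    local, domain = m.group(1), m.group(2).lower().rstrip(".")
    domain = DOMAIN_RENAMES.get(domain, domain)
    return f"{local.lower()}@{domain}"


def merge_by_email(records):
    """Group customer records that share a canonical address.

    Returns (groups, rejected): groups maps canonical key -> list of record ids in
    input order; rejected lists ids whose address could not be parsed at all.
    """
    groups = defaultdict(list)
    rejected = []
    for rec in records:
        key = canonical_email(rec["email"])
        if key is None:
            rejected.append(rec["id"])
        else:
            groups[key].append(rec["id"])
    return dict(groups), rejected


def duplicate_groups(records):
    """Return only the groups holding more than one record: the split identities."""
    groups, _ = merge_by_email(records)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


# Constructed sample customer table: one person under an old and a new domain with
# mixed case and stray whitespace, one partner with a trailing dot variant, one
# unparseable entry, and one clean record.
SAMPLE = [
    {"id": 1, "email": "Jane.Roe@OldCo.example"},
    {"id": 2, "email": "jane.roe@newco.example"},
    {"id": 3, "email": "JANE.ROE@newco.example "},
    {"id": 4, "email": "bob@partner.example."},
    {"id": 5, "email": "bob@partner.example"},
    {"id": 6, "email": "not-an-address"},
    {"id": 7, "email": "carol@shop.example"},
]

if __name__ == "__main__":
    groups, rejected = merge_by_email(SAMPLE)
    for key, ids in groups.items():
        print(f"{key}: records {ids}")
    print("unparseable:", rejected)
```

Running it shows records 1, 2 and 3 collapsing to one customer and 4 and 5 to another, while record 6 is reported rather than silently kept as a phantom user. The rename table is the piece a deployment has to maintain by hand after each merger or domain change; nothing in the address itself reveals that oldco.example and newco.example are the same organization.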

Beyond e-mail, customers often supply personal data as part of creating a digital persona on an e-commerce site, whether for marketing purposes or simply to complete the transaction and receive the goods or services. What organizations can and should do with this information is becoming an increasingly complex question.

Consumers are becoming aware and concerned about how their data can be used and misused; European countries in particular impose much stricter rules on how personal information can and can't be handled. The situation in the United States is much more fluid; in the absence of meaningful federal legislation, some states such as California are discussing their own laws and regulations. We expect that in five to 10 years, the States will catch up with European standards, although businesses will kick and scream every inch of the way.

Control vs. visibility

It's clear that customer privacy concerns are well-founded, because every few months brings another incident in which credit card information or other sensitive data is leaked into a chat room. It's equally clear that e-mail addresses alone won't be enough to identify people on the Internet of the future.

Two companies known more for their operating systems are rising to the challenges of digital identity management, and not a minute too soon. Microsoft Corp. Passport and Novell Inc. iChain represent two approaches to the question of how to handle sensitive company and personal data while making it easier to use the Web securely.

Not surprisingly, the biggest difference we have seen and read about between the two -- the marketing -- plays to each company's strengths. Passport displays a more consumer, mass-market focus; the service's home page at www.passport.com touts the ease of online shopping and child-protection and family-friendly features. On the other hand, iChain is shaping up to be a business-oriented product for securing one's extranet. On the market for over a year, both products have proved their mettle.

Both companies are providing a new type of Internet directory service, which may represent the directory of the future. Each relies on a secured store for user IDs and passwords from each site. One difference is that businesses using iChain control their own repositories, which are accessed through NDS (Novell Directory Services) eDirectory, whereas Passport stashes user data on Microsoft's servers.

This last feature caused a stir when an early version of the Passport user agreement was found to state that Microsoft, not the consumer, would own the data stored by Passport (see "Microsoft alters Passport terms of use," www.infoworld.com/printlinks). Microsoft backed down quickly, but questions of data ownership will surface again.

Although Novell's offering appears more technically elegant and gives deploying businesses more control over authorization and authentication, Microsoft's monopoly of the desktop market gives Passport a hefty lead, if only because businesses and consumers are notorious for taking the path of least resistance. Hotmail and MSN users and subscribers to Microsoft's DeveloperNet program are already using Passport.

Tools for digital identity management will require time to fully develop. Of course, how the inevitable weaknesses are found will matter greatly. An IT executive whose company relies on iChain, Passport, or a similar tool won't appreciate being embarrassed by cyberburglars but also won't worry about "theoretical" vulnerabilities.

Nevertheless, we wouldn't be surprised if consumers and businesses wait a few more years before putting their digital identities in someone else's hands. Until issues such as data ownership and privacy are resolved, it's hard to know whom to trust and how much you can trust them. In the meantime we expect businesses to muddle along as they have so far, doing no more to protect consumer privacy than the law requires, and keeping customers in the dark until it's too late.

P.J. Connolly (pj_connolly@infoworld.com) covers groupware, messaging, networking, operating systems and security for the Test Center.


Digital identity management

Executive Summary: Organizations are no longer just trying to authenticate against a department or even the enterprise, but the entire world. Next-generation services such as Microsoft Passport and Novell iChain will lead the way for authenticating external customers, partners, and users.

Test Center Perspective: Microsoft's consumer-oriented product may give it an edge over other solutions, although the company should do a better job of securing its own servers to gain consumer trust. The market is still young enough for competing products to prevail, although they face an uphill, but not impossible, battle.
