New identity management options for SMBs
Takeaway: Identity management is emerging as one of the biggest challenges for users and companies, but new technologies such as Information Cards make it easier for SMB users to create and present multiple digital identities without having to memorize a large number of passwords.
Digital identities are the way people prove who they are in the electronic world, just as they use various documents to prove their identities in the "offline" world. We all have multiple ways of identifying ourselves: government-issued documents such as driver's licenses and passports are perhaps the most universally accepted way to prove identity, but most of us carry a whole wallet full of cards of various types for special purposes. We use credit and debit cards to make purchases, ATM cards to withdraw cash from banks, employee ID cards to get into our workplaces, insurance cards to identify ourselves to hospital admitting offices, membership cards to take advantage of the benefits of various clubs and organizations, "preferred customer" cards to get discounts at the grocery store, and so forth.
Much has been made of the concept of a single form of identification that could be used for all these purposes, but there are serious privacy and security concerns with that. Do we really want to expose a card (or implanted chip) that contains all of our personal identification, financial, and medical information to every waiter or bureaucrat who requires our identification?
Likewise, we have multiple identities that we present to different electronic entities. Some of these identities, which we provide to online retailers, might include our credit card numbers--but not our social security numbers. Others, that we use to look up our property tax statements, might include our home addresses--but not our phone numbers, and so forth. With identity theft a real and growing problem, we want to disseminate our information only on a "need to know" basis.
The password problem
The most common way to present our identities online is through a user account that is accessed via a user name and password. The easiest approach is to reuse the same user name and password for all our accounts, but that presents a big security risk. If an unauthorized person manages to discover those credentials, whether by technical "cracking" methods or through social engineering, he or she can then access all of our accounts.
So we create a different password for each account, or at least for each group of accounts. We might have one password for non-sensitive web sites, such as news sites where you have to log on to read articles. Sharing a password among these sites is a small risk, because the sites hold no credit card numbers, social security numbers, or other sensitive data; the most a bad guy can do with that user name and password is log on and read news stories. The caveat is that this only holds if the shared password is never reused anywhere that matters: a low-value site that stores passwords carelessly can leak them, and attackers routinely try leaked credentials against banks and e-mail providers.
We would, of course, want to have different and more secure passwords for sites such as our online banks, credit card companies and government sites that require entry of our social security numbers, driver’s license numbers and other sensitive information. In these cases, we’ll want a different password for each site so that if one is compromised, the hacker won’t automatically have access to the rest.
Then we run into an information overload problem: we have too many account names and passwords to remember. And if we can't remember them all, we're likely to write them down, which makes them more vulnerable to discovery.
The need for identity management
Clearly we need a way to manage all the different identities our users present during their online sessions, and a myriad of identity management products exist to address this problem. In the past, most have fallen into one of two categories:
- Inexpensive consumer level "password management" programs designed for home users. These are focused on a single user/machine and not intended to be used on a business network.
- Very expensive enterprise or federation level products that are beyond the budget of many small and midsize businesses and which introduce a level of complexity that the typical SMB’s IT staff may not be prepared to handle.
Now companies such as Microsoft, IBM, and Novell are working with web developers and application developers to provide a standardized "metasystem" that will let different identity systems work together and provide a user-friendly way of creating and using digital identities. This technology is called Information Cards.
How Information Cards work
Microsoft’s implementation of information cards is called Windows CardSpace and it’s based on .NET Framework 3.0. The CardSpace client software is called an identity selector. It is included in Windows Vista and is available as an add-on for XP SP2 and Server 2003 SP1. CardSpace is accessed through the Windows Control Panel.
It allows you to create "cards" that contain specific information you want to present to web sites or online services. You can have many different cards for different sites/services, each containing only the information you want that site or service to have. Then to log onto a site or service that supports information cards, you select and present a card instead of having to type in a user name and password. Cards can also be protected or "locked" with Personal Identification Numbers (PINs) to make them more secure.
This is obviously more convenient for the user; it’s like the difference between presenting your credit card at a store or restaurant and having to rattle off the credit card number, expiration date, verification code and so forth.
CardSpace supports two types of cards: personal cards that are created by the user and "managed" cards that are issued by businesses, employers, government agencies, or other entities whose services you log onto. Personal cards contain the same information you would typically type into a web form, but it’s encrypted and stored on your local machine so that you don’t have to type it in each time. Managed cards are created by the provider and most of the information is stored on the provider’s site, although the card name, date of issuance and expiration and history of sites where the card has been used are stored on your computer. The card information is stored either on the user’s computer or on the managed card provider’s site and is not sent to or accessed by Microsoft.
Sites that accept cards specify which claims (pieces of information) a card must contain, and the CardSpace user interface highlights the cards that satisfy that policy. Before a card is sent, you can review exactly what information it contains, and CardSpace shows you the site's identity as established by its certificate and the certification authority that issued it, so you can confirm you are dealing with the site you intend.
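To make the selection step concrete, here is an added Python model of what the identity selector does when a site announces the claims it requires. It is illustrative code written for this article, not CardSpace's own implementation: it filters the card store for cards that can satisfy the policy, releases only the requested claims (the "need to know" principle from earlier), and derives a site-scoped identifier so the same card presents a different identifier to every site, which is also the property that blunts phishing (see the next section). The claim-type URIs are the CardSpace self-issued claim namespace; the card store, the per-card secrets and the derivation function are constructed for the example.

```python
import base64
import hashlib
import hmac

# Claim types are identified by URI; these are the self-issued claim types
# in the CardSpace/Information Card claim namespace.
CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
GIVENNAME = CLAIM_NS + "givenname"
SURNAME = CLAIM_NS + "surname"
EMAIL = CLAIM_NS + "emailaddress"
PPID = CLAIM_NS + "privatepersonalidentifier"

# Constructed sample card store (not a real CardSpace store). Each personal
# card carries only the claims its owner chose to put on it, plus a
# card-private secret from which per-site identifiers are derived.
WALLET = {
    "news-reader": {
        "secret": "5d1f0c4b9a2e7f83",
        "claims": {EMAIL: "reader@example.com"},
    },
    "shopping": {
        "secret": "a7c3e9b1d4f60258",
        "claims": {GIVENNAME: "Ann", SURNAME: "Lee", EMAIL: "ann.lee@example.com"},
    },
    "anonymous": {
        "secret": "03e8b1c5f7a2d946",
        "claims": {},
    },
}


def matching_cards(wallet, required_claims):
    """Names of the cards that can satisfy every claim the site requires.

    This is the filtering the identity selector does before it highlights
    cards in its UI. A PPID is synthesized per site rather than stored on
    the card, so requiring one never disqualifies a card.
    """
    needed = set(required_claims) - {PPID}
    return sorted(name for name, card in wallet.items()
                  if needed <= set(card["claims"]))


def site_ppid(card, relying_party):
    """Site-scoped identifier for one card at one relying party.

    Derived from the card's private secret and the site's identity, so the
    same card yields unrelated identifiers at different sites, and a
    look-alike phishing site receives an identifier that is useless at the
    real one. Modelled after, not identical to, CardSpace's PPID derivation.
    """
    mac = hmac.new(card["secret"].encode(), relying_party.encode(),
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_token(card, relying_party, required_claims):
    """Release exactly the claims the site asked for, nothing more.

    Raises ValueError if the chosen card cannot supply a required claim,
    mirroring the selector refusing to present an unsuitable card.
    """
    token = {}
    for claim in required_claims:
        if claim == PPID:
            token[claim] = site_ppid(card, relying_party)
        elif claim in card["claims"]:
            token[claim] = card["claims"][claim]
        else:
            raise ValueError(f"card cannot supply required claim {claim}")
    return token


if __name__ == "__main__":
    policy = [EMAIL, PPID]  # what a news site might require
    print("cards usable at news.example:", matching_cards(WALLET, policy))
    print(build_token(WALLET["news-reader"], "news.example", policy))
```

Two things are worth noticing when running it. The "shopping" card holds a name, but a site that asks only for an e-mail address and a PPID never receives the name, because the token is built from the policy, not from the whole card. And the PPID for `bank.example` and for a look-alike such as `bank-example.net` differ, so a phished token cannot be replayed at the real site; a plain password typed into the look-alike would have worked everywhere it was reused.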
How Information Cards can benefit SMBs
Information cards make it easier for SMB users to manage logon and other information for the web sites and services they need in the course of doing their jobs. They help protect against phishing in two ways: the selector shows the site's identity as verified by a trusted third party (the CA) before anything is sent, and because the user presents a card rather than typing a password into a web form, a look-alike site has no reusable password to capture. They also ameliorate the problems inherent in multiple user accounts and passwords, such as users reusing one password everywhere or writing passwords down because they cannot remember them all. Users can back up their cards or transfer them to another computer; because a backup contains the cards' secrets, it should be protected with a strong passphrase and stored as carefully as any other credential.
Information cards are not proprietary and can be used with any browser on any operating system. CardSpace is not an identity provider; it works with different identity providers but gives users a common and simple interface for creating and presenting digital identities. For more detailed technical information about how CardSpace works, see http://msdn2.microsoft.com/en-us/library/aa480189.aspx.