Bret Piatt

Cloud computing makes “blacklists” obsolete, now is the time for “digital identities”

by Bret Piatt on Jul.25, 2009, under Personal, Politics, Technology

A common security technique is to classify attackers by IP address or reverse DNS lookup and blacklist the bad ones.  This technique has been falling in popularity with the increased use of DHCP and NAT for Internet access: a single address now maps to a changing set of users, so a block misses the attacker after the next lease change and catches whoever inherits the address instead.  Cloud computing will be its death knell.

Cloud computing lets an attacker switch IP addresses on demand for as little as $0.015 per switch or per hour of holding the address.  Right now only a few clouds exist, so it isn’t quite the wild west yet, but over the next 2-5 years we’ll see thousands of dedicated hosting providers switching to offer cloud services, each with its own pool of rapidly recycled addresses.
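To make the rotation argument concrete, here is an added example (not code from the original post): an IP-keyed blocklist run against an attacker who switches cloud addresses for every request, beside a blocklist keyed on an identity that a trust provider vouches for. The address pool, the innocent tenant sharing it, the "examplebank" provider and its HMAC shared secret are all constructed for illustration; the HMAC stands in for the certificate-style hierarchy the post goes on to propose.

```python
"""Added example (not from the original post): an IP-keyed blocklist against
an attacker who rotates cloud addresses, beside a blocklist keyed on an
identity vouched for by a trust provider.

Constructed for illustration: the address pool, the innocent tenant, the
'examplebank' provider and its HMAC secret are all hypothetical.
"""
import hashlib
import hmac
import ipaddress

# Constructed: one cloud pool (RFC 5737 documentation range) shared by the
# attacker and an innocent tenant who holds the last address.
CLOUD_POOL = list(ipaddress.ip_network("203.0.113.0/28").hosts())  # 14 hosts
TENANT_IP = CLOUD_POOL[-1]
ATTACKER_IPS = CLOUD_POOL[:-1]


class IpBlocklist:
    """Classic blocklist: exact addresses, or whole prefixes via `prefix`."""

    def __init__(self):
        self.blocked = []  # ip_network objects

    def flag(self, ip, prefix=32):
        self.blocked.append(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def is_blocked(self, ip):
        addr = ipaddress.ip_address(str(ip))
        return any(addr in net for net in self.blocked)


class IdentityBlocklist:
    """Blocklist keyed on a subject asserted by a trust provider.

    The provider signs the subject with a key the relying party knows (an
    HMAC shared secret stands in for the certificate hierarchy the post
    describes).  A missing or bad signature is treated as untrusted rather
    than as a fresh, clean identity.
    """

    def __init__(self, provider_keys):
        self.provider_keys = provider_keys  # {provider name: secret bytes}
        self.blocked = set()

    @staticmethod
    def _mac(key, provider, subject):
        return hmac.new(key, f"{provider}:{subject}".encode(), hashlib.sha256).hexdigest()

    @classmethod
    def issue(cls, provider, key, subject):
        """What the trust provider hands the user to present to relying parties."""
        return {"provider": provider, "subject": subject,
                "mac": cls._mac(key, provider, subject)}

    def verify(self, assertion):
        """Return 'provider:subject' if the assertion is genuine, else None."""
        key = self.provider_keys.get(assertion.get("provider"))
        if key is None:
            return None
        subject = assertion.get("subject", "")
        expected = self._mac(key, assertion["provider"], subject)
        if not hmac.compare_digest(expected, assertion.get("mac", "")):
            return None
        return f"{assertion['provider']}:{subject}"

    def flag(self, identity):
        self.blocked.add(identity)

    def is_blocked(self, assertion):
        identity = self.verify(assertion)
        return identity is None or identity in self.blocked


def simulate_ip_rotation(requests, prefix=32):
    """Attacker sends `requests` abusive requests from a new pool address each
    time; the defender flags the source once the abuse is noticed.
    Returns (requests blocked before processing, innocent tenant blocked?)."""
    bl = IpBlocklist()
    blocked = 0
    for i in range(requests):
        ip = ATTACKER_IPS[i % len(ATTACKER_IPS)]
        if bl.is_blocked(ip):
            blocked += 1
            continue
        bl.flag(ip, prefix)  # detected only after the request got through
    return blocked, bl.is_blocked(TENANT_IP)


def simulate_identity(requests):
    """Same abuse, but every request carries an assertion from a trust provider.
    Returns (requests blocked before processing, forged assertion blocked?)."""
    keys = {"examplebank": b"constructed-shared-secret"}
    bl = IdentityBlocklist(keys)
    genuine = IdentityBlocklist.issue("examplebank", keys["examplebank"], "acct-1234")
    forged = {"provider": "examplebank", "subject": "acct-9999", "mac": "00" * 32}
    blocked = 0
    for _ in range(requests):
        if bl.is_blocked(genuine):
            blocked += 1
            continue
        bl.flag(bl.verify(genuine))  # the flag follows the identity, not the address
    return blocked, bl.is_blocked(forged)


if __name__ == "__main__":
    print("per-address blocks, 10 rotating requests:", simulate_ip_rotation(10))
    print("block the whole /28 instead:", simulate_ip_rotation(10, prefix=28))
    print("identity-keyed blocks:", simulate_identity(10))
```

Run stand-alone, the three lines show the trade-off the paragraph describes: blocking exact addresses stops none of ten rotating requests; widening the block to the whole /28 stops nine but also cuts off the innocent tenant sharing the pool (the same collateral damage DHCP and NAT already cause); keying the block on a verified identity stops nine with no collateral, and a forged assertion is refused outright rather than being treated as a new, unblocked user.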

So what this means to the IT security world is that you have some time to think about this and get it right using the few clouds out there now.  “Getting it right” may require more than individual enterprises each coming up with a way to solve it for themselves.  We really need to get together as an Internet community and discuss this in the broader scope of entity identification.  I use the term “entity” because we need a way to identify both systems and individual users.

We're going to digital ID, the train is leaving the station

Identity and access management has always been viewed as an enterprise or site-specific issue; this needs to change.  The recent Twitter hack is an example of how out of control identity and access management has become.  Understanding and documenting all of the application interactions around identity management in an enterprise is something few, if any, have a firm grasp on.  We’ve finally reached the point where an Internet-wide “digital identity”, with a centralized identity and access management architecture similar to the domain registration/SSL certificate hierarchy, is needed.

OAuth and OpenID are a good place to start the discussion: OAuth handles delegated authorization and OpenID handles federated authentication, so the frameworks are there, but neither has a centrally managed authority, or list of authorities, to vouch for who is actually behind an identifier.  Major “trust” providers on the Internet need to get together and solve this: VeriSign, Google, Microsoft, Ebay/Paypal, banks, and major Internet Service Providers (AT&T, Verizon, Comcast, Cox, Time Warner, etc.).

Major Web 2.0 players have large directories of people but no real trust relationship with them: just because you have a Myspace/Facebook/Twitter account doesn’t mean I should trust the e-mail you send me, but if Chase Bank says you have a bank account with them and you’re sending me an e-mail, I’m much more likely to trust it.  With the appropriate identity management, if you’re sending spam I can flag that and Chase will tie it to your “digital identity”, which is tied to the “real identity” you provided when you created that bank account.  It will be much more difficult to create new identities than it is today, and we’ll see a significant decrease in “wild wild west” type behavior on the Internet.

The secondary benefit is consumers will also start to take security more seriously as they won’t want to waste time getting the “spammer” flag removed from their digital identity because their system was hacked (similar to disputing things on your credit report if the system works out properly).  They’ll also prioritize security in their buying decisions forcing system vendors to take it more seriously.

A tertiary benefit will be a reduction in the misleading activities that lead to horrible events like the Myspace teen suicide, because people won’t be able to create fake identities to hide behind.  Some may say this is part of the “fun” of the Internet, as it allows them to escape from their day-to-day lives.  That type of fun isn’t good for either party involved; typically part of the fun is misleading other people, as in the recent case of the woman who pretended to be a 15-year-old kid with cancer.  “Fake identity” activities like this should be restricted to a place like Second Life, where everyone knows people are pretending.

As private industry and a world society, I hope we can take care of this ourselves before it gets so out of control that Congress tries to figure out how to do it and we end up with some horrible mess of a “National ID and Digital Identity Act” that looks at the problem only from the perspective of the USA.  That would make it very difficult for non-US citizens to do anything online (as most of the major Internet properties are US based), creating a whole new barrier for third-world citizens to overcome.
