First off, I am of the opinion that many of Infosec's ills begin and end with the failure to see relationships and instead pass off binary notions of secure/insecure with silver bullet "solutions".
Phil Windley's interview with Bob Blakley on identity relationships describes some very important, subtle differences in identity. The distinctions Bob describes are very valuable for unlocking ways we can differentiate identity, threat models, protections, and use cases. Hat tip to Adam for pointing this out; here are my notes.
* Identity as a standalone artifact is unsatisfactory. Identity creates relationships. Hannaford, TJX, and Heartland stored more data than they needed. When that data was breached, it created a set of business relationships for those companies. There is no free lunch.
* When we are talking about identity, we are talking about people, not data or programs. (Note: one trick I have used several times in the past, when a programmer is taking a shortcut on a security design and says "X will be good enough", is to ask whether we can test X using his SSN or bank account number. This often produces a design change. If that doesn't work, ask if you can use their mom's SSN or bank number; you get the idea.)
* Bob describes three types of identity relationships: 1) custodial, for high value, like a bank's large customers; 2) contextual, for a specific use; 3) transactional, where you need a minimal data set to accomplish a specific, often point-in-time, task.
As you can see from the above list of relationships, when you confuse the storage, usage, and security profile of these three types, i.e. aggregate as if you are custodial and then protect as if it's low value, you get a bad business outcome. The job of security and identity architects, then, is to calibrate cost and effort against the value created. This is an extremely useful way to think about identity information because it leads to distinct actions and outcomes.
To summarize, identity, like security, begins with knowing your assets. You can use Bob's categories as a way to think about and value your identities; then your job is to find countermeasures that are commensurate with your value and risk appetite. The classic anti-pattern is applying weak controls as if you were only using a low-value transactional identity when you are in fact aggregating tons of high-value custodial identity data in a CRM.
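One way to make that anti-pattern checkable is to audit each identity store for the relationship type its stored attributes actually imply, rather than the type the owning team declared. This is an added example, not from the post or from Bob Blakley's work; the attribute lists, control names and the CRM record are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed minimal data set for each of the three relationship types
# (the post names the categories; these attribute lists are constructed).
MINIMAL_DATA = {
    "transactional": {"order_id", "email", "shipping_address"},
    "contextual": {"email", "display_name", "preferences"},
    "custodial": {"email", "legal_name", "ssn", "bank_account", "dob"},
}
# Attributes whose mere presence makes a store custodial-grade, whatever its label.
HIGH_VALUE = {"ssn", "bank_account", "dob", "legal_name"}
# Assumed baseline controls required for the value a store actually holds.
REQUIRED_CONTROLS = {
    "transactional": {"tls"},
    "contextual": {"tls", "access_logging"},
    "custodial": {"tls", "access_logging", "encryption_at_rest", "retention_limit"},
}
RANK = {"transactional": 0, "contextual": 1, "custodial": 2}


@dataclass
class IdentityStore:
    name: str
    declared: str        # relationship type the owning team believes it holds
    attributes: set      # attributes actually stored
    controls: set        # controls actually in place


def effective_type(store):
    """Relationship type implied by what is aggregated, not by intent."""
    if store.attributes & HIGH_VALUE:
        return "custodial"
    if store.attributes - MINIMAL_DATA["transactional"]:
        return "contextual"
    return "transactional"


def audit(store):
    """Return (effective type, findings) for one store; [] means calibrated."""
    eff = effective_type(store)
    findings = []
    excess = store.attributes - MINIMAL_DATA[store.declared]
    if excess:
        findings.append(f"exceeds minimal data set for {store.declared}: {sorted(excess)}")
    if RANK[eff] > RANK[store.declared]:
        findings.append(f"declared {store.declared} but holds {eff}-grade data")
    missing = REQUIRED_CONTROLS[eff] - store.controls
    if missing:
        findings.append(f"missing controls for {eff} data: {sorted(missing)}")
    return eff, findings


# Constructed example: a CRM labelled "transactional" that quietly aggregates custodial data.
CRM = IdentityStore("crm", "transactional",
                    {"order_id", "email", "ssn", "dob", "bank_account"}, {"tls"})
```

Running `audit(CRM)` reports the store as custodial with three findings (excess attributes, the declared/effective mismatch, and the missing custodial controls), while a checkout store holding only `order_id` and `email` over TLS comes back clean.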