Identity… as important as it is, the methods by which we prove our identity have not changed much in the last 50 years. Relative to the rest of technology, our digital identity has changed possibly even less.
Identity in the physical world entails us providing evidence: a passport, a birth certificate, a driver’s license, or at its most basic level our person… people can verify they are communicating with their intended party because they know what we look like and we are face to face.
Digital identity entails us providing what? A username and password? An email address? Did anyone verify I am who I say I am, beyond confirming that I could successfully access the email account I specified?
This is the issue with security today. Most days I listen to organizations talk about their “security” needs. They talk about encryption in transit, encryption at rest, encryption standards. They talk about how the cloud isn’t secure and their datacenter is. If recent events have taught us anything, it is that the soft spots are what hackers and government spy agencies target.
Most of my security discussions with security teams are a distraction from the real problems. Sure, we need encryption when we transmit things, and encryption at rest is generally a good thing, but these are all generally accepted standards, and for many they satisfy a compliance checkbox. Compliance, ultimately, is what security officers provide… real security as businesses have imagined it doesn’t exist, and frankly we’re not doing much to help ourselves.
The problem isn’t encryption; it’s that when I exchange information with someone, even when using a secure file-sharing solution, the only method by which I’m proving someone’s identity is whether they can access incoming email at the address specified. Encryption, DRM, all of those things rely on email addresses… access to an inbox, or perhaps just the usually unencrypted SMTP traffic.
We don’t know if destination endpoints have been compromised, we don’t know if the processes we’re using are malicious (or secretly stealing our data)… and most of all, we don’t know if the person at the email address we send to really is who they state they are.
Data security + no identity management = zero “security”