Nothing makes an identity professional think about his work more than crossing into another country. I had the opportunity to consider this truism six times over the holiday break, taking advantage of geography by using Canada as a shortcut between different family locations.
I grew up in Michigan, and my wife grew up in New York. The quickest route between these two locations is through the southern tip of Ontario. Between flying into Toronto to avoid the holiday mess at Chicago O’Hare and driving between the Michigan and New York destinations, I became fairly familiar with each country's border procedures. While I sat in line at the US border, German Shepherds sniffing around the car, I thought it would be interesting to compare a couple of examples of how authentication works in the physical world with their digital counterparts, and how an emerging class of applications mimics and perhaps improves on what's being done in the physical world.
The Physical Realm
First, let’s pick apart what’s happening in physical authentication from an identity professional’s point of view. In day-to-day authentication, a retail clerk asks to see your driver’s license—for example, to see if you’re old enough to buy alcohol. (This hasn’t happened to me in way too long, by the way.) The clerk looks at the license with varying degrees of scrutiny to see if the license appears to be genuine, the photo matches you, the description matches you, and the signature on the license matches your signature in front of them. Most people, however, simply look at the photo and confirm a pattern match with the person standing in front of them.
What is a driver’s license, anyway? It’s a token. This driver’s license “token” has attributes such as a photo, height, weight, and date of birth. It has an expiration date. It’s issued by an authority—the state—that certifies the validity of the values of these attribute. That certifying authority requires a variety of supporting documents, as the US driver’s license is accepted as a means of establishing identity. Its scope as identity credentials, however, is limited to the United States because proof of US citizenship isn't required to get a driver’s license. This is very similar in structure to a Kerberos ticket used in Active Directory (AD) authentication and authorization, or a Security Assertion Markup Language (SAML) token used in claims-based authentication for internet single sign-on (SSO). Both contain a set of attributes with values, and both are issued by a certifying authority.
A passport is also a token, with similar attributes. The primary difference is that a passport’s scope is international because it establishes nationality as well as basic identity characteristics. The certifying authority is the US government, and the document requirements to be issued a passport are more stringent than those of a driver’s license. Unlike a driver’s license, it also has the ability to carry updates by other certifying authorities (the visa section where passport control puts its stamp) after the passport has been issued.
What happens when you drive up to a border crossing into the United States? The obvious checks are confirming that your passport is valid and matches your description, and checking the car’s license for ownership and any outstanding warrants. I’m not a homeland security expert, but it’s safe to say that these checks are a small part of the checks that are done. For example, I recently learned of a fellow who was pulled aside by Customs coming into the United States because border security had detected the residue of a radiological agent! (The man had undergone a physical that involved radiology.) The most important action the border agent performs, however, is to ask you questions and watch your behavior as you answer them. After all, not too many people drive up to the border with something as obvious as a stolen car; behavioral questioning can help expose inconsistencies and falsehoods that simple passport authentication doesn’t expose. As in the physical world, authentication in the digital realm can involve only a simple password or it can use complex multiple factors such as one-time passwords, biometric scanners, time limitations, and location restrictions.
A border crossing involves both authentication and authorization. Authentication determines whether you're really who you say you are. Authorization determines what resources you’re allowed to access and at what level. Once your identity is verified at the border, there's a chance you could find yourself on a watch list that denies your entrance into the country; authorization in this physical case is pretty much binary; you’re either allowed in or you aren’t. If you’re authorized, there’s no restriction to shop only at certain stores in certain states. Apart from the obvious constitutional and legal reasons, this is because national passport authentication systems aren't integrated with commercial systems.
The Digital Realm
In the physical world, many tasks come with some basic contextual authorization. Two examples are age checks for buying alcohol and for purchasing R- or NC-17-rated movies. Most of the time, a clerk authenticates you by simply looking at your driver’s license to be reasonably sure you're who you say you are. In the digital world, the photo check doesn’t happen—one reason that fraud is easier to perform there.
Unlike the casual driver’s license check, almost all credit card transactions today are checked in real time for authorization against the credit card’s issuer. Thanks to mobile wireless point-of-sale devices, I’ve had my credit card checked everywhere from art shows in open fields to small businesses in rural Bali. When every transaction depends on authorization, however, the entire authorization infrastructure must be robust and fault-tolerant because there are real consequences for the user trying to access resources at the far end of the process. For example, I’ve twice had my MasterCard account closed without notification while in remote locations due to a “merchant security compromise”—someone hacked a retail company where I’d shopped, and the retailer kept my credit card information without my permission. This is a real problem if you travel internationally and don’t carry a lot of local currency. These credit card authorization systems are somewhat context-sensitive, too, thanks to anti-fraud technology; if most of your credit card purchases are in the United States, and you purchase something in England, don’t be surprised if you get a robocall from your credit card issuer requesting that you verify the purchase.
These systems are a simple example of a category of software that takes this practice to a sophisticated level. It's called security information event monitoring (SIEM). SIEM software has two major functions, and the SIEM acronym contains both. The first function, security information management (SIM), is to collect information from event logs across potentially hundreds or thousands of systems into a database and provide intelligence and reporting about these systems. This is usually done for compliance or regulatory reasons.
The second function is, to me, the more interesting use. Security event management (SEM) goes beyond simply collecting and reporting on log information; this type of software actively monitors event logs in real time, intelligently analyzes their output, and takes action based on the rules the SEM administrator establishes—for example, to flag or lock out the perceived threat to the system. Have you ever logged on to Facebook or Gmail from a different location than you usually do? Have you noticed that you're prompted for a security question? This is because SIEM software in these services have detected that your session is located at a different IP address than your previous ones. (If you check the bottom of your Gmail page, you'll actually see your last logon time and previous IP address.) In my experience, if I log on from a significantly different geographic location—say, logging on in Canada when I'm usually in Texas—the next time I log on at my usual IP address range, Gmail displays a warning that there's been an unusual logon for my account and asks me to OK it. Financial companies are in the lead for adopting SIEM software, first for SIM purposes but now for SEM and fraud detection.
A SIEM system has the ability to collect and correlate potentially millions of records from a wide range of network devices—from network switches to endpoint protection devices to line-of-business (LOB) systems. They can detect insider threats such as large amounts of printing after hours, large amounts of email or large attachments to personal email addresses, or unusual system audit log clearing. They can also detect malicious intrusions from external hackers. If so configured, the SIEM package can lock out the user’s account. Though these systems aren’t cheap to purchase or to implement, they can pay for themselves in minutes if they detect, warn, and perhaps thwart malicious insider action, fraud, or external attacks. If you’re interested in learning more about SIEM products, Gartner published a "Magic Quadrant for Security Information and Event Management" report (www.gartner.com/technology/media-products/reprints/nitrosecurity/article1/article1.html) that describes the various SIEM vendors and their relative strengths and weaknesses. SIEM software is similar to a border agent’s behavioral questioning; by correlating various bits of information gathered from many sources, the agent uses his or her training to flag individuals for further investigation.
Lessons Learned
We've developed our IT authorization and authentication systems based on methods we use in the real world. The online world can perform faster and more efficiently than humans, but only recently has it begun to develop the security intelligence that the human element has long provided us. At the same time, human security systems have come to depend increasingly on IT security systems to augment their methods. And we need all these methods to combat increasingly sophisticated attempts to invade our systems.
Sean writes about cloud identity, Microsoft hybrid identity, and whatever else he finds interesting at his blog on Enterprise Identity and on Twitter at @shorinsean.
