The Year in Identity

Enterprise identity saw good progress in 2012, but was it good enough?

As we approach the end of the year, many people take the opportunity (some would call it a cop-out) to review the significant trends or happenings in the last 12 months in their area of interest. I’m no exception. In my defense, however, a lot really has happened in identity—both positive and negative—in 2012.

On the positive side, progress has been made in  cloud identity as this market continues to mature. For example, a number of identity-related specifications and standards are seeing an increase in adoption. This is a critical area for cloud identity because if you’re a cloud service provider (such as a Software as a Service—SaaS—vendor) and there’s no standard for how to manage your identity needs, you have to make it up as you go. Given the explosion of cloud-based services, it’s a recipe for disaster. System for Cross-domain Identity Management (SCIM), an emerging standard designed to simplify and standardize user provisioning for cloud-based applications, has moved from specification to IETF standard. (The name behind the acronym has changed a few times along the way, too: It began as “Simple Cloud Identity Management.”)

Another big step forward for web-based authentication and authorization is the rapid adoption of OAuth 2.0. This token-based security method is quickly becoming the de facto standard for authenticating mobile applications to cloud-based services (e.g., Google) through the service’s OAuth 2.0 APIs. It’s a very good thing, and much simpler than having your mobile app redirect you to the device’s mobile browser to authenticate with the service. If you’ve ever used a Twitter app on your phone or tablet, you’ve used OAuth 2.0.

OAuth 2.0 is powerful, but it’s also complicated. As a result, there are a number of ways that vendors can use OAuth 2.0 for authentication—but standardization, again, is what’s needed.  OpenID Connect is a simple identity protocol that rides on top of the more complex OAuth 2.0 specification, making it easy to provide identity management using OAuth 2.0. This protocol has grown in popularity in 2012 and is a leading reason for OAuth 2.0’s success. (If you aren’t confused enough yet, check this out: Facebook designed its own authentication protocol called Facebook Connect. Why, you might ask? Because Facebook wants the ability to provide a much greater amount of social media information to its partners than OAuth/OpenID Connect provides. Which is why I avoid using my Facebook credentials for single sign-on—SSO—whenever possible.)

At the macroscopic level, Identity as a Service (IDaaS) has really entered the mainstream. Once a fringe idea, the concept of outsourcing your connections and SSO to cloud service providers instead of maintaining it yourself (e.g., Active Directory Federation Services—AD FS) has grown in popularity as the number of SaaS providers an enterprise uses has grown. IDaaS is a simple, fast, and generally cost-effective way to maintain what Gartner dubs an identity bridge between the enterprise and the cloud. The IDaaS market has become increasingly crowded as both well-established players (such as Microsoft,, and Ping Identity) and newcomers (such as Intel) have introduced products. As if to underscore the validity of this market, the Gartner analyst responsible for this segment (Mark Diodati) joined one of the players (Ping Identity).

The  Cloud Identity Summit was bursting at the seams, indicating an ever-increasing interest in cloud identity and how to use it.  Craig Burton got everyone’s attention at the summit by declaring that Security Assertion Markup Language (SAML)—the predominant protocol used today for claims-based authentication—is dead. It still works, and it's not going anywhere; it’s just slowly being rendered obsolete by newer protocols, such as the ones I’ve mentioned above, that have more capability.

The National Strategy for Trusted Identities in Cyberspace (NSTIC)—pronounced n-stick—federal government initiative also moved forward in establishing its administrative structure and initial pilot programs, albeit more slowly than companies accustomed to working on “web time” would prefer. NSTIC is a government-sponsored but privately led initiative to establish an identity ecosystem or marketplace of trusted identity and service providers with a higher degree of security than is available today. Many important players in private industry have generally embraced NSTIC, whereas others maintain a “wait and see” attitude.

Just like last year, the dramatic increase in the number of mobile devices continues. In September,  Apple CEO Tim Cook announced that the company had sold 400 million iOS devices, and that the average person has more than 100 apps on his or her device. (Someone’s loading the deck, because no one I know has that many!) Most of these apps have a cloud-based back end, which requires authentication of the mobile device's user. The one-to-many relationship between mobile devices and their apps—and each day's increase of thousands, even tens of thousands, of new devices flooding the market—points out the central role of identity in everything we do. Five years ago, most of us didn't have to authenticate to play music in our house.

On the consumer front, users are becoming more and more familiar with federated sign-on using Facebook, Google, Microsoft, and identity providers to simplify logging on to their web services. Two-factor authentication (password plus mobile phone code) is becoming a little more common, thanks to the ubiquity of mobile phones and the support of big players such as Facebook and Google.

Of course, the year wouldn't be complete without some epic identity-management failures. First, 100,000 IEEE user IDs and passwords were left in plaintext on an FTP server for a month before they were discovered by a teaching assistant. (How much longer would they have been hanging out there if he hadn't said anything?) Second, 453,491 email addresses and passwords in plaintext were stolen from Yahoo! VoicesAn analysis by a Scandinavian security researcher found that the top five passwords were 123456, password, welcome (at least the users were polite to the hackers), and ninja (really?). Third, and probably the biggest identity steal of the year (I say "probably" because these have become so tediously common that I tend to lose track), was LinkedIn's loss and subsequent publication of 6.5 million password hashes. Finally, in the facepalm-worthiest incident of all, a French citizen unintentionally breached the security of the French Central Bank over the phone by entering that most popular password, 123456, when prompted for a code by an automated system. (No, this isn't an article by The Onion.)

Aside from the ongoing litany of exposed identity stores, the need for secure, scalable identity management is outstripping the pace at which standards are being ratified and adopted. When you look at all the nodes on the network—businesses and their employees, mobile devices, service providers, general consumers—and all the ways these nodes can connect with each other, as well as how few connections have actually been made so far, it's clear that identity management as a profession needs to get ahead of the supernova of security that's speeding our way.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.