Sunday, August 12, 2012

The Emperor has no clothes - De-Identification and User Provisioning

I am disturbed at discussions lately in both the De-Identification and User Provisioning space. Yes, there is a common thread between them. It is not a technical thread, but a social thread. Identity is HARD. Proving identity is hard, and keeping identity secret is hard. Yes, this math works out. I think we have a case where people really really want to believe that De-Identification and User Provisioning are easy, or could be made easy. Well, I am not willing to say that your clothes are pretty. Identity is a hard business, and has been well before Information Technology or the Internet.

I will start with the biggest story, about “Mat”. So big it is on CNN and elsewhere. This is a very interesting story to dig deep into. Actually it doesn’t even take that much digging to get deep. This because Mat has done such a good job of explaining it himself. Please look at the stories for the details. The summary is that attackers who just wanted his Twitter account leveraged multiple social-engineering vulnerabilities in organizations that should know better. I am even willing to assert that these organizations do know better. They are forced to be as liberal with their policies because – Their customers don’t like being challenged. Meaning they could have stronger policies, procedures, and even technology. It isn’t a cost thing either, it is a case of convenience. AND as long as the customer thinks that what they are providing is good enough, then these organizations must believe that this is good enough.

Closer to healthcare is the work going on in the Direct Project, specifically the group trying to create identities for use with the Direct Project protocol (Secure e-mail using S/MIME). The group is really doing good work, but they are constantly pushed to make it even easier. There comes a point when user provisioning becomes so easy that a dog can get an identity. I am not saying that DirectTrust is at this point. I actually think they are working hard to keep from that failure. I however think that any efforts to do user provisioning without in-person-proofing is not going to work, especially for access to healthcare information. And, this is just the user provisioning. As the Mat case shows these identities are only as good as the re-set system. Or in Certificates, the revocation system and renewal. These have not been the focus yet, but need to be. This stuff is hard, and anything less will be thwarted.

Moving over to De-Identification. Here is a topic that is trying to hide identity, and we see just how hard that is too. The latest news actually indicates that de-identification should actually be seen as stronger than it is given credit for. When done right, this is indeed true. When you put effort into your de-identification method you can have on that is truly well done. I have covered this in De-Identification is highly contextual, and I am involved in ISO standards on Pseudonymization and De-Identification, as well as IHE handbook we are writing to guide profile writers. There is efforts to get the USA government (ONC) to define a new De-Identification specification, an effort to get government endorsement of shortcuts. But this gets to my point, that people want it to be easy when it is actually hard. It is hard and that is good, shortcuts will result only in failures.

There is a very interesting piece that ties these topics together without intending to. In Kim Cameron’s blog he talks about a really cool use of social graph to do user provisioning. I assert that this is not what we want to do with this information, at least not for moderate or high security like we need in Healthcare. But his point is that there is so much social information on the internet, we must leverage it when doing user provisioning. Unfortunately as the Mat case indicates, this can cut both ways. The attackers can invent social graph and thus invent new identities or radically change an identity.

The root problem is that proving that an individual is who they say they are is HARD. Even if you are that individual. It is hard to prove that you are indeed who you say you are. Identity is not something that nature gives us, identity is something we humans have added. Identity is NOT NATURAL. This doesn’t mean that identity is a bad thing, but it does mean that we must constantly be testing identity assertions. When we are in social situations we are always observing the people we know, constantly testing that they seem to be that person we know. We are also observing those we have been introduced to, learning how to re-verify (authenticate) them perchance in the future. We don’t just use one introduction, we also ask our friends if they also know this person. Multiple assertions are often used, not necessarily strong assertions or fully trusted.

We need to take the approach that Identity is hard, and deal with that fact. We should NOT try to simplify the user provisioning steps, or to make easy password reset, or to make de-identification simple. These are hard things and they NEED to be hard. I have hope for the NIST Steering Group for Identity Ecosystem (NSTIC). It is good to see a few Healthcare representatives on this group. I don’t know them, but would welcome a dialog.