This is the 14th blog in a series about security and how security is about how you think.
In the last blog, I talked about the seven goals of security. Each of the next seven blogs will take one of those goals and dive deeper to explore how we “think security” with each of them. This blog is about the first goal: identity and authentication.
This is one of the more obvious goals of security because we identify and authenticate others and we are identified and authenticated every day of our lives. When we buy items, we are identified and authenticated. When we talk to each other, we identify and authenticate others.
Where this issue impacts security is that we want to identify and authenticate others to the level that we want, yet not be identified and authenticated ourselves when we don’t want to be. In most security scenarios, we want to trace every “action” (an event that has happened) back to an “actor” (the representative person or service) that is performing that operation. We may care about the identity of every person who does something, or we may want to allow anonymous access – the nature of the service that we provide or want to connect to will make this decision. The service may also want more than one method of authentication per identity so that there is a higher level of assurance that the person/actor is who they say they are.
Let’s show some scenarios to illustrate this thinking:
Now one person can have multiple “identities” (and still not be crazy). Think of it this way – you may have a work email address, a home email address, and maybe another address (like a school or club address). Each one is an “identity.”
But how do we validate and trust identity? It may be direct trust (I know that’s my neighbor Pete because I see him every day), or I may trust an external identity (for example, with a driver’s license, I’m trusting that the driver’s license is valid and actually from the state of Pennsylvania). In the case of my Unisys badge, it’s implicitly trusted because I received it from the company (actor) to which I’m presenting it.
These processes of identification and authentication become more complicated when we deal with computer systems. Who we trust is tougher to declare. The system that we use may already implicitly trust entities because it makes the computer system easier to use (for example, look at Internet Explorer’s Trusted Root Certification Authorities list – it will scare you). How do we NOT trust someone? We also have to define very specifically which identities we will honor, because more and more, these are external identities (Facebook logins, Twitter handles, and external email addresses) rather than very local identities (usernames and passwords, badges) that are managed very easily.
With computer systems, identities are easier to forge because we can try identities more easily (brute force attacks), usually without having to hide ourselves. That’s why logging of identification and authentication attacks is crucial to determining whether there is a problem.
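To make the logging point concrete, here is an added example (not from the original post) that reads authentication records and flags a source that tries many identities in a short time, then notes any identity that source later logs in as. The log format, the five-minute window, the five-failure threshold, and all names and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): time, source, identity, result
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 alice FAIL
2024-05-01T09:00:20 10.0.0.5 alice OK
2024-05-01T09:10:00 203.0.113.7 alice FAIL
2024-05-01T09:10:05 203.0.113.7 bob FAIL
2024-05-01T09:10:10 203.0.113.7 carol FAIL
2024-05-01T09:10:15 203.0.113.7 dave FAIL
2024-05-01T09:10:20 203.0.113.7 erin FAIL
2024-05-01T09:10:40 203.0.113.7 bob OK
"""

def parse(log):
    """Turn each line into (time, source, identity, succeeded), oldest first."""
    events = []
    for line in log.strip().splitlines():
        ts, src, ident, result = line.split()
        events.append((datetime.fromisoformat(ts), src, ident, result == "OK"))
    return sorted(events)

def detect(events, window=timedelta(minutes=5), max_failures=5):
    """Flag sources with max_failures failed logins inside the window.

    Returns {source: {"identities": tried while flagged,
                      "compromised": identities that later succeeded}}.
    """
    recent = defaultdict(list)  # source -> [(time, identity)] of recent failures
    findings = {}
    for ts, src, ident, ok in events:
        # Keep only this source's failures that are still inside the window.
        fails = recent[src] = [(t, i) for t, i in recent[src] if ts - t <= window]
        if not ok:
            fails.append((ts, ident))
            if len(fails) >= max_failures:
                entry = findings.setdefault(
                    src, {"identities": set(), "compromised": set()})
                entry["identities"].update(i for _, i in fails)
        elif src in findings:
            # A success from an already-flagged source: the action traces back
            # to an actor we have reason not to trust.
            findings[src]["compromised"].add(ident)
    return findings

if __name__ == "__main__":
    for source, info in detect(parse(SAMPLE_LOG)).items():
        print(source, sorted(info["identities"]), sorted(info["compromised"]))
```

The single mistyped password from 10.0.0.5 is not flagged, while the record for 203.0.113.7 shows both which identities were tried and which one needs follow-up.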
Identity and authentication is one of the primary goals of security, because identifying who or what is performing or attempting to perform an operation is an important part of the other goals of security. Having a record of the identity and the authentication is also extremely important to forensic analysis of what has happened.
It’s not rocket science – we do identification and authentication every day – but it’s how you think about it that makes it a key mechanism of the security mindset. It’s about how you think about identity, authentication, and eventually trust that makes the world secure.