musing on Trust, Security, and Identity

I've recently seen a couple of discussions about IDAM in the larger context of trust, e.g. Martin Harrod's Vancouver ISSA presentation, Designing TRUST into Identity and Access Management Solutions.

It's got me thinking again about the relationship between trust, security, and identity.

I think the key challenge for non-IT/CompSci people looking at computational trust modeling is that, because we are interacting in virtualized environments, we need to explicitly construct the necessary abstractions to support our expectations about these interactions.

Human trust is a complex and context-sensitive interplay of risk, value, experience, expectation, uncertainty, social relationships, and individual human qualities. Humans operating in a physical world use a variety of interpersonal skills and social arrangements to create and evaluate trust in others. We have an intuitive notion of what is meant by the word trust and live in a rich social web that sustains our ability to trust other people and organizations. This trust enables us to interact in a range of situations. The role of trust in human/social systems is to guide and support decisions where the outcomes depend on the good behaviour of others and where results cannot be completely controlled. This means that, for our virtualized environments, we must create artificial mechanisms that emulate some aspects of normal human psycho-social and physical interaction. Thus is born a whole range of mechanisms found in information security and information systems.

Academics and industry are slowly cobbling together different versions of future digital ecosystems. Many proposed abstractions and supporting IT mechanisms don't exist yet and/or are areas of active research. Currently deployed systems often lack essential characteristics. For example, think of the fundamental weaknesses of SMTP-based email.

One aspect of human interaction that researchers have been grappling with for a few years is trust: what is it, what role does it play in our interactions, and how do we build digital/virtual mechanisms to support trust in virtualized environments? A Google Scholar search for "trust model" shows lots of research. You'll find my paper if you search for "Generic Reliability Trust Model".

Some notion of identity is a prerequisite for more general models of trust and security. Most people don't understand abstractions like digital identity, much less trust, which explains why most non-IT people (and some IT people I've talked to!) don't understand what the browser lock symbol means, and why browsers have added support for Extended Validation SSL certificates. Virtualized environments also create the opportunity for mechanisms not normally seen in the real world. One example is non-identity-based authorization schemes that use capability certificates, which also underlie identity federation.

So why is identity management important to trust and security?

Identity is a root concept of security, and information security is a prerequisite for higher-order trust modeling (and reasoning).

If you don't care who does what, who sees or changes what, or if your services are even available, then you don't care about security, and thus don't care about identity. If on the other hand, you do care about who you're interacting with, or want any control over who can access or modify your property, or want to ensure your property is available when it is required, then you do care about security, and must be able to identify who you're interacting with. This is because at the root of the ability to control is the ability to discriminate, to know that it is Bob asking to read document X, not Sally attempting to modify document Y.

If you want to model trust in a virtualized environment, you need secure information about the entities you're interacting with. If you can't correlate past activities to individuals, you can't build reputation. If you can't identify an individual and restrict membership to a community, you can't have any expectations about future interaction. If you can't secure the identity and your assets, then you can't create and transfer value. No security means no identity, history, future, or shared value, which means no trust. Without trust, all exchanges are valueless or take place only through the use of high-cost/high-control mechanisms such as hostages and escrow. Break any of these assumptions and you have problems; e.g. consider what happens on eBay when an ID with a good reputation changes hands.

Thus, if you need security, you also need identity. If you want to manage security, then you will also have to manage identity.

Various forms of identification are required. As this is a virtualized environment, all interaction is between abstract entities -- virtual end-points or nodes. Identification includes the binding of an identity to some abstract end-point entity. What is the network address required to route messages to a given end-point? How do we know that the entity controlling the end-point of a connection is Sally, and not Bob pretending to be Sally?

The security of identity information is so important that it gets its own set of labels: (TBD: need to think some more about these)

* Identity Integrity = authentication, attribution, attestation, and non-repudiation, which implies uniqueness and verification that the entity-identity binding is (still) valid, i.e. that Bob's account has not been hijacked

* Identity Confidentiality = privacy, which implies protection of personally identifying attributes, i.e. that I can ensure Sally's password is known only to Sally

* Identity Availability = availability of identifiers and authentication mechanisms, existence of directories
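As an added example (my illustration, not code from the post or from any IDAM product) tying the reputation argument above to the Identity Integrity label: a small Python model in which activity records are authenticated by the key bound to an identifier, and reputation counts only records that still verify under the current entity-identity binding, so an ID that changes hands (the eBay case) carries no history with it. Identifiers, keys and outcomes are constructed; shared-secret MACs stand in for signatures so it runs offline.

```python
import hashlib
import hmac

# Constructed model, not code from the post: a registry binds an identifier to the
# key of the entity controlling it, every activity record carries a MAC made with
# that key, and reputation counts only records verifying under the current binding.

def record_tag(key: bytes, identifier: str, outcome: int) -> str:
    # Authenticates one activity record (outcome is +1 good / -1 bad).
    return hmac.new(key, f"{identifier}|{outcome}".encode(), hashlib.sha256).hexdigest()

class Registry:
    def __init__(self) -> None:
        self.bindings = {}   # identifier -> key currently in control of it
        self.history = []    # (identifier, outcome, tag)

    def bind(self, identifier: str, key: bytes) -> None:
        # Rebinding an identifier to a new key models the account changing hands.
        self.bindings[identifier] = key

    def record(self, identifier: str, key: bytes, outcome: int) -> bool:
        # Identity integrity: accept only from the key bound now; anything else
        # cannot be attributed to the identifier (unbound id or impostor).
        bound = self.bindings.get(identifier)
        if bound is None or not hmac.compare_digest(bound, key):
            return False
        self.history.append((identifier, outcome, record_tag(key, identifier, outcome)))
        return True

    def reputation(self, identifier: str) -> dict:
        # Reputation = history that can be correlated to the *current* controller.
        key = self.bindings.get(identifier)
        score, foreign = 0, 0
        for ident, outcome, tag in self.history:
            if ident != identifier:
                continue
            if key is not None and hmac.compare_digest(tag, record_tag(key, ident, outcome)):
                score += outcome
            else:
                foreign += 1  # earned under a previous controller: not transferable
        return {"score": score, "continuity": foreign == 0 and key is not None,
                "foreign_records": foreign}

def demo() -> dict:
    reg = Registry()
    sally, bob = b"sally-secret", b"bob-secret"   # constructed keys
    reg.bind("seller42", sally)
    for outcome in (1, 1, -1):
        reg.record("seller42", sally, outcome)
    reg.bind("seller42", bob)                      # the ID changes hands
    return reg.reputation("seller42")              # score 0, continuity False
```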

We have to be careful about any assumptions of the authenticity of an identity, just as with assumptions about the truth of any assertions used by a security model. This is a core perspective in info-sec practice: to identify and evaluate the web of assumptions made by any system. For example, in PKI you assume the CA has done the required verification (certificate practice statements) and that the underlying private keys have not been misappropriated by anyone (e.g. an insider). Are the risks associated with those assumptions low enough to support your security requirements?

TBD: more about the interplay between trust, identity, and security.