In defence of silos
Federated identity schemes – whereby a PIN or password is no longer exclusive to one entity – are foundering for a good reason
By Stephen Wilson
October 14, 2009
Imagine this. Two grain growers are neighbours. One farms wheat and the other corn. Both have invested a lot of money in their silos and grain handling equipment, which continues to be a significant cost in their operations. The corn farmer is an innovator and comes up with a bright idea. He approaches his neighbour and gives her the following proposition. Since their infrastructure is such an overhead, why not, in the name of efficiency, bust open, join up and share their silos?
What farmer wouldn’t reject this idea out of hand? If a grain grower needs more capacity, they could in theory re-engineer the entire storage and handling system, strike up new support arrangements with their equipment providers, and seek insurance to cover radical new risks. But it would be simpler, cheaper and quicker to just build another silo!
“Break down the silos” is one of the catch cries of modern management practice, and it’s a special rallying call in the Federated Identity movement. Nobody denies that myriad passwords and security devices have become a huge headache, but attempts to solve that dilemma by sharing ‘identities’ all too often come unstuck. I suggest it’s because our intuitions about identity in the brave new digital world remain unreliable.
One shaky assumption in most federation models is that identities formed in one domain ought to be recognisable in as many other domains as possible. Yet it’s not like this in the real world. You cannot, for instance, use your frequent flyer card or your employee badge in an ATM.
A famous federation case study is the way we typically use a driver’s licence to open a video store account. However, what happens next goes unremarked by federated identity advocates: the store gives you a new identity, in the form of a membership card, or a secret password. If there is any ‘federation’ going on here, it’s actually very limited.
Most identity broking schemes – amongst them the Australian banking sector’s ill-fated Trust Centre – have struggled. It’s easy to blame a reluctance to cooperate, or nefarious plans to compete on security. However, the real problems are to do with underestimating the complexity of messing with customer relationships.
Breaking down ‘identities’
What we call an ‘identity’ in business is really a proxy for a complex relationship between customer and service provider. An account number, for example, stands for the fact that the customer has met a set of requirements and has signed up to terms and conditions governing how they do business with an institution. If that relationship is facilitated by electronic means like a plastic card or one time password (OTP), then there will be a detailed usage agreement, which typically forbids re-use with third parties. These agreements are framed very carefully according to the risk profile of the institution and the type of business it conducts.
Identity federation entails major changes to these sorts of agreements. In classic federation, it is proposed that existing OTPs, for instance, be used to transact with third parties having no previous relationship with the issuer. With just a moment’s reflection, we can see this is actually a very hard problem. Not only does it mean changing the usage agreement under which the OTP was issued; it means the issuer accepting that their OTPs be used in unanticipated transactions. How can anyone do a risk analysis of that?
The real reason that many well-intended federated identity schemes founder is simple. There is no legal precedent for analysing the risks when a customer with an existing relationship with service A tries to leverage that relationship with brand new service providers B, C and D.
I’ve consulted to numerous federated identity schemes. In most cases, the technologies and IT architectures are well understood, but it’s the new legal arrangements that become impossible. It’s not that federation contracts are necessarily complicated, but they’re entirely novel. Federation requires banks and the like to contemplate their ‘identities’ being used in new and only loosely specified transactions over which they have no control. Whenever I’ve seen this proposition put to an issuer’s lawyers, their response is ‘well, this has never been done before, so we’ll have to get back to you’. And that’s where the projects stop.
‘Silo’ is not a dirty word
It’s not for nothing that we call identity domains ‘silos’. Grain silos are architecturally elegant, strong and safe; they are critical infrastructure for farmers. You have to wonder when and why ‘silo’ became a dirty word in IT. Identity silos are actually carefully constructed risk management arrangements. They have much more to do with business relationships than ‘identities’ per se. If we only used better words to describe these issues, we might see them more clearly, for intuitively we know that unpacking and reforming relationships is never trivial.
If online identity has become unwieldy, then let’s fix the user interface technologies, rather than mess with the fundamental ways in which institutions and customers relate to one another.
Stephen Wilson is a leading international authority on identity management and information security. In early 2004, Stephen established Lockstep Consulting to provide independent security advice and to develop new smartcard solutions to identity theft.