DIGITAL IDENTITY – AUTHENTICATION, ACCESS CONTROL & RIGHTS MANAGEMENT
Authentication
Imagine yourself walking down a busy San Francisco street. A
stranger approaches you and asks for your full name. Most likely,
you’ll hesitate before giving your name to a stranger — at least
your full name. But seeing your hesitation, the stranger shows you a
badge with “San Francisco Police Department” inscribed on it, along
with his picture and identification number.
Do you then trust this person and answer his questions? Maybe.
Maybe not. After all, the badge could be forged. Perhaps you may
call the police department and verify that the stranger is the
person he says he is.
The reverse is also true. Say you give your full name to the
plain-clothed police officer. If it’s a serious matter, the officer
will want to see your own identification to verify that you are who
you say you are. Most likely, he’ll ask for your driver’s license
and call police headquarters to verify your information.
In both cases, Two-Factor Authentication is in progress. What you
say (your full name) must match what you have (your identification).
And in both of these cases, you could take it a step further by
calling a trusted source (the police department) for authentication.
Authentication is basically the process of determining whether someone or
something is, in fact, who or what it says it is.
Imagine, again, the above happening on the Internet via an Instant
Messenger (IM), Chat Room, Blog, E-Mail or some other kind of web
application. How much trust do you think both parties involved
would have in each other? And how can both parties verify each
other’s identity?
Now, how about online business transactions? How do I know Bank of
America’s web site is really Bank of America’s web site? And how
does Bank of America’s web site know I am who I say I am?
The answer to this last question is some type of identification and
password. With that, I can do anything, including transfer money to
another account, and Bank of America’s web site wouldn’t know the
difference.
Now you see why we are subject to so many information leaks,
identity thefts and security breaches. All the bad guys need are
your identification and password.
We all know identification is easy to guess for the most part. And
passwords are not that hard to come by either — you know what I mean
if you’re one of those computer users who have 20 or more passwords
to keep track of.
We use authentication all day long, even when we’re away from our
computers. We actually use Two-Factor Authentication every time when
we use our ATM card to withdraw or deposit cash.
To qualify as Two-Factor Authentication, the authentication must
have:
1) What you know (PIN number), and
2) What you have (ATM card)
But even then, it still isn’t very hard to steal or forge both if
someone really wanted to.
So, to make it even harder for the bad guys to steal or forge your
identity, expect to see certain types of biometrics authentication
come out in the very near future, making your information next to
impossible to steal or imitate.
To qualify as Biometrics Two-Factor Authentication, the
authentication must have:
1) What you know (PIN number), and
2) What you have (ATM card), and
3) Who you are (Your finger print(s) or another type of
biometrics authentication).
Until we have more widespread Biometrics Two-Factor Authentication,
we cannot hope to reduce the amount of daily security breaches. And
until we have some kind of Federated Biometrics Two-Factor
Authentication, we cannot even hope that the Internet will become a
viable and secure media for the Global Trading Marketplace.
Access Control
So let’s say you prove you are who you say you are by passing the
Biometrics Two-Factor Authentication set-up outside your bank
vault. You still need to access your safety box located inside of
the bank vault. By giving you access to the bank vault but not the
safety box, you’re not really receiving full access to the contents
inside of your safety box. You will only be granted access to the
contents of the safety box if you have the key to unlock it.
The same is true with the Internet. You log onto a Music Portal,
but while you can see the list of song titles available through the
portal, you can only access them if you’ve bought or subscribed to
the portal.
Access Control controls what you have access to with any given number of
resources based on your credentials, which are authenticated.
Rights Management
Now, back to your Music Portal. The fact that you bought or leased
the songs doesn’t really give you the rights to duplicate them,
especially with the purpose of making a profit.
Besides songs and movies, Rights Management is critical for the
protection of any kind of intellectual property in today’s digital
world. Our average electronic documents require the same, if not
more, Rights Management control.
The world is going digital at a rapid pace. Just think about all
the things you have in your computer today that used to be tangible,
i.e. paper documents, pictures, songs, movies, magazines, books,
bank statements, voicemails — yes, my company voicemails are routed
to my laptop, all sorts of engineering designs, secret formulas,
software source codes, business transaction records, flight plans.
It just goes on and on.
Digital property lives in Internet servers, and all computers
require protection beyond the traditional Access Control.
I still remember, in my early days of consulting, when one of my
clients, a well-known Silicon Valley company, asked me to come up
with a way for his engineers to view top secret designs without
allowing them to save on a floppy or network disk — or print it out
for that matter. This was before e-mail and the Internet were
popular; otherwise, they would have to worry about someone attaching
the designs to an e-mail.
14 years ago, the best I was able to come up with was a diskless
workstation that restricts users from saving to a network disk or
printing.
The downside was that all of the engineers had to take turns
sharing a few of those diskless workstations. Just imagine how happy
they were with my solution, despite the fact that the company was
ecstatic.
For Rights Management to work with the
Internet age’s requirements, it has to be able to meet the demands
of all. All means everything and anything digital we use to create
and store property and resources.
Not only must we be capable of allowing someone to view a document
without printing, but we must also be capable of restricting viewing
hours and dates. Remember that television show, Mission Impossible?
Remember how the digital media was self-destroyed after being read?
That’s what we must be capable of.
If the idea of leasing digital movies or songs is going to work, we
will need to find a way to expire the digital property or program it
to self-destroy. Imagine a library web site, where you could
download a self-destroying e-book. Publishers would never have to
worry about you keeping the books. And the library would never have
to worry about you returning it. Of course, the downside would be
that the library would lose any late-fee revenue.
Conclusion
We already have the technologies to make everything described in
this white paper work. But as of yet, nobody has put it all
together. And for the most part, none of these technologies can work
with each other in any sort of meaningful and usable way.
Authentication still depends on your Operating Systems and your
vendors’ Operating Systems. There is no standard for Access, and
again, for the most part, Access Control depends on your Operating
System. There are at least half a dozen or so competing Rights
Management implementations out there today, and again, not all work
together.
High Level Digital Identity & Property Management Matrix

| AUTHENTICATION METHOD | ACCESS CONTROL | RIGHTS MANAGEMENT |
|  | No Access | No Access |
| Single Factor | Read | Partial / Full (Read) |
| Two Factor | Read / Write | Partial / Full (Read / Write / Print / Replicate) |
| Biometrics | Create | Partial / Full (Create) |
| Biometrics & Two Factor | Create / Erase | Partial / Full (Expiration / Erase) |
| Globally Federated Authentication Infrastructure | Globally Federated Access Control Infrastructure | Globally Federated Rights Management Infrastructure |

Legend:
Vendor Dependent Solution
Vendor Dependent Solution
Vendor Dependent Solution
Globally Federated Infrastructure
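The matrix above and the expiring e-book lease described under Rights Management, as an added Python illustration that is not part of this white paper: a session's proven factors are mapped to a matrix row, then a request is checked against expiry, access control and rights management in turn. The factor names ("know", "have", "are"), the cumulative reading of the matrix rows, and the rule that printing or replicating content needs read access are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Matrix rows read cumulatively (each row keeps what the rows above grant): an assumption.
TIER_ACCESS = {
    "none": set(),
    "single_factor": {"read"},
    "two_factor": {"read", "write"},
    "biometrics": {"read", "write", "create"},
    "biometrics_two_factor": {"read", "write", "create", "erase"},
}
TIER_RIGHTS = {
    "none": set(),
    "single_factor": {"read"},
    "two_factor": {"read", "write", "print", "replicate"},
    "biometrics": {"read", "write", "print", "replicate", "create"},
    "biometrics_two_factor": {"read", "write", "print", "replicate", "create", "expire", "erase"},
}
ACCESS_OPS = {"read", "write", "create", "erase"}  # operations governed by access control

def tier_for(factors):
    """Map proven factors ("know", "have", "are": constructed names) to a matrix row."""
    f = set(factors) & {"know", "have", "are"}
    if f == {"know", "have", "are"}:
        return "biometrics_two_factor"
    if "are" in f:
        return "biometrics"
    if f == {"know", "have"}:
        return "two_factor"
    return "single_factor" if f else "none"

@dataclass
class Resource:
    name: str
    granted: set                        # rights the owner chose to grant ("Partial")
    expires: Optional[datetime] = None  # self-destruct time, as in the leased e-book

def authorize(factors, op, res, now):
    """Return (allowed, reason): expiry first, then access control, then rights."""
    if res.expires is not None and now >= res.expires:
        return False, f"{res.name} has expired"
    tier = tier_for(factors)
    needed = op if op in ACCESS_OPS else "read"  # print/replicate still need read access
    if needed not in TIER_ACCESS[tier]:
        return False, f"access control: {tier} may not {needed}"
    if op not in TIER_RIGHTS[tier] & res.granted:
        return False, f"rights management: {op} not granted for {tier}"
    return True, f"{tier} may {op} {res.name}"
```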
Until all of the pieces presented in this white paper can be
integrated into one vendor and device, independent, pervasive,
portable and easy to use in a globally federated environment, we
won’t be capable of experiencing the full benefits of the Digital
Information Revolution.
To learn more about Biometrics authentication, please also check
out our
Biometrics Authentication white paper.
By
Benson Yeung, Senior Partner