Information Age (IA): The idea of federated identity technology has been around since the late 1990s. Why do you think it is going to take off in 2005?
Howard Schmidt (HS): From an industry perspective, those of us in the [IT security] industry recognise that we are right on the tipping point, on the cusp of moving to the next level.
We’ve done a lot of work in protecting our infrastructures, protecting against denial-of-service attacks, protecting against the traditional threats. So basically we’re looking at what more we can do to help out, and I think that looking at different ways of doing federated identity for the global industry is something that we all see the future in.
The technology has got easier, the ability to federate the technology has become easier, and there is the ability and the desire to do it not only on the enterprise side but also on the consumer side. What we’ve seen is now hackers are not as successful in attacking the enterprise, so they are moving to the path of least resistance – the consumer space.
IA: What was the tipping point for you?
HS: The tipping point for me was when I was at Microsoft and we got hacked. We got hacked because of poor password management of a user’s account. That gave someone an entry point to the corporate network. At that point we implemented smartcards for remote access, and now company-wide at Microsoft you have to use two-factor authentication in order to log in. [Such ‘strong authentication’ involves the use of two or more forms of identity like a fingerprint in conjunction with a password.]
IA: How do you see the federated network spreading from big names like eBay or AOL into those mid-level enterprises that are not household names?
HS: The analogy I draw is with the spread of credit and cash cards. Previously, you had to use your card in your bank’s machines or perhaps it was accepted in a few other places. Now I don’t even need to buy euros when I travel – I know that somewhere there will be a machine that is part of the network. And that is how it will spread to smaller enterprises.
IA: But of course security is not just a technological problem. How do businesses need to change their processes to go from being a trustworthy enterprise to a trusted enterprise?
HS: I look back to the old model of software development. There used to be a time when software developers would create something and thrust it upon their customers. The attitude would be: “Here’s what we’re giving to you, now use it.” And the response was often: “But we didn’t want it.”
Now that model’s changed. Vendors are coming to us and asking what we want in the next generation of their products. I think that’s the same thing that’s changed in the successful models of ecommerce – don’t shove something on people; let them tell you what they want and go build it for them.
IA: You have pointed out in presentations that two thirds of CIOs are linking up security to business processes. What can the rest do to convince their colleagues to take the threat seriously?
HS: Like so many other things, it’s an evolutionary thing. Before there were CIOs, there was nothing out there, so people had to learn what the CIO did. And now there is another thing, the chief security officer and chief information security officer, such as myself, who speak a totally different language. But, half of the time, the CIOs don’t understand what the security people are talking about – which is why now we’re often in separate organisations. But it’s just part of the maturation process. A colleague in another company asked me once: “I work for a company that has got its head in the sand over cyber security. The CIO doesn’t want to hear about it and the lawyers don’t want to talk about it. What advice do you have for me?” I told him to find another job, because if you’re not paying attention to that sort of thing in the world today, there’s a strong likelihood that that company is not going to be around three or four years down the road. If you’re not paying attention to it you’re not satisfying your customers, and so they’ll go to someone else. If you’re not selling the security message to the customer or security’s not part of your processes, you’re not going to be able to compete in the world today.
IA: On one hand you have organisations trying to encourage the opening up and sharing of information, and on the other you have the damage to a company’s brand and reputation caused by the disclosure of a serious security error. How do purely online companies like eBay balance those pressures?
HS: I have yet to see a major event against any online retailer that didn’t get out into the media’s eye in some form or another. And even if you go back to 2000 when Microsoft got hacked, not only was that out in the public but I was very open and talking to the media about it. Because one of the issues is this: if someone breaks into your house are you the bad guy because you didn’t have the burglar alarm in place? No, the criminal is the bad guy. So when I went public and reported it to the FBI, the encouragement was to not let people get away with this. Hold them accountable for their actions; after all, you’re the victim. The fact I have an open web server does not give someone the right to attack me. So why should you not be willing to go to the police? People shouldn’t hold that against you.
IA: Phishing was the biggest security issue of 2004. Will federated identity and strong authentication solve it?
HS: This time next year we’ll be saying, “Remember last year we had that problem with – what was it called – phishing?” There are multiple reasons. There is a significant amount of investment in technologies such as smartcards and twofactor authentication; personal firewalls are now blocking phishing; and anti-spam software and antivirus software is filtering it out. With eBay specifically, we have the ‘account guard’ feature on our toolbar that signals either red or green, so if you do get a phishing email and you click on it and it’s not from eBay or PayPal it will turn red and tell you it is not real.
So one piece is technology – the second is competition. Even with our competitors, if we find a hacked website that [links to a phishing site], we’ll identify that and ring our competitors up. We leverage each other. Maybe in Malaysia my US company’s reputation might not be as good as, say, a locally known Australian Internet bank. In that case, if they call up the Malaysian company hosting the bogus site and say, “you need to take this down”, they’ll get a much better response. The third piece is education and awareness: the ISPs are doing it, the e-commerce folks are doing it too.
But as a result of increased use of twofactor authentication, a lot of the hacking will go away, fraud will go away because you no longer have issues around nonrepudiation, issues around identity theft will start to trickle down and phishing goes away because you have strong authentication.
These parts cover probably 95% of the problem but the last 5% requires law enforcement. You will always need that extra 5%.