Automate Everything? Another Cloud Identity Summit Review
At the Cloud Identity Summit (CIS) 2013 Andre Durand led off the morning keynotes, followed by Gunnar Peterson and Patrick Harding with strong presentations of their own. Patrick’s presentation “Modern Identity: Automated, Discoverable, Scalable” brought Andre’s conceptual framework (reviewed in my previous post) down to a practical plane for implementers of identity systems whereas Gunnar’s presentation chimed some cautionary notes. Thus, I’ll review them in reverse order.
Where Andre called out the need for an “identity stack,” Patrick gave it the shape and form reproduced in the figure below.
Source: Ping Identity
But when Patrick argued that we should “automate everything,” that rang alarm bells. I’ve learned that too much automation in any IT system makes it a point of risk aggregation that can be attacked, or go catastrophically wrong.
To be precise, by “everything” Patrick refers to things like the login process, identity domain discovery, client registration and trust establishment. But even so, there are important caveats, such as the fact that automated trust of a mechanism at one level of assurance doesn’t fly at higher levels. That is, you may be able to automate access to all your social networking data with “zero login” (once recognized by your device), but probably not to your medical or financial data.
Gunnar Peterson’s earlier keynote seemed to support my view. On one hand, Gunnar’s title and discussion of “Identity as a Currency” was a good fit with Andre’s conceptual vision (“Identity – the Enabler of Next”). Gunnar’s recommendation that security APIs need to be usable by 17-year-old developers is clearly in tune with Patrick’s notion to “automate everything,” but Gunnar also noted that “identity as a currency” and “enabler” have a dark side, wherein rich-world Facebook logins are worth $3 to legions of advertisers and perhaps at least that much on the identity theft markets of the cybercrime underground.
Gunnar also had a warning for the audience: “Derivatives and collateralized debt obligations (CDOs) were the dry tinder for the financial fires of the Crash of 2008.” He recounted that CDOs were created to enable JP Morgan to lend billions to Exxon after the Valdez oil spill. Even though Exxon was a blue chip company, covering the fines was too much risk for JPM to take all by itself, so the bank came up with a seemingly perfect solution: JPM created the CDO as a new type of product to slice up the big loan and sell off chunks of it on the retail market.
But later, in the mid-2000s, that same CDO mechanism – so reasonable for investment grade loans – was bastardized by the mortgage industry to slice, dice and underwrite subprime loans and so-called liar loans. Thus, the underlying CDO mechanism was the same, but the system around it morphed into financial weapons of mass destruction: initial success, ultimate catastrophe.
This was a good caution from Gunnar, who also published a transcription of his presentation. Do we have to be similarly careful to make sure we don’t end up with a catastrophic success “automating everything” in the identity and privacy space? Automation can be good – if you make it “smart automation” – but strong human oversight and override, informed by risk management and monitoring tools, are required to do that. Too much automation leads to risk aggregation in the mechanism. These concerns are related to the questions raised in these posts: REST Uneasy: Do we need to worry about OAuth? and OAuth 2.0 Assurance Issues. The good news is that I’ve made some progress in turning these concerns into some actionable recommendations, which I’ll have for you soon.