Monday, July 13, 2009

Thoughts around Voting

This post may be a bit more scattered than some of my other posts. Thoughts around the issue are still materializing, so we'll use this platform to help work them out. :-)

The wife and I just returned from taking our kids on a summer vacation to the beach. Because we're midwesterners, the beach, a real beach, is a serious 10+ hour drive. During the road trip, we discussed the current turmoil happening in Iran. For those not following the news, Iran decided to hold public elections for a new president on June 12th. The (then) current President, Mahmoud Ahmadinejad, was declared the winner by the clerical leadership of Iran, causing questions on the validity of the election results. There have been public protests, riots, and killings, media censorship, pretty much the worst possible outcome for an election.

This got me thinking about the election fraud that Iranians are claiming has happened, and how someone might go about trying to avoid it. An event such as an election depends on one thing and one thing only: trust. That trust breaks down because of another fundamental concept around elections that people hold dear: secrecy. Some people are uncomfortable with publicly sharing who they vote for. So, thinking about trust and secrecy, how might the principles of Information Security/Identity Management have helped to control Iran's elections?

It's hard to just focus on trust or secrecy; the two are really interrelated. Specifically, trusting that the election process is on the level, that there is no corruption, is nearly impossible with secrecy. Even in the U.S., the 2000 election of George W. Bush over Al Gore was rife with scandalous talk about election-rigging and ballot-stuffing. Transparency would solidify trust. Let me explain.

Let's say we wanted to set up a re-election in Iran. We're going for a do-over to help stop the protests and uncover the true nature of the people of Iran. Here are the things we could focus on to ensure an appropriate vote:
  • Every eligible citizen is uniquely identified.
  • Every eligible citizen has a specific attribute applied to their unique identity: Ahmadinejad, Moussavi (the challenger), or Abstain.
  • The votes are cast publicly.
  • The attributes are assigned publicly.

Let's look at them one at a time. The U.S. Government uses social security numbers to uniquely identify eligible voters. Does Iran use a similar identity system? Sure, usage of SSN and voter eligibility brings its own unique challenges, such as ensuring deceased voters aren't having votes counted, but by and large, uniquely accounting for every eligible citizen voter is a strong starting point.

Having your vote associated with your name is a somewhat riskier proposition, especially where there might be potentially harmful repercussions around voting against the leader in power. Information Security might be able to help; using the SSN as a base, key exchange technology could protect the identity of the voter, yet still permit them to publicly-track their vote for Ahmadinejad or Moussavi. So, if my SSN is 123-45-6789, and I voted for Moussavi, my SSN gets hashed to a unique ID (say 677-5AJ27-119#29), and I am given that value, and I am the only holder of said value. My unique ID can be placed on an "election board" for my district, and we can see that 677-5AJ27-119#29 voted for Moussavi. This would ensure anonymity and transparency at the same time. If my vote were incorrectly counted, I could contact an election official to have it corrected. You might run into some individuals flip-flopping, but by and large this is as transparent as you can get while still retaining privacy.
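The "election board" idea above, sketched in Python as an added example that is not part of the original post. It assumes a per-voter random secret used as an HMAC key (the post only says the SSN "gets hashed"), and the `DistrictBoard`, `receipt_id` and `voter_check` names, the district label and the sample IDs are all hypothetical. The sketch trusts the registrar to hand over the secret without keeping a copy.

```python
import hashlib
import hmac
import secrets
from collections import Counter

CHOICES = ("Ahmadinejad", "Moussavi", "Abstain")  # the three attributes named in the post

def receipt_id(voter_secret: bytes, national_id: str, district: str) -> str:
    """Derive the public board ID. A bare hash of a 9-digit number has only
    10**9 possible inputs, so a random secret held by the voter is the HMAC key."""
    msg = f"{district}|{national_id}".encode()
    return hmac.new(voter_secret, msg, hashlib.sha256).hexdigest()[:24]

class DistrictBoard:
    def __init__(self, district: str, eligible_ids: set[str]):
        self.district = district
        self._eligible = set(eligible_ids)   # registrar-side, never published
        self._voted: set[str] = set()        # registrar-side, never published
        self.board: dict[str, str] = {}      # public: receipt ID -> choice

    def cast(self, national_id: str, choice: str) -> bytes:
        """Record one vote per eligible ID; return the secret only the voter keeps."""
        if choice not in CHOICES:
            raise ValueError("unknown choice")
        if national_id not in self._eligible or national_id in self._voted:
            raise PermissionError("not eligible or already voted")
        voter_secret = secrets.token_bytes(32)
        self.board[receipt_id(voter_secret, national_id, self.district)] = choice
        self._voted.add(national_id)
        return voter_secret

    def tally(self) -> Counter:
        return Counter(self.board.values())

def voter_check(board: dict[str, str], voter_secret: bytes, national_id: str,
                district: str, intended: str) -> bool:
    """What a voter does at the board: recompute the ID, compare the recorded choice."""
    return board.get(receipt_id(voter_secret, national_id, district)) == intended

def demo() -> tuple[bool, bool, Counter]:
    # Constructed sample IDs, not real identifiers.
    d = DistrictBoard("district-7", {"123-45-6789", "987-65-4321"})
    s1 = d.cast("123-45-6789", "Moussavi")
    d.cast("987-65-4321", "Ahmadinejad")
    ok = voter_check(d.board, s1, "123-45-6789", "district-7", "Moussavi")
    wrong = voter_check(d.board, s1, "123-45-6789", "district-7", "Ahmadinejad")
    return ok, wrong, d.tally()
```

Anyone can recompute the tally from the published board, while only the holder of the secret can tell which row is theirs.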

Technology aside, another thought we had about this while driving was that most fledgling democracies seem to end up running into the same difficulties that Iran is running into; mainly, they have an election, the winner of the election has doubt cast upon them due to lack of trust in the government, and they are thrown into civil war. Again, trust is at the root of the issue. What if a third party were given the power to steward/operate the election? What if the United Nations ran the election, or created a separate, independent arm to run the election? Would that help to solidify the trust in the election results if it were run by a politically unbiased party? Could there ever be political unbias in something as political as an election for the head of a country?

Wednesday, June 10, 2009

Identity Management and Airport Security

I just returned from speaking at the Financial Information Security Decisions conference (held by Techtarget.com - check it out) in New York with colleague Kelly Manthey from Solstice Consulting; the conference was great, and our presentation seemed to be well-received.

As we were waiting at the airport for our horribly-delayed flight out of Newark, our conversation turned to airport security. Now, there are a few very good blogs out there, written by very smart people, discussing airport security, so I won't get into the Transportation Security Administration here. However, Kelly and I ran into an interesting subset that I thought might make for good discussion here.

Kelly was expressing how she found it somewhat frustrating how all airports apply security to protect the aircraft and its passengers, but they all implement it in a very different manner. The screening process at Chicago's O'Hare airport, for example, is slightly different than at Newark. At O'Hare, you can use TSA-approved bags for your laptop so you don't have to take it out and display it while going through screening. O'Hare even has signs posted that explain how it's acceptable for you to use one of these laptop bags. The TSA even posts their policy on their website.

Yet at Newark, Kelly was asked to pull her laptop out of this TSA-approved bag and display it, "to ensure it wasn't tampered with."

When we thought of it in the context of an IT problem, rather than a physical security problem, our viewpoints shifted slightly. Perhaps it's a problem of not having architectural standards. Perhaps the scanning equipment is different at each airport. The TSA doesn't regulate that all airports use the same scanning/xray equipment, right?

That had us thinking...and this is where the identity management part of this comes in. Think of an airport as a corporation, and the airplane as the highly-sensitive...database, I suppose. You need to be able to move people in and out of this highly-sensitive database, but there is a risk that a small percentage of this audience has malicious intent.

How do you determine which sources (in this case, people) are to be trusted and which are not? There are two answers: authentication, and authorization.

Travelers are authenticated through their driver's license or passports. However, all those documents do is tell you that person knows how to drive or can follow a process for international travel. They don't give you any of their history so you can determine intent or credibility. This is where some principles of identity management directly clash with privacy: IdM says to have one source of truth, and privacy says people should be able to choose what you know about them. If we applied an Identity Management concept to this scenario, the driver's license you present to the check-in steward at the airport would contain a record of your employment, credit, incarceration history, aliases, previous addresses, clubs, organizations and affiliations, financials, and health records. That's pretty scary, yes? However, wouldn't it be helpful to have all of that information in one place to begin to determine the intent of an airline passenger?

Ok, so maybe that's a bit too infringing to simply ensure airline safety. I can agree with that. I'm not quite ready to abandon the IdM mindset for this problem though. There is another concept that can be applied here: certification.

Depending on your industry, regulatory laws are starting to request companies perform regular audits of employee access. Asking a manager to review and authorize the access their team has is called "certification"; specifically, the manager "certifies" that the team has appropriate access.

How does that apply to people? When the U.S. Government is working on a top-secret project, they have to be very selective with who they trust to work on it. They have established a process to help determine that trust - security clearance. I won't go into the details in this post, but there's some digging into your history that occurs, some character references might be used, and you are given a clearance level.

The airport works in a very similar manner; pilots and co-pilots have certain clearance levels to permit them access to places that baggage-handling and custodial staff don't. Why not certify passengers?

You can bet that frequent flyers would be interested in skipping the often-multiple-hour wait at security checkpoints, and I'm certain the TSA would appreciate the smaller number of (uncertified) passengers they would have to screen.

Now, there are certainly some issues to address, such as cost. Could the cost savings of not having to continue to ramp-up scanning equipment, hire/maintain TSA employees, customer satisfaction, and managing people outweigh the certification process cost? One would think if we could certify people to handle our national secrets, we could certify people to ride on a plane.

Tuesday, April 28, 2009

Google profiles


It looks like my first true post is coming sooner than expected.

In attempting to solidify an online presence (so people can look me up when they say "who the hell is that?!" when looking through the speakers' profiles for the Financial Information Security Decisions conference), I did the unthinkable: I googled myself.

Everyone should try it. Go ahead. Put your name into Google and see what comes up. Evidently, I'm a sheriff in Minnesota, an Orthodontist in St. Louis, and a techie. Someone's been withholding those additional paychecks.

Anyway, while running this self-search, Google placed a link across the top of the search results: "Are you Brian Schlueter? Register, with Google Profiles!" Google Profiles?

Google has released a new feature as part of their iGoogle suite - profiles. The tagline: "control how you appear in Google by creating a personal profile."

I use a Gmail account. As such, I do play around with some of the features that Google integrates with their suite of apps - I'm a Google Docs user, I'm registered with iGoogle (though I don't really use it all that often), and I even use Google Latitude, because it's neat and it goes against the grain of tinfoil hats and bomb shelters that most security professionals seem to find comfort in.

Back to self-googling. I was logged into iGoogle at the time of the self-google search, so when I clicked the link for Google Profile, it automatically pulled in information from my gmail account - my name, blogs I might follow in Blogger, my Picasa account, and YouTube videos I may have uploaded.

This is a splendid example of extremely solid identity management practices. Google has purchased these companies and integrated their products all under one set of credentials - namely, my email address. Being able to associate my Gmail account used for Blogger registration, and then showing that in my account profile has a very polished, together, and easy-to-use feeling to it. Large companies should take note - Google has recognized that having one account to manage is cheaper for them. It's only one password to remember. It's only stored once. Preferences can apply across all sites. It's slick, and a focus on end-user experience that doesn't often show at an Enterprise level.

Now, though, it can. Sun (and thereby, Oracle) recently announced it was adding support for Google Apps Premier (linked by fellow Blogger Google Operating System), which is the professional, business-focused version of Google's popular apps suite. This includes APIs that permit you to use your organization's existing credential store (ActiveDirectory, SunONE LDAP, etc.) in conjunction with Gmail, Google Docs, Google Talk, Google Calendar, and the Google Page Creator. That's a nice small business solution.

How come the suite of Google products can all use the same set of credentials, AND integrate into your small business or Enterprise? How can Google take my Gmail account, tie it to my Blogger.com and Youtube accounts, and wrap it all together to have me represented in a single identity?

Strong architecture. In this case, in the form of The Google Apps API. We'll make a deep-dive into the Google API in a future post.

Welcome to Multiple Identities!



Here we are; the first blog post. I've thought about starting a blog for a while now. Recently, I committed to writing a book about two topics I really enjoy: Identity Management and Security Architecture. After finally saying "ok, it's time to do this!" and building the outline of the book, I thought it would make sense to start to flesh out all these thoughts rolling around upstairs by testing them out in a Blog.

So, let's talk about this blog. The focus will be on information security, specializing in the two topics mentioned above - Identity Management and Security Architecture. For credibility (hah!), it might help to know a little about me and my experience (or lack thereof). Therefore, this first blog post will be all about me. :-)

I've been in Information Technology for a little over a decade; I started as a PC tech at a small construction company while going to school at a local community college, and ended up landing a well-paying full-time job in desktop support in Chicago, IL working at a large law firm. After a few short months on the phones, I was promoted to the hardware support group, fixing laser printers and taking apart laptops to replace LCDs and whatnot.

This experience carried me away from my home city and downstate to a very large insurance company, working with a team that supported their people in the field that did estimates on car accidents and ensured the hardware/software they used was reliable and played nicely with each other. I did that for a few years, specializing in wireless WAN communications (those folks needed to be able to communicate back 'home' from the middle-of-nowhere) before it became cool and commonplace like it is today. After a while, I was up for a change. The application security team was a growing field in a growing area at that company and had plenty of smart, young talent to corrupt, so off I went.

What a difference. I quickly found myself. Information Security ignited passion in me that I didn't realize was there. I consumed it. Quickly, I became SANS G-SEC certified and started working on large efforts that were re-designing home-grown software and changing platforms (from VB/COM to Java/J2EE) to be more flexible and integrate more cleanly. Eventually I was asked and accepted a spot on a future-facing team that was looking at bringing in some of the first web services into the organization. This team was building a new framework, developing software iteratively, and I was on the team to help secure it. Awesome!

It was during my tenure over these few years in Application Security that I learned the most about web services, XML, WS-Security, ID Federation. I was introduced to Role Engineering and the concept of RBAC. I learned about Kerberos, security tokens, and security as a service. I was hooked.

Around this time, my wife and I decided to try to move back home, so I accepted a position at another large insurance company on their Identity Strategy team. The team has their fingers in a lot of pies, but ultimately it's responsible for ensuring the products at the company all integrate nice and neatly with the home-grown Identity Management (IDM) solution. I've been able to touch various parts of the organization, and have gotten involved with all sorts of interesting projects and spoken to all sorts of interesting people in my quest to ensure new products integrate with the company's application framework.

Not too long ago, a partner with Solstice Consulting, Kelly Manthey, gave me my first public speaking opportunity at the Illinois Institute of Technology's NetSecure '09, which I enjoyed a great deal. Recently, Kelly has asked to collaborate on a presentation for TechTarget's Financial Information Security Decisions '09 conference in New York City, which is even more exciting! We're going to talk about how Identity Management can save your company money! So, in addition to helping organize thoughts for the book, this blog will serve to organize thoughts about our presentation.

That's me in just under 700 words. Don't worry; the next few posts will be much more exciting.

Enjoy your day!