Aggregating Risk


Jamie Lewis reacts to the recent security breach at George Mason University where intruders made off with information about 30,000 students, faculty, and staff, saying "[A]s identity systems aggregate information, they also aggregate risk."

Kim Cameron, on the same subject, says that we need to assume our identity stores will be compromised at some point and plan accordingly:

We need to base our approach to these scenarios on the idea that one day, the store will be penetrated.  We need then to reduce information in the store to the minimum required.  We need to distribute information so breaking into one system gives away as little as possible.  And more than anything, we need unidirectional identifiers such that only access to a metasystem allows assembly of cross-aspect information.

For example, there was no need for George Mason's ID system to contain social security numbers.  Nor, bizarrely, is there probably any reason for it to contain student identification numbers.  It could - I know this sounds primitive - just contain single-purpose identity card numbers.  A metadirectory - which itself contained no substantive information - could provide glue to other identification contexts for those who merit it - and on a case by case rather than carte blanche basis.  This allows many more controls and balances to be built into the system.  (All of this is Law 4)
From Kim Cameron's Identity Weblog
Referenced Thu Jan 13 2005 09:07:55 GMT-0700

Kim's got a great point here. We frequently, because it makes the programs easier to write, gather all the data together in one place. Identity systems should be architected to return only the necessary information and have the ability to gather that information on-demand from various places.
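To make the architecture Kim describes concrete, here is an added example (not code from the original post, and not Kim Cameron's or George Mason's design): a small Python model with one store per identification context, each keyed by an identifier derived for that context alone, and a thin metadirectory that holds keys, grants and an audit trail but no substantive attributes. Breaking one store yields records that cannot be joined to another store, and cross-context assembly is only possible through the metadirectory, case by case. All names, field lists and records below are constructed for illustration.

```python
"""Per-context (unidirectional) identifiers with a thin metadirectory.

Added example, not from the original post.  Each context store keeps only
the attributes that context needs, keyed by an identifier derived for that
context.  The only place identifiers can be linked is the metadirectory,
which holds keys and an audit trail but no substantive attributes.
All names, keys and records are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def context_id(context_key: bytes, person_token: str, context: str) -> str:
    """Derive the identifier a person has inside one context.

    HMAC with a per-context key is one-way: a store holding the derived id
    cannot recover the person token, and without another context's key it
    cannot compute the id the same person has there.
    """
    msg = f"{context}:{person_token}".encode()
    return hmac.new(context_key, msg, hashlib.sha256).hexdigest()[:16]


@dataclass
class ContextStore:
    """One identification context (library, registrar, ...)."""
    name: str
    needed_fields: tuple
    records: dict = field(default_factory=dict)  # context id -> attributes

    def enroll(self, cid: str, attributes: dict) -> None:
        # Minimisation: keep only the fields this context actually needs.
        self.records[cid] = {k: attributes[k] for k in self.needed_fields
                             if k in attributes}

    def dump(self) -> dict:
        """What an intruder who breaks only this store would obtain."""
        return dict(self.records)


def linkable(dump_a: dict, dump_b: dict) -> bool:
    """True if a key of store A appears as a key or value in store B,
    i.e. the two breached dumps could be joined directly."""
    handles_b = set(dump_b) | {str(v) for rec in dump_b.values()
                               for v in rec.values()}
    return any(k in handles_b for k in dump_a)


class Metadirectory:
    """Glue between contexts; holds keys and grants, no attributes."""

    def __init__(self):
        self._keys: dict = {}      # context name -> secret key
        self._stores: dict = {}
        self._grants: set = set()  # (requester, context) pairs allowed
        self.audit: list = []

    def register(self, store: ContextStore) -> None:
        self._keys[store.name] = secrets.token_bytes(32)
        self._stores[store.name] = store

    def enroll(self, person_token: str, attributes: dict) -> dict:
        """Give the person a distinct id in every context; return the ids."""
        ids = {}
        for name, store in self._stores.items():
            cid = context_id(self._keys[name], person_token, name)
            store.enroll(cid, attributes)
            ids[name] = cid
        return ids

    def grant(self, requester: str, context: str) -> None:
        self._grants.add((requester, context))

    def assemble(self, requester: str, person_token: str, contexts) -> dict:
        """Case-by-case cross-context lookup; the only way to link contexts."""
        view = {}
        for name in contexts:
            if (requester, name) not in self._grants:
                self.audit.append(("denied", requester, name))
                raise PermissionError(f"{requester} may not read {name}")
            cid = context_id(self._keys[name], person_token, name)
            view[name] = self._stores[name].records.get(cid, {})
            self.audit.append(("read", requester, name))
        return view


def demo() -> dict:
    """Enroll one constructed person and show what a single breach exposes."""
    md = Metadirectory()
    library = ContextStore("library", ("borrowing_limit",))
    registrar = ContextStore("registrar", ("enrolled_courses",))
    md.register(library)
    md.register(registrar)
    # Constructed attributes; home_address is needed by neither store.
    ids = md.enroll("person-0001", {"borrowing_limit": 5,
                                    "enrolled_courses": ["CS101"],
                                    "home_address": "constructed"})
    md.grant("dean", "registrar")
    md.grant("dean", "library")
    view = md.assemble("dean", "person-0001", ["library", "registrar"])
    return {"ids": ids,
            "linkable": linkable(library.dump(), registrar.dump()),
            "leaked_address": any("home_address" in r for s in (library, registrar)
                                  for r in s.dump().values()),
            "view": view,
            "audit": md.audit}


if __name__ == "__main__":
    print(demo())
```

The `linkable` check is the breach test Kim's argument turns on: the library dump and the registrar dump share no identifier, so an intruder holding one cannot pivot into the other; `assemble` shows that the join exists only inside the metadirectory, behind a per-context grant and an audit entry.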