Seven Flaws of Identity


I'm at Burton Group's Catalyst conference today. I'll be blogging some things here and some over at Between the Lines. I just put Jamie Lewis' keynote up there. I've also got some pictures online.

Mike Neuenschwander, an associate research director at Burton Group, introduced what he called the "seven flaws of identity," a take on Kim Cameron's Seven Laws of Identity. Here they are:

  1. Failure of the weakest link mustn't lead to catastrophe. For example, smart card deployments aren't sufficient protection against social engineering and inside attacks. Encrypting the channel doesn't stop dumpster diving.
  2. Don't put the role before the start. Role engineering is important, but it doesn't drive the project.
  3. Not every identity nail requires the technology hammer. Technology may be fine, but without governance, it will fail.
  4. Use of a system invites abuse of the system. Test the architecture with attack vectors.
  5. Identifying things doesn't make them more secure. Identification can improve security, but security isn't an inevitable outcome. Over-identification has repercussions.
  6. Identity isn't about the individual. It's about the relationship. IdM encompasses the services community's need for organization.
  7. There are a lot more than seven flaws.