Wednesday, August 08, 2012

Hacker pwns Apple and Amazon

WIRED journalist Mat Honan suffered the hack heard round the world last week. My friend, Identropy's Nishant Kaushik wrote up an excellent summary of what occurred, why it occurred and what steps 3rd parties (like Apple & Amazon) have taken to prevent a recurrence as well as ways you can combat such an occurrence.

As I said, it's an excellent piece, with only one or two minor flaws but flaws that need to be discussed and, hopefully, corrected.

As part of the remediation, Nishant says:

"Nonetheless, every business dealing with identity management of customers in any way needs to review their model, and if they can’t externalize identity by allowing customers to Bring Your Own Identity, then they need to review their processes and put much better controls in place than those demonstrated by Apple and Amazon in this case."

But the complete failure of 3rd parties (such as Amazon & Apple) to even attempt reasonable security should lead to more mistrust of 3rd party identities (which is what BYOI is all about), not more trust. The Identity Providers (IdPs) failed to do their job.

In fact, this entire episode would appear to justify all those enterprises which refused to get on the Relying Party bandwagon for OpenID and its ilk.

Now some of this disagreement comes thru a confusion of terms. Nishant views each of the entities that gave up information about Honan as a primary partner in his identity and is arguing that each should have allowed him to "bring" an identity from a 3rd party IdP which would do a better job of protecting the identity information.

But I look at it as those companies being 3rd party IdPs (with themselves as RPs) because Honan had little or no control over the data they handed out. Had Honan controlled his own information, it's hoped he would have done a better job than those enterprises in protecting his valuable data. And that's what companies of all sizes in all industries have been saying (or, at least, their CISOs have been saying): No thanks, 3rd party, I'll protect my own assets if you please.

The second point I wanted to make wasn't really about something Nishant said, but a point Jonathan Sander made (and Kaushik referred to) in a blog post. But I'll get to that separately.


© 2003-2006 The Virtual Quill, All Rights Reserved
