The evolution of Privilege Entitlement & Access Control Systems toward a single user profile for multiple services across multiple devices
“Our passwords are failing us,” said Michael Barrett, PayPal’s Chief Security Officer. He’s not alone. According to the Verizon 2013 Data Breach Investigation Report, roughly 76% of all data breaches were enabled by weak credentialing and user authentication. Thus, we might safely say that most, if not all, of our traditional security measures do little to close credentialing vulnerabilities. If that’s safe to assume, then we need to discuss replacing them with something that does work.
In fact, according to a May 2013 whitepaper, US Mobile Payments Landscape - Two Years Later, produced jointly by the Boston and Atlanta Federal Reserve Banks, mobile payment services are advancing faster than expected, but without much regard to standards and security. The paper notes “unresolved security and privacy issues.” It suggests that “as the (mobile payments) ecosystem matures, it will challenge new entrants in their ability to achieve scale and sustainability,” and it concludes that there is “the need for interoperability, industry guidance and standards to ensure a secure and cost-efficient ecosystem.”
Yet the story is bigger than that. You’ll hear us repeat phrases like “Secure Credentialing” or “Privilege Entitlement and Access Control.” That’s because it’s actually the correct way to think about things like Mobile Payments. After all, what are “Mobile Payments”? Aren’t they your ability to pay, crammed into your phone? What are we cramming into that phone? A credit card or debit card? What’s that? A credit card is nothing but a piece of plastic, with a number written on it, which represents your PRIVILEGE to use a pre-approved bank line of credit. Now just consider how many credentialed privileges we enjoy on a daily basis: driving a car (driver’s license), boarding a train or plane (ticket/boarding pass), entering a building (security badge), international travel and immigration (passport/visa), accessing government services and entitlements (Social Security card/Medicare card), network access and logon (password/PIN), using a cell phone (SIM card), employment (corporate ID), education (school ID), healthcare (health card), and web services (SSL/PKI certificate). We enjoy these privileges daily without even thinking about them, and every one of them is represented by a credential of some sort. Of course, these privileges are extremely valuable, which is why people try to steal them or damage them. Thus, the credentialing system is nothing but an access control system designed to protect access to those valuable privileges. With seemingly countless data points and frequent news reports of data breaches, it’s hard to argue, with a straight face anyway, that what we have been using to protect our valuable online assets, services and privileges actually works. Biometrics seem inevitable.
Of course, the privileges are represented by a numeric value, aren’t they? A card number? A user ID number? (We are all “just a number” to them, aren’t we?) Those ID numbers are being digitized, but they still represent the same entitled privileges. They can be, and are being, stored in computer files within our PCs, laptops, tablets and smart mobile devices. And so, as we step back to account for this movement, we can see the evolutionary migration of all our credentials into our smart devices, which are increasingly mobile. In fact, we see major technology providers attempting to stand up “digital wallets” exactly for the purpose of administering those digitized privilege credentials. For sure, one day soon, all our credentials will reside in our smart mobile devices. Those devices will communicate and guard those privilege credentials. Consequently, each mobile device and credential must interoperate with the multitude of disparate services and providers accessed by the credentials housed in the device.
What are your thoughts?