When the director of the Central Intelligence Agency quits fifteen months into the job, that is news.

When that director is a retired Army general and former commander of US and International Forces in Afganistan, something is going on.

When the whole issue is due to email security and privacy … we are in unchartered waters.

The Quick Back Story

According to the Associated Press, general Petraeus had an affair with his biographer, Paula Broadwell, that began shortly after his retirement.  While showing incredibly poor judgement and opening himself up to blackmail, this act was not illegal.

Again, according to A.P., Petraeus wanted to avoid a paper trail, so he and Broadwell shared an email account.  They would create draft messages and share them with each other, then delete the message, eliminating the trail of evidence.

Then things get weird.

A Tampa, Florida socialite named Jill Kelly starts receiving anonymous, harassing, private emails and complains to the FBI.  The FBI takes the investigation seriously, and, after a series of events, Petraeus resigns.  The primary theory is that Broadwell logs into Patraeus’s other accounts – perhaps they have the same password, perhaps he leaves gmail logged in – and finds email to Kelly, creates an anonymous account, and begins the harassment campaign.  The FBI works this backwards and eventually Petraeus is forced to resign.

Whew.  With me so far?

General Petraeus’s successor in Afganistan is Marine Corps General John R. Allen, about to be appointed to the position of supreme allied commander Europe … except the FBI found a bunch of “flirtatious” emails from him to Kelly as well, and his appointment is on hold.  (The New York Times referred to it as “hundreds of emails“.)

Now let’s talk about IT policy.

Implications on 21st Century Technology

When known for some time that What Happens In Vegas is unlikely to stay there – thanks to the smart phone, everyone has a camera and an internet connection.

One thing this new wave of technology gives us is the ability to melt down incredibly quickly.  Anthony Weiner, for example, sent an explicit photo and some inappropriate emails, and his political career was over.

Yes, Weiner was doing … other things, the real things that killed his career.  Twitter and the iPhone didn’t do him in, but they made it incredibly easy to create evidence in seconds – where a polaroid and a hand-carried letter might not.

A second surprise around the Petraeus scandal is the expectation of privacy.  By creating an anonymous account, our email harasser expected anonymity   Once the FBI got involved, all pretense of that was gone.  If anything you do online is trackable to an IP address, you might do well to consider it public.

There is at least one more unexpected twist to the story, because the investigation went wherever it found evidence.  By contacting the FBI, and giving them access to her computer, Kelly allowed the FBI to get access to all her email – including the records of General Allen.

Conclusions

I have no easy answers; records you thought you deleted have a way of showing up in system caches.

Except, perhaps, that this situation might be a good chance to take a look at your company’s policies about internet use, separation of personal and work email, about information retention and lifecycle management, or as a good story to use to encourage people into right behavior.

Or, perhaps, just perhaps, the Petraeus Principle will come to be about how to deal with failure with integrity – by admitting mistakes and taking responsibility for our actions.

I’ve been running a blog series for 21st Century IT on about how new technology can change the very concept of employment, hiring, and ‘work.’

At the same time, a few things have been happening that give me pause.

Take last week, for example, when ABC News caught an  airport security agent stealing an iPod in an Sting Operation.  In another segment the same week, ABC News interviewed a  former TSA officer, Pythias Brown, convicted of stealing over eight hundred thousand dollars of personal electronic equipment.

How was Pythias caught?

It turned out that he didn’t bother to remove the CNN labels off some cameras he was reselling on eBay.

How Did He Do It?

Most of us have gone through airport screening at one point or another.  Think about that process.

You take off every single metal thing you own, stick it in a tray, go through the line, grab your stuff quickly, and run off to catch a plane.  Not only are we prone to lose things, but it is likely that when we remember, we are hurtling through the skies at 500 miles per hour in the wrong direction.

If Pythias had any money problems, that provides a motive.  The airport screening job gave him opportunity, and the realization that ‘everyone is doing it’ provided in a rationalization.

Motive, Opportunity and Rationalization are three elements of what investigators call the “fraud triangle.” These three are always present in fraud cases; even the psychopath has the rationalization, even if it is “other people don’t matter.”

Now let’s talk about corporate IT.

Back in the Enterprise

During August and September I worked to help create an application for a Fortune 500 corporation; it was actually in the top twenty.  The work was contracted to a smaller vendor, that kept project management and some testing in the United States, and outsourced most of the development to a developing nation.  I don’t have a problem with that; I logged into a VPN and pulled the source code down and got to work at home.

Now at home, I have physical security; my door is actually physically locked.  I did not fly, but I did work a few days at a local co-working facility.

What about those contractors that do fly?  Unless they pay equal attention to login and access security as the regular employees, then when their personal devices are stolen, the systems they work on could be compromised.  Perhaps not by the TSA Agent, but anyone could buy those devices off of eBay …

For that matter, what about the contractors that have ill intent?

Natural Conflicts

Real security – actual security, not theater – causes inefficiencies in the system.  If you bring in a contractor for two months, then his credentials should expire in two months.  Renewing the contract should take a formal request and approval process, which, most likely, means the contractor could spend a day or two waiting for access to the system he needs to do his job.

Role-based security, where we only allow people to use what they ‘need’, has the same problem.  When the scope expands to include a new database, server, or, sometimes, directory, I need to send a ticket to the help desk for permission and … wait.

Giving everyone all access makes the contractor risk even higher.

How to Fix It

In my case with the subcontracting assignment, all the application really did was create a GUI wrapper for a REST API.  My access was to the contracting company’s network, not the parent — so you could argue that someone did a fair amount of risk assessment and threat modeling and came to some reasonable conclusions.

As companies become more extensive, as we talk in terms of extranets, supplier networks, and the extended sales force, we will continue to create subnetworks, sand-boxes, and role based permissions — with a hard look at the company crown jewels, how to protect them … and what to let go.

Thieves will continue to operate out of airports.  From a security standpoint, we have the choice of locking down everything, giving away the keys to the kingdom, or making sure that what the bad guys can get doesn’t really matter.

The middle way is going to take a fair bit of real, honest-to-goodness security work.

I wouldn’t have it any other way.

As you probably know by know, when Apple Computer Corporation released the newest version of their mobile operating system, iOS 6 last week, the mapping application was broken.  Spectacularly broken.  Loses train station, shrinks tower, and creates new airport broken.  Slideshows of ridiculous glitches broken.

Tim Cook, CEO of Apple apologizes broken.

How did this happen?

A Quick Dose of Reality

Apple Computer launched a major upgrade of it’s operating system across an entire family of mobile devices – iPhone, iPod, and iPad.    The upgrade took ~600MB and was one-click easy.  Devices sensed an upgrade needed to happen, told the user, and upgraded themselves without a hitch.

Of all the major supported to apps on the system, only one fell down: Maps.

Meanwhile, on the PC side, most of my friends don’t both to do operating system upgrades.  They purchase a new computer with the new operating system, or, more likely, limp along on the old OS until they can no longer limp, then purchase a new computer, because the process is just that painful.

All of this tempest over Maps tells me one thing: Location and Direction Applications are now mission critical.

Maps Are Now Mission Critical

Ten years ago, a few forward thinking friends would have a GPS in the car.  If they got lost, they could open the GPS, type in the address, and get directions.  A few years after that, maps started to appear in cell phones.  At the time, I thought this was mostly due to digital convergence (“and it’s a camera too!” / “and it’s a Personal Digital Assistant!” / “And it does email!” / “And it …”)

Over time, people began to rely on these, to the point that they don’t both to get print directions at all; just fire up the iPhone and drive. I confess, after I got my latest iPhone, I’ve done this a time or two.  Now, all of a sudden, these apps go from optional to having to work.

That said, it is king of strange that maps fell down in iOS 6 – the errors look more like data errors than software glitches.  Why would that cause a problem?

Only because Apple replaced the underlying engine driving the software, switching out Google Maps for their own.

This wasn’t an incremental release of iOS maps; it was an entirely new engine.

And there’s one secret that folks might not know about mapping applications.

With traditional applications, you can develop examples (“tests”) up front, and require your programmers to have them passing before the application is passed off to a group that will test the application like a user.  Maps are different.

Testing Mapping Applications is Incredibly Hard

With Map software, there is a second unknown: The data underneath the application can have a problem, and that problem can require massive amounts of late-stage test and evaluation.  Here’s James Whittaker, then a engineering director at Google, talking about that problem (advanced to 19 minutes in by me):

Whittaker gives examples in Google Maps at the time.  Whittaker asks for a walking route from Cambridge to Hall, England, that requires swimming the English Channel – twice. In another example, he shows Arlington National Cemetery, with an icon above it indicating the facility is a resturant.

Again, mapping data need to be scrubbed, and, without massive peer review, ‘unclean’ data purchased from multiple sources and combined in likely to  be a mess.  It took Google years (and lots and lots of temporary and contract workers) to sort out the issues in Google Maps — the main point of Whittakers talk is that, despite the automation rhetoric, manual testers still play a critical role in application development.

To give you some idea of how long this process was, keep in mind: Google Maps went public in 2005 and Dr Whittaker gave his talk five years later, in 2010.

All of the publicity around these problems actually give me hope.

I hope that we are slowly transitioning from a ‘let the users find the bugs’/Facebook/Twitter world (what James Bach calls “Quality is Dead“) to one where companies recognize certain applications as critical, and give test and quality the attention it deserves.

Mapping Applications are mission critical, and there is a chance they might actually be treated that way in the future.

What else is mission critical that we are not treating that way as a society — and how can we change it?

Do you remember Microsoft Passport?

The idea behind passport was a single web-based login.  You could use it for your Microsoft account, then surf on over to Amazon.com and you are logged; surf on over to eBay, or Hotmail, or Etsy, whatever, take your pick, and you remained logged-in.  Combine that with Microsoft Wallet, and you could purchase items direct to your credit card.

It was a great idea, to become part of Microsoft Hailstorm, a collection of web-based services.

Except that, oh yeah, right, it wasn’t.

Microsoft Hailstorm failed and was scrapped, almost exactly ten years ago.  You could argue, I think it’s worth taking seriously, that Hailstorm was ahead of it’s time, and the time actually is today.

Today all the building blocks are in place for an identity service, and it could directly impact your business.

Let me explain

Problems (And Solutions) with Hailstorm

The obvious reason that Hailstorm/Wallet/Passport failed was because Microsoft was unable to secure the partners it needed – the eBays and Amazons of the world were unwilling or unable to trust Microsoft with the login keys.  (For that matter, I suspect neither were the Mastercards or the Discovers.)  A second was the Hailstorm pushed a centralized services model — the applications existed “in the cloud”, and how they would interoperate with your personal devices was murkey.  Finally, in those days, integrating with one of these services was a “project” that probably a small team of people and a large amount of time.  Like the chicken and the egg, companies didn’t offer passport because it did not guarantee users, and users didn’t sign up because they couldn’t use it anywhere.

Facebook, on the other hand, hit 500 million users two years ago.

Beyond Facebook, there are several other popular options, including a Google Account, Twitter, or Linkedin.  On some “badge” or point-based sites, like StackExchange, I have lost track of which account to log in as, which means I have three accounts, each with about a third the points I should have.

It also means new website don’t need to build an authentication feature; they can re-use a code sample from one or two companies and be off to the races.  Instead of taking time, sharing authentication suddenly saves you time.

Back in the Enterprise

“Bring Your Own Device”, or BYOD, is getting a lot of press right now; there are entire conference tracks about it.  The gist of BYOD is that journalists got frustrated they could not get iPads, so they bought them for themselves and started using them for work — and started blogging and writing about it.

I’m only mostly kidding.  iPhones and iPads (and that other thing about a robot, and the one that’s a fruit) all can take time that used to be ‘lost’ to the business and make it productive.  It seems reasonable in my mind for people to take the systems they pay for out of pocket and volunteer to get company e-mail and, sometimes, some web services, on those devices.  IT will figure out how to support these folks; it won’t even take very long.

I’m not talking about BYOD here – I am talking about my identity.  Why do I need a separate login for work as I do for LinkedIn?  LinkedIn knows who I am.  They know where I work.  To some extent, it seems reasonable that the company have an interest in my LinkedIn account.  For example, I might make claims about what I do, or claim that I continue to work at the company after my employment ends.

Shouldn’t logging in to the company computer be as easy as logging in to LinkedIn?

It’s not that easy

Oh, I understand the objections.  There are privacy concerns – who owns the data and the login?  There are practical concerns; LinkedIn and Facebook are websites, and I need to authenticate to LDAP and Active Directory inside the firewall just to get to the machine.  Plus there are a pile of permission issues; who can modify what email list, who can FTP to what box, what group am I am a member of and what permissions does that group have on what machines — I get it.  We’ve got a long way to go.

But, for the moment, just hear me out.  What if we started to move our web architecture to make multiple, overlapping authentication schemes available, not just for public websites, but to streamline operations within our companies?

Repeat after me: The future is not Bring Your Own Device; that is the present.

The future is bring your own identity.

Tomorrow

Right now, today, I can stitch together external services I have described above.  I am not talking about that.

I am talking about internal services.

Say you hire a new administrator tomorrow at BigCo.  In Windows Seven and Eight land, he is stuck – he needs a security Wallah to create a user id, then needs to learn a new userid and password combination.

What if, instead, there was a “User my facebook login” button in Windows nine?  What if you configured the machine to allow the first person who clicked it to login, the create his LDAP account based on the user who logs in.  With today’s monitoring software, the risk is minimal, and you’d have to create all logins to external servers, FTP accounts, database, etc, just like the old way.

Again, there is no “login with facebook” feature in Windows 9.

Perhaps there should be.

]]> http://itknowledgeexchange.techtarget.com/unchartered-waters/bring-your-own-identity/feed/ 2