I've been writing about technology for nearly 20 years, including editing industry magazines Connect and Communications International. In 2002 I co-founded Futurity Media with Anthony Plewes. My focus in Futurity Media is in emerging technologies, social media and future gazing. As a graduate of philosophy & science, I have studied futurology & foresight to the post-grad level.
January 17, 2011 Stewart Baines, Security
Blog readers everywhere will be wringing their hands following the compromise of 1.3 million user login credentials collected by Gawker Media. It could have broader ramifications, given many people's predilection for using one password across many services, and it carries lessons for the enterprise.
Gawker Media, which operates sites including Gizmodo, Lifehacker, and gaming blog Kotaku, admitted that its database and content management system had been compromised. A list of the readers' login credentials had been published on BitTorrent, causing sites such as Yahoo, LinkedIn, Twitter, and World of Warcraft to prompt users to reset their passwords.
This is a perfect example of the need for single sign-on or federated identity systems as a means of solving security problems. Such systems make it possible to manage multiple services with a password controlled at a single point. On the one hand, this potentially increases the risk by providing a single point of failure. On the other hand, with adequate management, that single point of failure can be strongly protected.
We have seen a variety of attempts to manage single sign-on and federated identity in the past, with some limited success in the corporate environment. One of the biggest challenges for companies internally has been the rich legacy of heterogeneous systems already installed, many of which have been created by different teams, according to different criteria. Managing all of these via a single password system is technically daunting.
The problem is exacerbated when dealing with partners on an inter-company basis. Authenticating users across different trust domains between organisations can be not only a technological challenge, but a political nightmare, as different organisational criteria must be met.
On the consumer side, organisations are turning increasingly to cloud-based companies such as Google and Facebook for solutions. These days, many web 2.0 services offer users the chance to log in with their Google, Facebook, or Twitter IDs, instead of creating their own accounts and managing their own passwords.
Consumers these days are having a larger effect on corporate IT policy. As employees inside the company, they are demanding the same kind of functionality they see at home when using everything from photo-sharing services through to instant messaging and collaboration tools.
This presents companies with a problem. To what extent should they allow federated identity to be governed by today's consumer organisations in the absence of internal enterprise solutions, and what are the security ramifications of doing so? This is a problem that will continue to unfold over the next couple of years.