Coverage AreasServicesAbout UsPressClient AccessComplimentary ContentContact Us
Burton Group Home  


Burton GroupPress
 About 
 Categories 
 Burton Group News
 Digital Rights Management
 Directory Services
 Essays & Columns
 General
 Identity Management
 Infrastructure
 Personal Notes
 Science
 Security
 Web services
 Recent Posts 
 Hurry, Get 'Em While They're Hot!
 Signs of the Times?
 Seriosity Looks Interesting
 IdPS Blog is Up
 Microsoft's Open Specification Promise
 Cloning RFID Passports
 The End of This Story?
 Can You Say "BackLash"?
 What About Bob?, Part II
 On Blakley
Jamie Lewis - CEO and Research Chair
Opinions from Burton Group's CEO and Research Chair

« More on LID | Main | BMC to Buy Calendra »

January 10, 2005

Security Breach at George Mason University

This story on News.com demonstrates all too well that, while they solve some problems, centralized identity stores create other problems.

According to the story, intruders broke into a server that's part of the university's identity card system and downloaded personal information on thousands of students, faculty, and staff, including social security numbers. While the story says that university officials believe that the intruders weren't after the specific identity data that they got, I doubt that they were disappointed in their bounty.

I was talking to Kim Cameron last week about the British ID card efforts, and he used a great term to describe the problem: "information calamity." Centralized identity stores automatically become prime targets for criminals and other nefarious folks. Yes, with fewer stores we can, in theory, protect them better. But when you build a fence around something, you sometimes only bring it to the attention of the folks who want to break in. And if (more like when) someone breaks into the right kind of store, there will be hell to pay.

I'm not saying we won't have identity stores; we obviously have to. But as identity systems aggregate information, they also aggregate risk. And the custodians of those stores must take the proper precautions, including risk and threat assessments and the implementation of a reasonable protection posture.

January 10, 2005 in Identity Management | Permalink


 

HomeTerms of UsePrivacy PolicySite MapFeedback © 2003 Burton Group. All rights reserved