September 17, 2009

Social Networking a Tool for More Secure ID Management?

Among battle-hardened IT security practitioners, social networking is often seen as either a security joke or a bona fide security threat. For one example, see Slapped in the Facebook: Social Networking Dangers Exposed.

But when Facebook Platform Engineer Luke Shepard suggested social networking could be a force for stronger identity and access management (AIM) Wednesday at CSO Magazine's Digital ID World conference, nobody was laughing.

Maybe that's because many security practitioners are addicted to Twitter, LinkedIn and Facebook despite the risks they often warn about -- see [Facebook, Twitter, LinkedIn: Security Pros Warm to Web 2.0 Access]. Or, it's because the speaker before Shepard, IDC Research Director Charles Kolodgy, suggested that social networking and IAM might just be compatible after all.

Shepard pointed out that the basic Facebook set-up allows for trust enhancement. For example, when the user receives a friend request from someone they may deem a stranger, the user is able to see who among their friends are also connected with the stranger. The more common connections, the less of a stranger that person becomes. LinkedIn works in a similar fashion, he acknowledged.

"This is at the core of how identities are established on Facebook," he said. "Adding to the level of trust is that 25 percent of users share their cell phone numbers. With sites like Facebook and LinkedIn, you have what we call real-world identity."

He noted that Facebook profiles are being used in ways beyond their original intent, much the same as how the value of a driver's license has evolved well beyond its original purpose over time.

"Driver's licenses used to be about being able to drive a car, but it has since become required by retailers, government agencies and others as a way for someone to confirm their identity," Shepard said.

One key for making social networking a potent force in IAM is in the various social networking sites coming together to hammer some form of standardization, he said.

He noted that Facebook Connect -- a tool that allows people to use their Facebook account to log into a growing pile of outside websites and services -- has been increasingly embraced by the likes of Netflix, USA Today, Digg, YouTube and Salesforce.com as a way to verify identities and allow those identities to share content with other trusted entities.

"We are working on ways to help other companies enhance communication and trust through Facebook Connect," he said. "This tool really isn't just for Facebook. It's a broader trend that companies are offering real-world IDs. The key is to find a way to standardize all of this."

Speaking before Shepard, IDC's Kolodgy made it plain that he's not a Facebook fan, though he does use LinkedIn. Asked how the social networking realm fits in with the world of IAM, his initial answer was that social networking was something to be avoided. But after a pause, he suggested that the myriad IAM tools out there now could eventually be harnessed and fused with social networking in ways that would benefit everyone.

"The key is that we need to create a larger trust environment, but there are ways to potentially get there," he said, using federated identity management as an example. If sites like Facebook, Twitter and LinkedIn made use of a federated ID credential for additional trust, he said, "We could have something." The goal could also be achieved with something like certificates.

But, expressing a view Shepard would later echo, Kolodgy said, "A lot of this also comes down to standards."

---

DONATION: www.anti-keylogger.org and www.keylogger.org is an independent research projects supported by a team of enthusiasts. If you find this project useful and would like to help foster its continued development, please consider making a donation.

Thanks in advance for your support!