“Identity” Rules On-Line Access (and Offline Too)

Knock Knock … Who’s there – and what can I let you in to do?

In both the real and virtual world this question is no joke as it gets to the heart of the security and well being of a system. As more and more of our lives are lived online and automated systems are performing more and more functions this question becomes increasingly important and harder to answer. The evolution of cyberspace also requires an evolution in the methods used to protect you and your data while enabling an appropriate flow of information and ideas within a safe and secure environment.

When I was introduced to the perspective of Faith and AI it was clear that there was a tremendous opportunity and challenge in combining the two. As a person of faith I do believe that the more the fundamental faith-based values of the world can be incorporated into our real and virtual activities the better but the first big challenge is determining what those values are. While this article discusses fundamental concepts as to how they can be implemented in cyberspace and hopefully provides a perspective from which to view and pursue that challenge, there needs to be a wider discussion in parallel to determine the high level concerns and values that the world can agree on. As the world becomes more and more automated what will the rules of behavior be and how will they be implemented?

Much of the functionality in cyberspace really does come down to controlling what entity can access what data and what actions they can take regarding other entities. This is the realm of Access Control. Access Control is the traditional center of computer security and it is primarily concerned with the identity of the entity that is trying to gain access AND what the entity is trying to do. Many in the field have come to refer to access control as Identity and Access Management (I AM) with the Identity portion dealing with the authentication of the entity attempting to perform an activity and Access Management dealing with authorizing, or not authorizing, the entity’s ability to perform a requested activity.

 

Identity

Whether the “actor” is AI or not, its Identity is a critical element in access control decisions. “Who” the entity trying to perform an activity really is must be crystal clear. Identities can represent human users or automated processes that are attempting to perform a particular activity. The industry has put a lot of effort into authentication (AuthN) over the last number of years and it has done a pretty good job of evolving it to try to meet the demands of modern computing environments. However there is still work to be done.

Fundamental Identity questions for the AI community include: When does the AI rise to the level of an Identity “who’s” interactive capabilities need to be controlled (vs. an isolated self contained system) and how do you define the limits/boundaries of an AI entity so that it can have a specific Identity that is known and limited within a larger system or environment?

Once these questions have been answered for a particular system and a known entity has been defined, the AI identity can be treated like any other Identity type. Often this means that by executing a particular protocol, beyond simply logging in, it can become part of a population of known and trusted entities/Identities. Trust in this population and at this stage of the access control process simply refers to trusting that the Identity is “who” it says it is when it tries to do something.

 

Access Management

Identity, however is just the first step in Access Control. The next question is what is this entity allowed to do? Or more specifically, is it authorized to perform the activity it is requesting? You can’t just open the gate and let them in uncontrolled and this is where Access Management/Authorization comes in. It is the responsibility of the system that the actor identity is attempting to access (the resource) to control what actions the actor can take. These actions can include accessing its data or initiating other functions. Either way the resource can protect itself by implementing policies/rules that determine if a requested activity is allowed by a particular Identity. This can create a barrier around the resource that can only be accessed by authorized members of the trusted population mentioned above. For those familiar with the “walled garden” model (where the actors and resources are behind a common wall) this represents an evolution to a different structure where each resource has its own “wall” within an Identity pool that could possibly operate under an agreed upon set of high level rules/values.

While there are a number of methods that could be used to implement these policies, industry development in the Authorization (AuthZ) space has lagged behind that of Authentication (AuthN). Much of the AuthZ used by the industry today has not evolved in a way that effectively deals with modern systems and new methods must be implemented. Inadequate authorization is a major contributing factor to the security breaches we hear about so often and proper access control is at the heart of the solution. AI can play a significant role in the authorization process and possibly even add values into the mix but care must be taken as the AI would not just be doing isolated analysis—it could be in control.

As for controlling AI, access to data is the life blood of many current AI systems and controlling access to specific data can either limit or enable AI’s functionality. If an AI algorithm cannot get the data it needs, it cannot produce a result. Therefore controlling this access is one way to control what AI can do (i.e. what jobs it can replace and what actions it can take, etc).

With surveillance capitalism on the rise and situations like Facebook’s handling of user data and the Cambridge Analytica scandal, the industry is certainly aware of its data security problems but truly effective solutions have yet to be developed. Once the data is “out”/available it can be used any way imaginable and simply “opting out” of sharing your data does not solve the problem as companies like Google and Facebook etc already control so much data about you that, for many purposes, they don’t need to ask anyone for permission to access and use it. Additionally opting out does not protect your information from hacks.

In conclusion, the challenges of controlling AI and using it to create a better world can be addressed in part by better Identity and Access Management (I AM). While I’m not comparing it to “the Great I AM,” I do believe it is a place where the fundamental values of the world could potentially be incorporated. This all gets back to policies/rules or even something like commandments. If effectively implemented, and at a very high level, faith and the common good can be addressed by the authorization policies and systems that are used to make access control decisions and I hope we can all work on this together.

X