I'm maintaining an Intranet website for my company that they want to expose to the big, bad outside world. Right now, it has no authentication or authorisation whatsoever. My idea to manage user accounts is by using existing technologies to validate user accounts and build an authorisation model on top of this. Existing techniques would be CardSpace and OpenID, which would save us from maintaining lists of usernames and passwords, thus making the site less interesting for hackers. The data on the site isn't that sensitive either. Actually, we just export the same data to users of one of our desktop products as XML, and anyone can view this information if they know where it is. We're just blocking everyone from modifying the data, except for a few super-users. At worst, a super-user destroys all data, in which case we'll have to restore a backup. In the worst case, we lose one day of data entry, which would translate to a hundred modifications at most. (98 was actually the highest number of modifications in a single day so far.)
All in all, it's not very critical data. We just want some security added to it all.
Now, management has suggested building an additional database where we would store usernames and passwords, adding encryption and doing all kinds of other things to protect this user data, and they're basically making up all kinds of weird schemes to handle user accounts. None of them is experienced with the technical aspect of software design and none of them has any knowledge about making systems secure. Thus, their designs become complete Chaos. (With a capital C.) It has already taken them two months to come up with a functional design, since they even fail to agree with one another on certain security aspects.
So they asked me to provide them with an easy-to-understand insight into proper security. Since I know that both CardSpace and OpenID are reasonably secure, I want to introduce these to them as the best options for managing accounts. Add a simple role system to this, where every account is connected to a special role granting additional rights beyond "View only", and this would be quick to implement and easy to maintain. Building this, making a proof-of-concept and finding enough technical information is easy. I only have one question...
How do I explain techniques like CardSpace and OpenID to people who have absolutely no technical background? Something like "OpenID for Dummies" but even easier to understand. I am having trouble finding the proper words without becoming a bit technical again. (And worse, if I fail to explain this correctly, they might decide not to use this technique and I'll be doomed to implement a monstrous construction.)
Please, Help! :-)
Oh, well. Simplified question: How do I explain in non-technical words the advantage of using OpenID or CardSpace over any home-brew solutions?
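As an added example (not code from the original question or from any OpenID/CardSpace library), the following shows what the "simple role system on top of an external identity" design from the question looks like in code: the site stores no usernames or passwords, only a table mapping verified identities to roles, with view-only access as the default for everyone else. The class and function names, the sample identity URLs and the shape of the verified-identity record are assumptions made for this illustration; the actual assertion verification is the identity provider's job and is not shown here.

```python
"""Added example, not code from the original post: a minimal authorisation layer that
sits on top of an external identity provider (OpenID, CardSpace, or similar).

Design point: the site stores no usernames or passwords at all. The provider proves who
the user is; the site only keeps a table of which verified identities hold which role.
Everyone else, verified or anonymous, gets view-only access. Class and function names
and the identity URLs used as samples are assumptions made for this illustration."""
from dataclasses import dataclass
from typing import Optional

VIEW_ONLY = "viewer"
SUPERUSER = "superuser"

# Role required for each action. Viewing needs no role (the data is public anyway);
# modifying data and managing roles are reserved for super-users.
REQUIRED_ROLE = {
    "view": None,
    "modify": SUPERUSER,
    "grant": SUPERUSER,
    "revoke": SUPERUSER,
}


@dataclass(frozen=True)
class VerifiedIdentity:
    """What the identity provider hands back after authenticating the user.
    The site only ever sees an opaque identifier (e.g. an OpenID URL), never a password.
    `verified` is True only when the provider's assertion passed verification."""
    identifier: str
    verified: bool


class RoleStore:
    """Maps external identifiers to roles. No credentials live here."""

    def __init__(self, initial_superusers):
        # Bootstrap: the few super-users are seeded by configuration, not self-registration.
        self._roles = {ident: SUPERUSER for ident in initial_superusers}

    def role_for(self, identity: Optional[VerifiedIdentity]) -> Optional[str]:
        if identity is None or not identity.verified:
            return None                      # anonymous or unverified: no role at all
        return self._roles.get(identity.identifier, VIEW_ONLY)

    def is_allowed(self, identity: Optional[VerifiedIdentity], action: str) -> bool:
        if action not in REQUIRED_ROLE:
            return False                     # unknown action: fail closed
        needed = REQUIRED_ROLE[action]
        if needed is None:
            return True
        return self.role_for(identity) == needed

    def grant(self, actor, target_identifier: str, role: str) -> None:
        if not self.is_allowed(actor, "grant"):
            raise PermissionError("only super-users may change roles")
        if role not in (VIEW_ONLY, SUPERUSER):
            raise ValueError(f"unknown role {role!r}")
        self._roles[target_identifier] = role

    def revoke(self, actor, target_identifier: str) -> None:
        if not self.is_allowed(actor, "revoke"):
            raise PermissionError("only super-users may change roles")
        # Dropping the entry returns the identity to the default view-only role.
        self._roles.pop(target_identifier, None)


def demo():
    """Runs the model against constructed sample identities and returns the outcomes."""
    store = RoleStore(initial_superusers=["https://alice.example.org/"])
    alice = VerifiedIdentity("https://alice.example.org/", verified=True)
    bob = VerifiedIdentity("https://bob.example.org/", verified=True)
    # Someone presenting Alice's identifier without a verified assertion from the provider.
    impostor = VerifiedIdentity("https://alice.example.org/", verified=False)
    results = {
        "anonymous can view": store.is_allowed(None, "view"),
        "bob can view": store.is_allowed(bob, "view"),
        "bob can modify": store.is_allowed(bob, "modify"),
        "alice can modify": store.is_allowed(alice, "modify"),
        "impostor can modify": store.is_allowed(impostor, "modify"),
    }
    store.grant(alice, bob.identifier, SUPERUSER)
    results["bob can modify after grant"] = store.is_allowed(bob, "modify")
    store.revoke(alice, bob.identifier)
    results["bob can modify after revoke"] = store.is_allowed(bob, "modify")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point to carry into a non-technical explanation is visible in the code: the only thing the site has to protect is a short list of who the super-users are, and the `verified` flag is something the identity provider establishes, not something the site computes from a password it would otherwise have to store.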
You could sell it with the "Verisign" argument.
We could all generate and store our own strong cryptographic keys, but it's a huge overhead and Verisign do it for a nominal charge, and like a secure bank (not that there are too many of them around anymore) it has a huge amount of trust from the business community, and while there are other companies providing the same products, Verisign is the market leader.
Another aspect of Internet security is user IDs and passwords.
An OpenID is like (forgive the metaphor) a passport: it proves who you are because you have declared your identity to a trusted agency (the issuing country for a passport, Verisign et al. for OpenID) and it can thereafter be used to prove who you are.
Verisign provide OpenIDs; Verisign are trusted in the marketplace; ergo, you can trust OpenIDs.