Identity Management.
ECA has been defining the principles and
working on the practical issues surrounding Identity Management for
some years, latterly with the Home Office UK National Identity Card
Programme and the Identity and Passport Service where a highly experienced
ECA team advises on the most appropriate levels of Information Assurance,
Security, Privacy and Fraud Prevention measures and how to achieve
Integrity in the overall national Identity Management process.
Identity
management is key to operating in business today and in the future.
The United States has already set various standards that organisations
wanting to work with government must meet (HSPD12/FIPS 201). ECA
has been helping various companies around the world meet these stringent
policies so they may continue their work within the US. (http://tscp.org/)
The process of Identity management is to standardise
communication between organisations, so they can identify the company
and member of staff who is attempting to contact them.
Identity Management
is a matter of establishing the policies and procedures around the
attributes of identity to ensure the integrity of the end-to-end
process. It is the process surrounding the application and enrolment
into any Identity Management system or database that is pivotal.
The integrity of the staff and process around this are crucial. Weaken
or compromise any part and the outcome or product is undermined and
flawed.
This is NOT a matter of technology; technology can
be used to bind an assured or established identity to make it transportable,
predictable and more secure. Technology itself is no panacea in identity
management.
What is identity management, why does it matter?
In simple terms Identity Management is the identification
and management of those attributes that are used to assert that you
are who you claim to be.
- Can I show that I am who I claim to be in a simple manner, beyond reasonable doubt?
- Identity is based on an established biographical record that can be linked to an individual.
- The credential then links that established identity to the person.
The best credentials are an ID Card and linked Biometric attributes.
These attributes
(they may not be fact in the legal sense) are what “identifies” you
as an individual and enables you to be differentiated from others
in an acceptable, manageable manner. These attributes are broadly
those we take for granted:
- Biographical details, increasingly taken from a “Biographical Database” sometimes called a “footprint check” assembled from openly available public records, commercial or government sources of varying accuracy.
- Name
- Address
- Date and place of Birth
- Records from utility companies ie telephone or gas bills to form a link of association of name to place
- Passport
- Driving licence
- Office pass
Increasingly
these simple attributes are insufficient for some travel, commercial
identification purposes, or where strong levels of government authentication
are required. In these cases additional attributes are gathered
and associated with your identity records (informal or formal) to
form a stronger or more “assured” claim of associations that together
can be used to demonstrate that you are you. These are:
- Physiological attributes
  - Speech recognition
  - Gait (eg the way you walk)
  - Other physical attributes or disabilities (eg loss of finger etc)
- Biometric attributes
  - DNA
  - Fingerprint
  - Photograph (sometimes digital)
  - Other biometric attributes (eg iris scan)
How do I prove my identity?
First with documentation or evidence – beyond reasonable doubt?
- A bit of plastic with information?
- An index to a database?
- A credential that links a person to an identity?
- All of these?
An ID card can be a credential that can be used
in low risk situations via visual verification. It can be an index
to a record on a database and work with other credentials, some of
which may be biometric, to link a person to that record. It can also
contain information and be used for offline identity checks.
Why does being able to prove your Identity matter?
In an increasingly
electronic age we no longer sign or authorise a commercial transaction
by pen but instead use electronic tokens, the most important of which
are the credit cards and the electronic office pass.
Last year in
the UK and in many other places in the developed world more financial
transactions were authorised using the internet electronically than
on the traditional “High Street”. The level of credit card and other
types of electronic fraud is rising in direct proportion. All of these
frauds and thefts are possible because the attributes of identity are
weak and can be borrowed or stolen by others to assume unauthorised
attributes of electronic identity: YOURS. This is “Identity Theft”.
Identity Theft
Unless these electronic tokens require
another physical or biometric attribute, they can be stolen
or misused by others for fraudulent financial gain.
In most instances
of so-called “Identity theft” your identity is not stolen
as such but your electronic identity attributes are hijacked for
another person’s use and gain. Recovering the situation where
your credit card has been used, bank account rifled or transactions
undertaken in your name can be distressing and take hundreds of hours
of effort to put right.
Your electronic identity attributes and personal
information are valuable and so ought to be protected appropriately.
Criminals can discover your personal details and use them to open
bank accounts and get credit cards, loans, state benefits and documents
such as passports and driving licences in your name. It is estimated
that more than 100,000 people are affected by identity theft in the
UK each year and this costs the UK economy an estimated £1.7
billion annually.
Integrity in awarding an “Assured Identity”
In certain other circumstances, and increasingly
in commercial or government transactions, your ability, or the ability
of your employer, to prove your identity is of crucial importance
in international and global access to electronic information. Some
commercial or government organisations require other assurances that
work from the basic building blocks of an “assured identity”.
You have an identity as a citizen of a country with the associated
levels of entitlement that citizenship bestows. Within a corporation
you are a citizen but also an employee with access to valuable corporate
information and perhaps transacting with another government or corporate
entity, globally.
In all of these circumstances the Integrity
and assurance of the process surrounding Identity Management is absolutely
vital.
ECA has extensive experience of Identity Management
at National and International level:
- The UK National Identity Card Programme (IDCP)
- The Transatlantic Secure Collaboration Programme (TSCP)
- The UK Identity and Passport Service (IPS)
- The International Proofing and Vetting Working Group
Privacy Issues
The rapid evolution of information
systems is casting a spotlight both on the privacy of personal data
and on those responsible for safeguarding it. Any information that
can be linked either directly or indirectly to an individual might
be deemed ‘private’.
Yet many organisations have a limited understanding of the necessity
and implications of good privacy management. Organisations often
fail to recognise the risks that can arise from poor privacy practices.
ECA firmly believe that privacy issues are vitally
important in the maintenance of assured identity and accordingly
are sponsors of the Enterprise
Privacy Group which was created specifically
to act as the thought leaders in the management of personal information
and to set the standard for good privacy practice.