Since then a number of changes have occurred that have prompted me to update these posts. For example, an Assurance, Identity and Trust Working Group was established by the national Identity Management Steering Committee. This team prepared a report, the Pan-Canadian Assurance Model, that provides more guidance and detail than the original framework.
Having said this, the goal of the model remains unchanged; it strives to standardize identity assurance to allow for provincial and federal systems to interoperate. It is foundational to the broader Pan-Canadian framework, and is key to implementing citizen services across the country.
The identity assurance model is primarily concerned with establishing agreed-to levels of assurance and defining the concepts and terms each party needs to understand. It has an emphasis on federation and looks to support risk management activities within partnering organizations.
The Pan-Canadian identity assurance model is represented in the diagram that accompanies this post.
While this model is an important input into this blog post series, it needs to be supplemented by real-world experience. For each topic in the series, I will inject examples from my experience implementing IAM solutions over the past ten years, and provide insight into the opportunities and challenges offered by the model.
Identity matching is tricky. I have been working on a health-sector project recently where it really matters that the identity in one system matches the identity in another. When access to patient information is being managed, identity matters. A lot.
So when I boarded my flight today my ears perked up when the boarding agent asked his coworker, “Mike, Michael. Okay, eh?” The coworker said she thought so and, after checking a list of allowed first-name synonyms, I was free to board.
Of course, the issue here is that my flight was reserved under Mike while my government ID carries my legal name, Michael. The airline – fairly recently, as far as I can tell – has created this synonym list and added a double check before boarding.
Identity matching matters and I’m guessing we will see a lot more of this type of process implemented for transactions where a high level of assurance is needed.
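The boarding check above is a small instance of a general record-matching problem: two records for the same person rarely agree byte-for-byte, so a matcher has to normalize the attributes and decide which differences are explainable (Mike/Michael) and which are not (a different surname). The following is an added example written for this post, not the airline's or any vendor's code; the synonym table, the record layout and the sample booking and passport records are constructed for illustration.

```python
"""Identity matching with a first-name synonym list (added example).

The SYNONYMS table and the sample records are constructed; a real
deployment would use a curated nickname dictionary and more attributes.
"""
import unicodedata

# Constructed synonym table: canonical legal first name -> accepted nicknames.
SYNONYMS = {
    "michael": {"mike", "mick", "mickey"},
    "robert": {"rob", "bob", "bobby", "bert"},
    "william": {"will", "bill", "billy", "liam"},
    "elizabeth": {"liz", "beth", "betty", "eliza"},
}


def normalize(name: str) -> str:
    """Fold case, strip diacritics (Renée -> renee) and drop punctuation/spaces."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(c for c in stripped.lower() if c.isalnum())


def canonical_first_name(first: str) -> str:
    """Resolve a nickname to its canonical legal name.

    Unknown names map to their normalized form, so they still compare by
    exact equality rather than silently matching something else.
    """
    n = normalize(first)
    for legal, nicknames in SYNONYMS.items():
        if n == legal or n in nicknames:
            return legal
    return n


def match_identity(booking: dict, document: dict) -> tuple:
    """Compare a booking record with the identity document presented.

    Returns (decision, reason) where decision is one of:
      "reject" - surname or date of birth disagree; no synonym can explain that
      "match"  - all attributes agree, directly or via the synonym table
      "review" - only the first name disagrees and no synonym explains it,
                 so a human should look (e.g. a middle name used as first name)
    Date of birth is compared only when both records carry it.
    """
    if normalize(booking["last"]) != normalize(document["last"]):
        return "reject", "surname mismatch"
    if booking.get("dob") and document.get("dob") and booking["dob"] != document["dob"]:
        return "reject", "date of birth mismatch"

    b, d = normalize(booking["first"]), normalize(document["first"])
    if b == d:
        return "match", "exact first name"
    if canonical_first_name(b) == canonical_first_name(d):
        return "match", f"first-name synonym ({b} ~ {d})"
    return "review", f"first name differs ({b} vs {d})"


if __name__ == "__main__":
    # Constructed sample records, not real data.
    booking = {"first": "Mike", "last": "Smith", "dob": "1975-03-09"}
    passport = {"first": "Michael", "last": "Smith", "dob": "1975-03-09"}
    print(match_identity(booking, passport))
```

Note the ordering of the checks: the attributes that a synonym list cannot excuse (surname, date of birth) are tested first, and an unexplained first-name difference is routed to manual review rather than silently accepted or rejected, which is exactly what the boarding agent did.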
In my own city, Edmonton, they have been talking up e-voting for a while now. There was an announcement yesterday that a pilot project is being conducted to validate the process of running an online election.
First of all, I think that this is exactly the type of pilot project that governments must run to be progressive and forward-thinking. These types of initiatives are high value, not just to validate a solution for this defined need, but for the organization’s other online initiatives. And the proposed e-voting identification process is an interesting one…
To be frank, I don’t have e-voting very high on my personal list of municipal problems to be solved, BUT I do have a keen interest in how people are identified online.
The City’s pilot project includes an identity proofing process with a method of collecting identity proofing documents that I haven’t seen before: citizens scan (or take a picture of) their real-world identification, then upload it to the City’s website. Allowed documents include a driver’s licence, passport, Canadian military card, etc.
The image of the identification document is then reviewed manually by employees in the elections department and presumably compared to lists of eligible voters. Only when the document matches up with a previously registered voter will a credential be issued to the citizen for voting purposes.
This approach is convenient to citizens, or at least those that are savvy enough to scan a document and upload it to a website (which is probably a pretty high percentage of those that will consider online voting).
But whenever I see ‘convenience’ cited as a reason to do something online, I can’t help but look for the security and privacy compromises required to make that thing convenient. On first review (I haven’t done a deep dive, so feel free to correct me!) here are a few things that might be compromised by such a process:
How does the process ensure that the citizen is in control of the document at the time e-voting registration takes place? For example, the passports for a household might be stored in a filing cabinet. Let’s say one member of the household is politically active and the rest don’t vote at all. How difficult would it be for the one family member to round up the passports and create multiple e-voting credentials?
There may be a privacy issue here. Scanned identification documents contain a payload of sensitive information. My passport has my legal name and birthdate — two attributes that are useful for the voter vetting process. But it also contains my passport number, my place of birth and my citizenship. None of these attributes are needed by this process, and should not be collected and stored as part of the process. (Update: The City’s 311 service has informed me that the data will be stored in Canada and destroyed no later than December 31, 2012. Also, only authorized personnel can view the data and they are subject to confidentiality agreements.)
Finally, how can one be sure that the scanned identity document has not been digitally tampered with? Paper and plastic documents have physical safeguards to increase reliability. For example, the Alberta driver’s licence has a hologram and a ‘declined width text wave’ feature (and these are just two of a dozen security features). How do these features translate to the scanned image? Assuming many of them do not translate at all, how well does the scan of the document actually prove the citizen’s identity? As a comparison, would such a scan, subsequently printed, be acceptable as ID at the polling station?
It will be interesting to see how these and other challenges of e-voting will be overcome in the coming months.
Instead of thinking of the digital data as something collected by others and somehow used against you, it becomes a mechanism for you to get companies to send you information about things you actually want to buy.
Personal.com, located in the Washington, DC area, has built a personal data service that encourages users to enter personal information into Personal’s cloud-based vault. The service allows people to organize their data into ‘gems’, then send this information to family, friends and business associates. Here are some quick-hit videos that explain the company and the concept.
I have direct experience with personal data vaults and, frankly, the uptake on this type of service is currently poor. It may well be a generational thing, and perhaps time has to pass before enough people will trust a cloud service with their secrets.
But I think that the real obstacle for existing personal vaults may well be the current ‘user pay’ business model. People don’t see the value in a paid-for personal data service — but could they use a service that allows them to control and sell their own personal data?
Personal’s model anticipates a future where advertisers will seek out personal data from prospects and pay for the information. Personal is hoping to capitalize on this by becoming the broker for millions of personal data transactions, and take a percentage of the transaction fees as commissions. We — as rightful owners of the data — get the rest!
Is this the future of personal data? Are we seeing a move away from intrusive data collection for the service operator’s profit alone (the Google and Facebook models) to a world where we own, control and reap the benefits of our own information?
An important issue is being raised by our federal Privacy Commissioner around changes to legislation to combat online fraud and other crimes. These changes look to be more than cursory — they would potentially create a legal environment where law enforcement can implement excessive surveillance on Canadians.
To quote Jennifer Stoddart’s letter to Vic Toews, the Minister of Public Safety:
By expanding the legal tools of the state to conduct surveillance and access private information, and by reducing the depth of judicial scrutiny, the previous bills would have allowed government to subject more individuals to surveillance and scrutiny. In brief, these bills went far beyond simply maintaining investigative capacity or modernizing search powers. Rather, they added significant new capabilities for investigators to track, and search and seize digital information about individuals.
This is an important issue, one worth paying attention to over the coming months.
Because I spend most of my days implementing IAM systems, Identity Assurance is a bit of a pet topic of mine – it seems that IAM design frequently comes back to the type of information being accessed and the quality of the end-user’s identity. In enterprise systems that provide access to sensitive information, a review of Identity Assurance is critical to ensure appropriate controls are in place to protect that information.
Identity Assurance is, according to Wikipedia, ‘the ability for a party to determine, with some level of certainty, that an electronic credential representing an entity … can be trusted to actually belong to the entity.’ Identity Assurance is commonly expressed in ‘levels of assurance’, ranging from 1 (low assurance) to 4 (very high assurance).
When doing IAM assessments I have found many client systems have been built without levels of assurance in mind. Systems with sensitive information are accessed with the same electronic credentials created for a system with basic, publicly-classified information. In other words, an account is created for a simple site and reused for access to a site with more confidential information.
This poses a number of problems…
The credential itself is not of sufficient strength to access the confidential site. For example, the password rules used may be sufficient for the simple site but are not strong enough for the confidential site. This exposes the confidential site to attacks (e.g. dictionary attacks on weak passwords) that would have significant consequences there.
The credential has been issued to a user without adequate identity proofing. There are many examples of low-level credentials from social media sites. An OpenID based on a Google account is not verified as linked to a real-world user – something that may well be fine for access to Google apps. But accepting that same self-asserted credential for access to more confidential information is likely not appropriate without increasing the identity assurance.
The user may no longer be in sole possession of the credential – either they have stopped using it for an extended period (and it may have been compromised without their knowledge), or they are willingly sharing it with a co-worker, spouse, etc. Sharing a credential is actually fairly common within households, especially for access to family blogs, Flickr and other social media sites. Using such a credential for a sensitive application poses a number of risks.
Fortunately there are some excellent standards and frameworks for determining appropriate levels of assurance. These tend to be based on a business-driven information classification exercise, i.e. the level of assurance required is directly related to the sensitivity of the information and how it is used. Once that classification has been performed, the assessment can be done to ensure:
appropriate identity proofing is performed;
the credential is issued in a secure manner;
the credential’s lifecycle is properly managed (e.g. dormant accounts are revoked);
the credential has been properly authorized to be used by the application or site; and
the technical environment in which the credential is used is appropriately managed and secured for the type of information being accessed.
By understanding the information being accessed and applying a standardized process to assessing Identity Assurance, the strengths and weaknesses of the IAM system can be readily determined.
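The five checks in the list above can be turned into a mechanical assessment: give every resource a required level from the classification exercise, give every credential the level it actually earned at each step, and report every step where the credential falls short. The following is an added example written for this post, not code from any of the standards or frameworks mentioned; the four-level scale follows the post, while the 180-day dormancy threshold, the attribute names and the sample credentials are assumptions constructed for illustration.

```python
"""Assessing a credential against a resource's required level of assurance
(added example). Scale: 1 = low ... 4 = very high, as in the post. The
dormancy threshold, field names and sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Credential:
    subject: str
    proofing_level: int          # LoA established at identity proofing
    authenticator_level: int     # LoA the authenticator supports (e.g. password rules)
    issued_securely: bool        # e.g. activation code delivered out of band
    last_used: str               # ISO date of last successful use
    authorized_apps: set = field(default_factory=set)
    known_shared: bool = False   # e.g. a household account used by several people


@dataclass
class Resource:
    app_id: str
    required_level: int          # output of the information classification exercise
    environment_level: int       # LoA the hosting environment is managed and secured to


DORMANT_AFTER_DAYS = 180         # assumed lifecycle policy


def assess_access(cred: Credential, res: Resource, today: str) -> list:
    """Run the post's five checks. Returns a list of findings; an empty list
    means the credential is acceptable for this resource."""
    need = res.required_level
    findings = []

    # 1. identity proofing performed to the level the resource needs
    if cred.proofing_level < need:
        findings.append(f"identity proofing is LoA{cred.proofing_level}, resource needs LoA{need}")

    # 2. credential issued in a secure manner (only matters above LoA1)
    if need >= 2 and not cred.issued_securely:
        findings.append("credential was not issued in a secure manner")

    # 3. lifecycle: dormant credentials are revoked, shared ones are not sole-possession
    idle_days = (date.fromisoformat(today) - date.fromisoformat(cred.last_used)).days
    if idle_days > DORMANT_AFTER_DAYS:
        findings.append(f"dormant for {idle_days} days: revoke")
    if cred.known_shared:
        findings.append("credential is shared; sole possession cannot be assumed")

    # 3b. authenticator strength (the password-rule example from the post)
    if cred.authenticator_level < need:
        findings.append(f"authenticator is LoA{cred.authenticator_level}, resource needs LoA{need}")

    # 4. credential explicitly authorized for this application
    if res.app_id not in cred.authorized_apps:
        findings.append(f"credential is not authorized for {res.app_id}")

    # 5. technical environment managed to the level of the information it holds
    if res.environment_level < need:
        findings.append(f"environment is managed to LoA{res.environment_level}, needs LoA{need}")

    return findings


if __name__ == "__main__":
    # Constructed sample: a social-login account created for a community
    # blog, reused (as the post describes) against a patient-record system.
    today = "2012-06-01"
    social = Credential("alice", proofing_level=1, authenticator_level=1,
                        issued_securely=False, last_used="2011-09-01",
                        authorized_apps={"community-blog"})
    records = Resource("patient-records", required_level=3, environment_level=3)
    for finding in assess_access(social, records, today):
        print("-", finding)
```

Run as written, the social credential fails five of the checks against the patient-record system (proofing, issuance, dormancy, authenticator strength and authorization) while the same credential, if recently used, passes cleanly against the LoA1 blog it was created for. That asymmetry is the whole point of the exercise: the credential is not "bad", it is simply being used for information it was never assessed for.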