When I reviewed the Pan-Canadian Identity Management & Authentication Strategy in 2008, my first interest was to understand what it could mean to my client’s identity management projects. In the area of Identity Assurance I was, frankly, hoping that this new framework would not stray too far from the baseline standards and methods I had been using since 2003.
It turns out that the Pan-Canadian Assurance component was fairly close to the approaches I was already using. Where it differs is primarily in terminology or in the way the classifications for information, registration processes, credential strength and overall assurance have been organized. Another difference is in the ‘stitching together’ of all components that make up Identity Assurance.
To put this to use on your projects, you need to first establish organizational standards that are aligned with the Pan-Canadian Assurance component:
- Create a set of four information classifications — and provide examples of your own information when you draft this standard. These map to your requirements for Identity Assurance Levels.
- Document standards for registration processes that map to the Assurance Levels. These don’t have to be detailed use cases, but rather descriptions of minimum process sets that are needed at each level.
- Select different levels for credential strength by combining passwords, ‘secrets’, issued authenticators, and — if it is applicable to your business applications — biometrics. Keep in mind that the quality of the operational infrastructure needs to be consistent with the authentication events you plan to support.
Once these standards are in place your system design can be formally supported. The process that each project will need to follow is summarized as follows:
- Classify the information that will be accessed — this becomes the Security Classification of Information.
- State the Identity Assurance Level required (it is the same as the Security Classification).
- Determine which Registration Process will be required to match the Level of Assurance.
- Select a Credential Strength at the same level. This is a critical decision — it needs to be strong enough while still being affordable and sufficiently convenient to use.
- Review the design: analyze the levels assigned in each category and document.
One final comment: the Pan-Canadian Strategy defines a framework, not a set of fixed rules. Adapt the models and components described in the strategy to suit your business needs. Provided you don’t stray too far from the intent of the framework, your systems will still be able to interoperate with others that based on the framework.
Tired of reading? Check out the 72 Things I’ve Learned About IAM…
For more information on designing identity assurance systems and processes, please contact Code Technology at firstname.lastname@example.org or 780.990.7742.