IAM Strategic Drivers

Identity and Access Management is fast becoming a strategic, enabling technology for business and government.  With today’s business landscape filled with identity fraud and security risks, a well-thought-out and effectively delivered IdM program is becoming critical to meeting business needs.

An IAM strategy directs a real-world IAM program, and the strategy must be driven by business needs if it is to be accepted.  There are many potential roadblocks to IAM projects — cost, complexity, resource priorities, perceived value, etc. — and the strategy is an effective way of removing these obstacles.

So what are the business drivers that need to be considered in an IAM strategy?  Here are four things:

  1. Compliance — Whether it be regulatory compliance, government internal policy or legal restrictions, both private and public-sector organizations must be compliant with privacy and security regulations.  For example, both the privacy needs of the identities being managed and the sensitivity of the information being protected must be considered.  IAM supports compliance in many ways, from suitably protecting access to information assets to providing an audit trail should security be breached.
  2. Competitive Advantage — IdM allows businesses to deliver better services to their customers.  With a comprehensive IAM solution in place, companies can better identify and manage their users’ electronic identities.  This in turn allows for a greater depth of online service offerings.  For example, a bank that offers strong authentication, real-time layered security and robust auditing can better support customers who want to conduct high-value transactions online.  Obviously, these customers are high-value themselves.
  3. Partnering — Federated identity solutions allow for greater integration between business partners. Single sign-on (SSO) and automatic provisioning are just two ways for partnering companies to securely share identity information.  Users in each organization benefit from increased access to information with much lower administrative friction.
  4. Reduced Costs — All businesses are looking to identify ways to reduce or avoid future costs.  IAM offers high return on investment, particularly for larger organizations with complex needs.  For example, Passlogix’s ROI is high given savings in help desk services (fewer password resets), increased user productivity (via reduced or single sign-on) and the product’s ability to easily integrate with legacy systems.
Keeping an IAM strategy targeted on the priority business advantages is the key to a well defined strategy — and this focus is vital to delivering an effective IAM program.

User-Centric IdM

I’ve been working on an Identity Management (IdM) strategy for a client over the past few months.  They have been investing in IdM solutions to meet their needs for several years, so it was becoming important for them to look at the bigger, long-term picture.

A key recommendation in the strategy is to establish user-centric IdM in this organization.  This is based on emerging research that shows users desire more control over identity information, even if that control amounts to simply viewing the information the IdM system possesses.

As I’ve commented on this blog a few times, this emerging user trend is being talked about regularly in industry circles, by select academics and by identity management ‘thought leaders’.  User-centred, or user-centric, IdM can provide practical approaches to meet the increased needs of individuals who wish to better manage their own identity information.

What is less reported and commented on is that user-centric IdM is not a technology, but rather a model or philosophy that is primarily concerned with putting user needs first in IdM solution design.  To be successful, designers of user-centric solutions have to consider the full life-cycle of a user’s identity and be ‘in tune’ with the user’s needs for privacy and control.  Two noted examples illustrate this point.

Three years ago Kim Cameron came to my city to talk about information cards.  This was a completely new paradigm for those of us that had been designing and building centralized IdM systems.  Mr. Cameron’s use case that day was the payment of an online purchase.  He showed how a user with a Visa account could use an information card to present a claim to an e-commerce site.  The claim didn’t have to provide any details about the user — simply that the user had been authenticated and that they, Visa, would honour the payment.  All the e-commerce site had to do was present this claim to Visa in order to receive payment.  The user in this scenario did not have to supply personal information to the web site in order for the payment to be processed (of course, a name and address would need to be provided to the shipping department, but that was outside the actual financial transaction).

Around the same time, Dick Hardt was wowing them at the O’Reilly OSCON conference with his Identity 2.0 presentation.  His use case was that of how he, a responsible adult, might purchase a quality vodka product from the local liquor outlet.  The main point was this: in real life we present credentials of our choosing to clerks in order to prove an aspect of our identity, such as our current age.  Liquor store clerks don’t need to record our name and address in order to conduct the transaction — they simply need to verify that the birthdate works out to the correct minimum age for the purchase and, in effect, discard the information after the transaction is completed.  Mr. Hardt goes on to say that there are technology solutions that can virtualize this approach, hence user-centric and privacy-smart identity solutions can emerge.

In both these cases, the needs of the individuals are considered first.  Mr. Cameron could easily have stuffed the virtual credit card with user information, and made the case that the e-commerce site would highly value that information (think Facebook).  Similarly, Mr. Hardt’s example focused on the only reason the individual would want to present identity information: to confirm one aspect of their identity, that being their age.  Both of these are in tune with the demands of privacy-aware citizens and are excellent examples of user-centric philosophy.
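Both use cases reduce to the same mechanism: the issuer evaluates a question against the data it holds and signs only the answer, and the relying party checks the signature without ever seeing the underlying record.  The following is an added example of that pattern and is not code from the original post or from either talk; the token layout, the field names, the 19-year minimum age, the subject record and the use of an HMAC key shared between issuer and relying party (standing in for the issuer’s signature) are all assumptions made for illustration.

```python
"""Minimal-disclosure claim: the issuer attests a predicate, not the data.

Added example, not code from the original post or from the talks it
describes.  The claim format, the field names and the HMAC key shared
between issuer and relying party are assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
from datetime import date

# Constructed sample: what the issuer knows about the subject.  None of it
# leaves the issuer; only predicates derived from it do.
ISSUER_RECORD = {
    "name": "Pat Example",
    "birth_date": "1990-05-17",
    "address": "12 Sample Street",
}
PERSONAL_FIELDS = set(ISSUER_RECORD)


def age_on(birth_date: str, today: date) -> int:
    b = date.fromisoformat(birth_date)
    return today.year - b.year - ((today.month, today.day) < (b.month, b.day))


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_claim(key: bytes, record: dict, audience: str, today: date,
                min_age: int = 19) -> str:
    """Issuer side: evaluate the age predicate and sign only the answer."""
    payload = {
        "iss": "example-issuer",
        "aud": audience,                          # bound to one relying party
        "nonce": _b64(secrets.token_bytes(12)),   # fresh per presentation
        "age_over": {str(min_age): age_on(record["birth_date"], today) >= min_age},
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_claim(key: bytes, token: str, audience: str, seen_nonces: set,
                 min_age: int = 19) -> bool:
    """Relying-party side: check signature, audience and replay, then the predicate."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = _unb64(body_b64)
        tag = _unb64(tag_b64)
    except ValueError:
        return False
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False
    payload = json.loads(body)
    if payload.get("aud") != audience:
        return False
    nonce = payload.get("nonce")
    if nonce is None or nonce in seen_nonces:
        return False
    seen_nonces.add(nonce)
    return payload.get("age_over", {}).get(str(min_age)) is True


def disclosed_fields(token: str) -> set:
    """Everything the relying party can read out of the claim."""
    return set(json.loads(_unb64(token.split(".")[0])).keys())
```

The relying party learns a yes/no answer, an audience and a nonce, nothing else; the nonce set rejects a replayed presentation, and the audience field stops a claim issued for one site being presented to another.  A real deployment would use the issuer’s public-key signature in place of the shared HMAC key so that the relying party cannot mint claims itself.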

Centralized systems, like the Canadian government’s ePass, scale to millions of users and are well understood by users and designers alike.  But these legacy systems are fraught with challenges related to security, lack of privacy controls and, potentially, accusations of ‘big brother’.  In no way are these systems user-centric — they simply were built in a time when user ‘control over identity’ needs were not a priority.

For organizations like large companies and governments, these systems do a disservice because they ultimately will discourage privacy-aware individuals from using the very online services the IdM system is intending to enable.  Only by adopting user-centric philosophies in solution design can IdM systems meet the changing needs of individuals in an increasingly privacy-aware world.


Secret strength

A while back, I wrote about the three keys to a quality process for using shared secrets in establishing an individual’s identity: quantity, quality and the degree to which a secret is shared.

The quality (i.e. relative strength) of a shared secret is critically important if it is to be used to establish a credential for access to government information.  Quick, rank the following in order of declining strength:

  • a provincial student number
  • your last federal tax return refund or payment amount
  • a randomly generated PIN that is mailed to you
  • your birth date
  • your mother’s maiden name

The student number is a common identifier for the education system.  It uniquely identifies students ‘in the system’ and, in most cases, is assigned at entry into kindergarten and used right through post-secondary.  Its strength comes from its uniqueness, its ability to be independently verified, the authority that issues it (the government), and the strong processes they follow to issue and maintain the number.  However, student numbers are often displayed on report cards, certificates and countless other paper and electronic documents.  It is not difficult to find out a person’s student number.

Dollar amounts from federal tax returns are similarly unique to an individual (or, at least, the combination of the user’s name, perhaps their SIN and the dollar amount is considered unique).  The information is securely delivered to the individual’s household via Canada Post.  It is reasonable to assume that if you answer this shared secret correctly, you are the individual you claim to be — with one exception: others in your household have access to your mail and tax papers.

One-time PINs are useful in e-government applications when issued to individuals for identity assurance purposes.  Often the government will have good information on the identity of the user, have a reliable address and perhaps a request from the user to establish an electronic identity.  A PIN is created, mailed to the user and then provided by the user in a prescribed online credential creation process.  By having appropriate one-time and PIN expiry processes, the government can be reasonably assured that the individual is who they claim to be with one exception: others in the household may gain access to the correspondence containing the PIN.

Your birth date and your mother’s maiden name are both fairly common shared secrets that have the benefit of easy recall for the user, but suffer from overuse and low secret strength.  Genealogy sites, social networking sites and public records can easily be used to retrieve these ‘secrets’.  A large disadvantage to this type of secret is that it does not change — once compromised it cannot be reset to another value (unlike a password) and becomes useless.

It can be seen that none of these mechanisms allow for absolute assurance — and really, without a strong in-person verification there will always be gaps.  However, several online implementations have been successful by combining shared secrets of different strengths when establishing the identity and by notifying the user when the process was executed.  For example, if you wanted to mail the user a PIN but were concerned that it could be used by someone else in the household, two mitigating processes could be used:

1. Send the user a follow-up notice (letter or email or both) when the PIN is consumed thereby alerting them if they had not performed the process themselves; and/or

2. Combine the PIN with additional shared secrets.  A student number and a PIN and one’s birth-date and a previous course mark is a difficult combination to crack, even by someone in the same household.

Striking a balance between the quality and quantity of shared secrets, and introducing a confirmation notice, are the keys to establishing workable online identity assurance solutions.
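As an added example (not the original post’s code or any government’s actual process), here is the enrolment logic the two mitigations above describe: a randomly generated, single-use PIN with an expiry, combined with additional shared secrets already held by the authority, and a notice recorded when the PIN is consumed.  The eight-digit PIN, the 30-day expiry, the five-attempt lock-out, the secret names and the citizen records are assumptions chosen for illustration.

```python
"""One-time mailed PIN combined with additional shared secrets.

Added example, not code from the original post or from any government
system it describes.  The PIN format, the 30-day expiry, the five-attempt
lock-out, the secret names and the citizen records are assumptions made
for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

PIN_TTL_SECONDS = 30 * 24 * 3600  # assumed: a mailed PIN is good for 30 days
MAX_ATTEMPTS = 5                  # assumed: lock the PIN after 5 failed tries
PBKDF2_ROUNDS = 100_000

# Constructed sample of what the issuing authority already holds for a user:
# the extra shared secrets the PIN is combined with (mitigation 2).
CITIZEN_RECORDS = {
    "alice": {"student_number": "123456789", "birth_date": "1990-05-17",
              "last_course_mark": "87"},
}


def _normalise(value: str) -> bytes:
    # Ignore spacing and case so "123 456 789" still matches "123456789".
    return "".join(value.split()).lower().encode()


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalise(pin), salt, PBKDF2_ROUNDS)


@dataclass
class IssuedPin:
    salt: bytes
    pin_hash: bytes
    issued_at: float
    attempts: int = 0
    consumed: bool = False
    locked: bool = False


@dataclass
class Enrolment:
    """Issues one-time PINs, verifies them with extra secrets, notifies on use."""
    records: dict
    notifications: list = field(default_factory=list)  # stands in for mail/email
    clock: object = time.time                            # injectable for tests
    _pins: dict = field(default_factory=dict)

    def issue_pin(self, user_id: str) -> str:
        pin = f"{secrets.randbelow(10 ** 8):08d}"  # 8 random digits
        salt = secrets.token_bytes(16)
        self._pins[user_id] = IssuedPin(salt, _hash_pin(pin, salt), self.clock())
        return pin  # in practice this goes to the letter printer, not the caller

    def verify(self, user_id: str, pin: str, answers: dict) -> bool:
        issued = self._pins.get(user_id)
        if issued is None or issued.consumed or issued.locked:
            return False
        if self.clock() - issued.issued_at > PIN_TTL_SECONDS:
            issued.locked = True  # an expired PIN is never accepted again
            return False
        ok = hmac.compare_digest(_hash_pin(pin, issued.salt), issued.pin_hash)
        # Check every additional secret without short-circuiting, so the
        # response does not reveal which one was wrong.
        for name, expected in self.records[user_id].items():
            given = answers.get(name, "")
            ok &= hmac.compare_digest(_normalise(given), _normalise(expected))
        if not ok:
            issued.attempts += 1
            if issued.attempts >= MAX_ATTEMPTS:
                issued.locked = True
            return False
        issued.consumed = True  # single use
        # Mitigation 1: tell the user their PIN was consumed, so an enrolment
        # they did not perform themselves gets noticed.
        self.notifications.append(
            f"to {user_id}: your PIN was used to create an online credential"
        )
        return True
```

Every secret is compared with hmac.compare_digest and all of them are evaluated before the result is reported, so neither timing nor the error message tells a household member which of the answers they got wrong; the attempt counter keeps the eight-digit PIN from being brute-forced within its validity window.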


CIPS Security Lunch

I offered up a presentation on Identity Management to the local CIPS Security Special Interest Group a few weeks back, and yesterday was the day to present.  I titled the talk Evolution of Identity Management.

The presentation highlights the changes in IdM over the past few decades, from system administrator-controlled centralized systems, to the latest in federated and user-centric models.

Many thanks to CIPS Edmonton for inviting me, and an extra-special thanks to my client, Alberta Advanced Education and Technology, for letting me ‘re-cycle’ some slides for inclusion in the talk.



Identity Renewal

I lost my drivers license this week.  No, not from being reckless or speeding — I lost the physical plastic credential that various authorities use to confirm that I can drive a car, open a bank account or have an adult beverage.

So, here in Alberta, when you lose this rather important identity credential you can turn to our very convenient registry office system to get it replaced.  Some years ago, our government privatized the customer service for all provincial registry services.  Today, there are over 220 locations around the province where you can get counter services for things like vehicle registrations, marriage licenses and so on.

There is a registry office across the street from where I work, and I paid them a visit yesterday afternoon:

Me: I have lost my drivers license.

Registry Agent: Oh. That’s too bad.  Maybe you should slow down or something…

Me:  No!  I lost the plasticized thingy.  Can I get another?

RA: Yes, of course!  Do you have a piece of picture ID?

Me: (handing over my oh-so-precious Canadian passport) Here you go. 

RA: Thank you.

At this point the registry agent glances at the passport picture, glances at me – yup, that’s him – and notes the passport number on an official form.

RA: Has any of your information changed? Hair – brown; eyes – hazel; height – 5′ 11″?

Me: Uh, no.

A few more particulars are exchanged.  Then the agent asks the shared secret question! (Only I could get excited about such a question!  And, at this point, I am positively bristling with excitement!)

RA: What is your home phone number?

What is my phone number?  My jaw drops.  I stop bristling.  Really, is that the best she could do?  I was hoping for some other nugget from the government’s mighty store of personal information.  How about the high school I attended?  Perhaps my health care number? Or my third child’s middle name?  PHONE NUMBER??? C’mon people, give me a challenge here.

Me: (mutters phone number)

RA: Hey, that’s just one number off of my phone number!

Me: Oh.

And that was about it.  I signed a few forms, she pecked a few keys and off the bits flew to the Canadian Bank Note company, the outsourced operation in Ottawa that prints and mails Alberta provincial drivers licenses.  I was given a temporary license until my new plastic-coated beauty arrived.

How does my experience compare with the government’s defined process?  It is based on ‘who you are, what you have and what you know.’  To confirm who I am, the agent uses their computer system to retrieve a picture of me from my last renewal.  So, they have a way of confirming I am who I say I am.  That’s good.

However, a few comments from this experience:

  • The agent forgot to ask me for secondary identification that further identified me and/or proved that I still live in Alberta.  I could have moved to BC or Zambia and the government process prescribes a way to catch this and confirm that I’m still a tax-paying Albertan.  An additional ‘what you have’, beyond my passport, would have strengthened the identity assurance.
  • The ‘what you know’ secret used in this case, my phone number, isn’t secret at all… I use it as my frequent shopper ID at Safeways, and blurt it out regularly in all kinds of situations.  Oh, and it is in the phone book, right next to my name…  I know that this was likely just a secret (among several possibilities) that the registry agent chose off the screen, but perhaps there should be less choice in the process to ensure stronger secrets are used.

There, in a nutshell, are a few issues with the license replacement (an identity credential renewal) process.  But are these significant enough to be of concern?



William the Conqueror invaded England in 1066 and gained control over most of the country within the next decade.  As a new ruler in an unruly land, he didn’t have a good handle on his new subjects.  If he was to quash rebellions, exploit resources and, most importantly, collect taxes, William needed to have comprehensive information.

Enter the Domesday Book.  This exhaustive text recorded details about the land, its inhabitants, their buildings and livestock and pretty much anything else of value in England at that time.  Wikipedia’s entry on Domesday sheds light on how the register came to be named:

The name Domesday comes from the Old English word dom, meaning accounting or reckoning. Thus domesday, or doomsday, is literally a day of reckoning, meaning that a lord takes account of what is owed by his subjects.

Perhaps most interesting to those of us that are involved in identity management, the Domesday Book was the first detailed register of individuals, and therefore was also the first significant identity document for a country.  It not only recorded the names of the land owners and under-tenants, but also enumerated the peasants.  From this, the population of 11th century England was estimated to be 1 million people.

The king was then able to rule from a position of knowledge.  He knew who owned what land, what that land was worth, and who worked for each of the barons.  Domesday told the king what he could tax and the information in the book could not be challenged or appealed.

Knowing the under-tenants of a baron was of particular interest to William — as part of solidifying his hold on the country, he sought these men out individually and had them pledge allegiance directly to him rather than their feudal lord.

Domesday provides an early example of the power of information, especially when that information is held exclusively (and non-transparently) by an absolute ruler.  It is partly responsible for today’s well developed values of accountable government, democracy and appeal processes.

And, I suppose, herein lie the drivers for modern privacy legislation.  In William’s world, privacy was not a concept so the collection of exhaustive information for any purpose was not even considered an issue.  But as these registries became more and more common in subsequent governments, including democracies, the increasingly educated citizenry demanded increased transparency.

Over the centuries, the concepts of ‘need to know’ and ‘information collected for a defined purpose’ became part of the privacy debate — a debate that still rages in the modern world today.


Victoria Conference Feb 6th

Day Zero (pre-conference) of the Privacy and Security Conference in Victoria, BC is over; here are some observations and fodder for future blog entries:

  • Note to self: fly direct.  Transfers in Vancouver not recommended… An unexplained 2 hour delay turned this simple trip into a half-day epic…
  • Very interesting Identity Management workshop put on by the British Columbia Government Office of the CIO.  Lots of info on the Pan-Canadian IdM work, an overview of a great identity and trust model, plus a presentation on BC’s new User Centric identity architecture.  More on this (with links) to come, but start with www.cio.gov.bc.ca/idm.
  • Call me a Canadian sentimentalist, but you can’t beat the “CP” hotels.  I’m staying at the grande dame herself, The Empress, and she’s lookin’ mighty fine for her 100 years…


Shared secrets for establishing identity

We are all familiar with the use of shared secrets for establishing our identity when we do business online or over the phone.  These secrets are things like account numbers, our mother’s maiden name or a dollar amount from a recent statement.

Shared secrets are very useful because they significantly reduce the chances that an imposter can gain access to our information by guessing the information being requested.  Shared secrets are also used when digital credentials are first established, and this is an area of significant interest in the public sector where potentially millions of users need to be efficiently enrolled into government services.

Further, both quantity and quality matter.  As governments strive to move more services online, the question of ‘who is at the end of the wire’ takes on more and more significance.  When digital credentials are being used to access confidential data, the impact of improperly identifying an individual can be catastrophic for both the public authority and the individual.

  • A single shared secret on its own makes a poor choice for identifying an individual.  In almost all cases, even those where non-confidential or low-value transactions are taking place, multiple shared secrets are needed to ensure appropriate identity assurance is carried out.
  • The quality of the shared secret is also critically important.  Using a secret that is relatively easy to obtain — e.g. a professional certification number that is displayed on a certificate in the individual’s outer office — is of less value in identity assurance than a secret that is known only to the user.

The best identity assurance schemes are therefore those that use multiple strong shared secrets — information that only the user would generally have access to and information that, typically, is not known by others.

This last point is somewhat critical.  Sharing of confidential information in a household is very common: spouses open each other’s mail; report cards and bank account statements are left in plain view; and personal details such as birthdates are commonly known throughout the household.

A well-constructed identity assurance process must therefore also consider the degree to which shared secrets are known among a household, workplace or other group of individuals.

Fortunately government organizations have a wealth of citizen information in their databases.  These stores of shared secrets allow a government system to select from a range of options when validating user identity.

An effective enrolment solution depends on carefully analyzing the strength and appropriate combination of multiple secrets in order to select the best ones for e-government applications.


BC Privacy and Security Conference

In a little less than a month, I’ll be escaping the wind-swept, snow-filled prairies for a 3 day visit to Victoria.  The event?  The 9th Annual Privacy and Security Conference.

I attended this conference last year for the first time and came away suitably impressed.  Lots of good speakers, decent content, great location — my hometown no less.  This year, Dr. Lawrence Lessig is doing the keynote.

The plan is to hit a pre-conference workshop on identity to try to get a feel for other identity management implementations, then attend the main conference over the next two days.

And, yes, after a hard day of slogging, 100 different varieties of draft beer can be found at the Irish Times Pub on Government St.


Virtual info cards and choosing the right guinea pigs…

Dick Hardt from Sxip was interviewed last month by IT Conversations on the Government of BC’s plans for a virtual information card pilot.

Mr. Hardt points out that privacy laws in BC and Canada are very strong compared to the rest of the world, and that governments are actually not interested in collecting and linking citizen data unnecessarily.  The goal is to NOT have an electronic ID card like those that are being rolled out in other countries.

There is a lot of interesting information in the interview, but for now I’ll stick to some comments on the implementation.  Mr. Hardt maintains that the virtual info cards are more advanced than traditional tokens because they allow for a user to select what information can be shared with the site being accessed.

The first use case being implemented is not particularly ambitious from an identity standpoint.  Recognizing that government staff tend to work together and often travel to each other’s work sites, there is a need to share wi-fi connections at dozens/hundreds of sites.

Info cards will be used to control a user’s access at these sites.  By integrating the technology into the wi-fi portal, access can be restricted to those that possess a valid info card.   Users that want Internet access at the site simply present the virtual card to gain access.  This results in improved privacy because the card is only used to confirm that the user is allowed access — it does not identify them.

It is an interesting choice for a first implementation.  The users are all known to the organization (typically senior-level staff) and have a well defined need.  Both privacy and security are improved and, apparently, a standard solution can be rolled out to many locations easily.

But most intriguing to me is the user audience.  This implementation targets roving users — and most often these are director-level and higher in government.  As these laptop-enslaved decision-makers roam around the province, the ease of the solution should win converts.  When designs for more tricky info card implementations, such as those for public citizens, arise in the future, the management teams will already be well-versed with the technology and able to make informed decisions.

This is of critical importance to identity and access management systems.  Having had direct experience designing identity systems in the public sector, I can attest to the importance of having educated decision-makers at the table.  When issues around privacy and security need to be escalated, you want your sponsor and team to be knowledgeable and comfortable with the topic — and, ideally, the technology.

The BC Government appears to be making smart choices with this project; it will be interesting to hear how it progresses in the next few years.