Click here to Subscribe

BPL
LMDS
GPU
VoP
OLED
DSP
Opera Browser
The FCC
More...

View this feed in your browser

Other Services:


Search All Issues, Conference Reports and Tutorials

Web Services Summit

Fair Use or Copyright?

Deregulation Smoke and Mirrors

More...

 

Digital ID World Fall 2005
By John Latta, WAVE 0549 12/9/05

New York
November 9 - 10, 2005

DigitalID World is focused on the financial sector and thus a much smaller conference (200 vs. 800) than the broad event in the spring in San Francisco. The conference organizers have partnered with IDG to run future conferences but it did not happen in time for this event. The intent going forward is to have broad based conferences on each coast with the spring conference on the West coast and the fall conference on the East coast. This remains a unique conference focusing on the broad issues of how to add an identity layer to networking. As a result it covers a broad range of topics, mostly in the enterprise space.

 

Microsoft Discusses InfoCard

Building on the concepts articulated by Kim Cameron at Digital ID World in San Francisco, Mike Jones, Director of Connected Systems Evangelism, Microsoft, outlined InfoCard and Strong Authentication. Key points he made included:

The Internet is missing an identity layer and there are no easy solutions.

Digital Identity is about claims. These claims are represented by a drivers license, credit cards and even business cards. These claims are the basis on which all modern access technology is based.

We need a level of abstraction above identity to make it practical. Microsoft calls this the Identity Metasystem. The players in this Metasystem are Relying Parties, Identity Partners (in some cases the individual), and the Subjects who are the individuals.

The Metasystem Architecture uses a WS-Trust and WS-MetadataExchange layer between the subject and the ID Provider and Relying Party

A mockup demonstration was given using Flash technology to show how an individual is in control of the access to web sites where identity is to be passed. This allows both verification of the site authentication and the information to be passed to it.

It was stated that InfoCard is a simple user abstraction for digital identity and based on the metaphor of physical cards. This will be shipping with Windows Vista and available for Windows XP and Server 2003.

 

The complexities of Identity Management

Biometrics fits into Identity Management as one factor in multifactor authentication. This typically happens in the case of “strong authentication.” But Identity Management covers many areas of enterprise IT. Some discussed include:

Virtual Identity
Single Signon (SSO)
Simplified Sign-on
Roles Based Access (RBA)
Federated Security
Privacy and Regulatory Compliance
IT Security
Directory Services
Employee Provisioning and Exit
Internal IT Call Services
Authentication
Compliance certification

There is a large burden of regulatory privacy compliance in the US and Europe. Some of the US mandates include:

Foreign Corrupt Practices Act
Homeland Security Act
Patriot Act
Basel II
CoCo
Gramm-Leach-Bidley
Sarbanes-Oxley
HIPAA
California SB 1386
SEC 17A-4
OSHA Mandates

Thus, in the whole context of enterprise identity management issues, biometrics is but one small element. Further, identity management is increasingly becoming a major IT activity because the scope encompasses many high priority IT areas, as outlined above.

 

Panel on Strong Authentication

The panel on Strong Authentication was a mirror of the status of where biometrics fits.

The only panel participant that has implemented a biometric factor is United Bankers’s Bank. This company presented its case study at the Biometrics Summit in February 2005. Its fingerprint biometric technology goes to 2500 bank customers – mostly retail banks and not end-customers. In response to Questions, here are some issues they have found:

Fingerprints change with age.

Some individuals do not have fingerprints – especially those who have come in contact with chemicals, such as farmers.

Only one customer refused to participate in the required use of biometrics.

eTrade and eBay are planning to go to strong authentication but it was indicated that this would be optional. The intent is to offer this to high use customers. However, biometrics is not a part of this plan but an OTP which augments an existing password already in use by both merchants. This will use either RSA or VeriSign. The additional information for the OTP will be appended to a regular password. It will appear to come from eBay but actually one of the two companies will supply this. The branding of this solution was felt to be important to many companies.

In response to a question from the audience, it was indicated that biometrics just does not provide the necessary FAR and FRR performance. Further, it is expected that some individuals will not agree to use biometrics, as a result of the negative impression of fingerprints, for example. However, this was not confirmed with any data.

It was clear that the tokens are viewed as the best current technology solution, compared to biometrics, when it comes to strong authentication technology based on multi-factors.

 

Identity is a Struggle

There was not a single presentation on the second day, only panel discussions. But the discussions continued to reiterate the challenges which Identity Management is facing.

 

Panel Discussions – The Hard Road Ahead

Wachovia Bank participated in the first session in the form of an interview. Key points include:

Identity management cannot be justified based on ROI. The only compelling proposition related to Identity Management is password reset automation. Once this has been addressed, it is difficult to make a case for the broader functions of identity management.

Yet, the next major driver for identity management is regulatory compliance. This is not an ROI issue but a mandate and thus outside of the bounds of what must be justified with an ROI.

Security has been painted in many ways. It is the ugly bear of the banking/financial business. Most IT security issues are after the fact – security weights in when something has happened. At Wachovia Bank we have changed our focus. Instead of security, we consider issues based on risk. That is, how is risk managed? Risk assessment and management is at the manager level. That individual must sign off on risk and accept the management of risk. This has important organizational implications. When incidents happen, one does not just call in security but looks to the management of risk and what happened when risk mitigation did not work.

One of the problems of SOX compliance is that it results in large access lists – who accessed what applications when. The audit of these lists is a data mining problem. In the banking industry, auditors want to see these lists and know the bank is in compliance. One strategy in implementing an Identity Management architecture is to make the collection, analysis and mining of the access information an automated process.

At Wachovia we have seen the privacy and identity management related issues reach the CEO level. This is the kind of visibly that few CIOs want. The justification of funds to accomplish Identity Management becomes much easier but this also raises the expectations of management. Words we have heard include “…you have this money. I don’t want to hear about this again.”

Federation has the potential of being a major issue. So far our systems are within the firewall but we expect them to migrate to our business partners and it is here that federation is critical but we can also see this migrating to our customers.

The regulatory and legislative environment was discussed in another panel.

It was claimed that some 300 privacy and related bills have been proposed in the last few years. There was some skepticism about the ability of the Congress to pass useful legislation which addresses the issues. An example, of bad legislation is the CanSpam Act which is ineffective.

Part of the issue is that the industry has been lax in moving forward. eBay and Paypal are the subject of continual phishing attacks but have done nothing to halt them. It is considered a cost of doing business rather than a consumer protection issue. The compromises of consumer data at ChoicePoint and others have received considerable press and Congressional attention. It could well be that legislation similar to California SB 1386 will be passed on the national level but this does not address privacy management responsibilities, only notification.

The question was asked – Is the US a leader in privacy compromises and criminality? One response was that criminal activity here is 3 years ahead of England. [Hardly something to be proud of.]

In follow-up conversations, it is not clear that any legislation will emerge from Congress. There are too many powerful competing interests which are likely to dilute consumer supportive legislation.

 

FFIEC Authentication Guidelines

On October 12th, 2005, the Federal Financial Institutions Examination Council issued guidelines for Authentication in an Internet Banking Environment. This is significant because it requires two-factor authentication. At the DigitalID World panel there was not a clear assessment on what this means in terms of technology and implementation. This is an area which could foster the use of more secure authentication technology of which biometrics is one possible factor. Here is a summary of the decision:

The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.

 

 

Comments?
E-mail webmaster
Page updated 1/24/07
Copyright 4th Wave Inc, 2007