In his latest post, Security Consultant Stephen Williams discusses how the introduction of a 'Bring Your Own Identity' (BYOI) programme has the potential to deliver significant business value for organisations.
Bring your own identity?
Introduction of a 'Bring Your Own Device' (BYOD) programme has the potential to allow organisations to reduce both their capital expenditure and their operational expenditure on device maintenance, whilst at the same time increasing employee satisfaction. In light of the current economic environment and the renewed focus on achieving ROI and real business value from the IT services an organisation provides, it is wise to consider which other areas of an organisation's IT service the Bring-Your-Own strategy can also be applied to. One such area involves the exchange of mobile and trusted identities within an Identity Assurance framework, which together can support the realisation of a 'Bring Your Own Identity' (BYOI) approach.
A Federation as a Trusted Community
In my earlier post "Classifying and choosing a Federated Identity Management approach" I asserted the belief that "federations within business have existed for a long time, and that these relationships have only recently been transferred to the IT systems that support them". These federations or 'trust communities' can be aligned horizontally or vertically to a common interest. For instance, a horizontal trust community could encompass a Customer Relationship Management (CRM) Software-as-a-Service (SaaS) offering and its customers sourced from different industries. A 'vertical' trust community could encompass all UK based financial organisations and the Financial Services Authority, which provides governance over these parties.
Understanding the current issues
Whilst these trust communities can allow organisations to realise significant business value around a specific purpose, they can also begin to introduce identities that are only valid in a particular silo if the user in question is a member of more than one trust community. By uniting trust communities at common touch points, users would be able to reuse their existing identities for completely disparate services, and organisations would be able to take part in a wider BYOI policy which would drive down organisation-wide identity management and self-service costs.
To illustrate the restrictions of siloed trust communities, consider an identity that we are commonly required to hold and use on a regular basis. A national ID card or passport, issued by the government of the country in which you reside, can be accepted across the world as a form of identity for all the members of that specific trust community; i.e. the countries which have a trust relationship with your country of residence. It is not, however, possible to use a passport within separate trust communities, such as those which collectively form your local public transit system, or perhaps the trust community that includes your employer. Whilst it would support significantly more agile business models, as well as lower-cost and more adaptive access management services, efforts towards allowing a person to log on to their employer's intranet - for example by using their Google account as a first authentication factor - are currently quite immature.
If united trust communities are capable of delivering great benefits to users and organisations, why hasn’t this been accomplished yet, and what are the major hurdles? Who will provide high assurance identities, and how do we assess and audit such providers?
The major barriers here are formally establishing and recognising the relevant parties, and the support for relationships between trust communities. Today, if I were to present my driver's license to my employer as a form of identity when accessing a company building or its systems, how could they definitively know what identity evidence I had provided to gain it in the first place, whether that identity is still valid, and whether it is even legitimate?
Working towards a standards-based solution
Organisations such as the Kantara Initiative are working towards the formalisation and creation of Identity Assurance frameworks, which seek to answer these questions. These frameworks themselves rely on the formal definition of the parties involved in a trust community, their roles and, principally, how they describe a recognised authenticated identity. This groundwork was completed by the United States in 2003 as part of its National Strategy for Trusted Identities in Cyberspace (NSTIC), specifically in its memorandum M-04-04, which was later formalised in 2006 by the National Institute of Standards and Technology (NIST) in its Special Publication 800-63.
While these recommendations were specifically created in the United States, they are broadly applicable to any community that requires the assertion of an authenticated identity. In its paper NIST defines four Levels of Assurance (LoA), which range from level 1 for weakly assured identities to level 4 for identities of the absolute highest assurance. Each level has its own associated requirements for registration, proofing and authentication. For example, an identity at LoA 4 cannot be registered online; registration must instead be done in person using a government issued photo ID, a second form of photo ID, a biometric scan and confirmation of the person's registered address.
Returning to Identity Assurance Frameworks, these have now built upon the work initiated by NIST and have defined:
- What services a credential provider must deliver
- What services a credential verifier must deliver
- How an organisation can be assessed and registered as such a party, and
- How these parties are independently audited
The registration process for providers, assessors and auditors has been open since 2011, and a number of large service providers and auditor organisations have now gained certification of their role within this framework, with several others in the submission and approval stages.
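The two ideas above, NIST's graded Levels of Assurance and a framework in which providers are assessed and audited for the levels they may assert, come together at the relying party, which has to decide whether a presented identity is good enough for a given resource. The following is an added illustration of that decision, not code from this post, from Kantara or from NIST. It assumes a hypothetical trust-community registry listing each certified provider and the highest LoA its audit covers, assertions that carry the asserted level in an OpenID Connect style `acr` claim, and a per-resource policy stating the LoA required; the registry entries, assertions and resource paths are constructed sample data, and signature verification of the assertion is assumed to have happened before the check.

```python
"""Relying-party Level of Assurance (LoA) check against a trust registry.

Added illustration, not code from the original post, Kantara or NIST.
Assumptions (hypothetical): certified providers are listed in a registry
with the highest LoA their audit covers; assertions carry the asserted
level in an OpenID Connect style 'acr' claim; each resource declares the
LoA it requires.  All data below is constructed sample data.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional, Tuple


class LoA(IntEnum):
    """NIST SP 800-63 style assurance levels, 1 (weakest) to 4 (highest)."""
    LEVEL_1 = 1
    LEVEL_2 = 2
    LEVEL_3 = 3
    LEVEL_4 = 4


@dataclass(frozen=True)
class CertifiedProvider:
    issuer: str          # identifier the provider places in its assertions
    certified_loa: LoA   # highest level the framework auditor certified
    audit_valid: bool    # False once the provider's audit has lapsed


# Constructed registry for a hypothetical trust community.
TRUST_REGISTRY: Dict[str, CertifiedProvider] = {
    "https://idp.example-social.test": CertifiedProvider(
        "https://idp.example-social.test", LoA.LEVEL_1, True),
    "https://idp.example-bank.test": CertifiedProvider(
        "https://idp.example-bank.test", LoA.LEVEL_3, True),
    "https://idp.example-lapsed.test": CertifiedProvider(
        "https://idp.example-lapsed.test", LoA.LEVEL_4, False),
}

# Constructed per-resource policy: the LoA each resource needs.
RESOURCE_POLICY: Dict[str, LoA] = {
    "/intranet/news": LoA.LEVEL_1,
    "/intranet/payroll": LoA.LEVEL_3,
    "/intranet/hr-records": LoA.LEVEL_4,
}


def effective_loa(assertion: dict,
                  registry: Dict[str, CertifiedProvider] = TRUST_REGISTRY
                  ) -> Optional[LoA]:
    """Return the LoA the relying party may actually rely on, or None.

    The asserted 'acr' is never taken at face value: it is capped at the
    level the provider is certified for, and an unknown or lapsed provider
    yields no assurance at all.
    """
    provider = registry.get(assertion.get("iss"))
    if provider is None or not provider.audit_valid:
        return None
    try:
        asserted = LoA(int(assertion.get("acr", 0)))
    except ValueError:
        # Missing, non-numeric or out-of-range level: treat as unassured.
        return None
    return min(asserted, provider.certified_loa)


def access_decision(assertion: dict, resource: str,
                    registry: Dict[str, CertifiedProvider] = TRUST_REGISTRY,
                    policy: Dict[str, LoA] = RESOURCE_POLICY
                    ) -> Tuple[bool, str]:
    """Grant access only if the effective LoA meets the resource's need."""
    required = policy.get(resource)
    if required is None:
        return False, "unknown resource"
    loa = effective_loa(assertion, registry)
    if loa is None:
        return False, "issuer not certified in this trust community"
    if loa < required:
        return False, "effective LoA %d below required LoA %d" % (loa, required)
    return True, "effective LoA %d satisfies LoA %d" % (loa, required)


if __name__ == "__main__":
    # Constructed assertions: one honest, one over-claiming its level.
    samples = [
        ({"iss": "https://idp.example-social.test", "sub": "alice", "acr": "1"},
         "/intranet/news"),
        ({"iss": "https://idp.example-social.test", "sub": "alice", "acr": "3"},
         "/intranet/payroll"),
        ({"iss": "https://idp.example-bank.test", "sub": "alice", "acr": "3"},
         "/intranet/payroll"),
        ({"iss": "https://idp.example-lapsed.test", "sub": "alice", "acr": "4"},
         "/intranet/hr-records"),
    ]
    for claims, path in samples:
        print(claims["iss"], path, access_decision(claims, path))
```

The point of capping at the certified level rather than trusting the `acr` claim is that the framework's assessment and audit, not the provider's own statement, is what tells the relying party what evidence was collected at registration; a provider whose audit has lapsed drops out of the community entirely until it is re-certified.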
In the SaaS marketplace organisations such as Google, Facebook, LinkedIn and Twitter have in the last few years deployed Identity Provider services to facilitate the services that they deliver, with other organisations in vertical trust communities - such as pharmaceuticals and finance - now following suit. In the coming 12-24 months we will see more commercial Identity Assurance providers in other trust communities coming online, with greater adherence to the Identity Assurance Framework model and greater interoperation between these parties.
By creating an open, trusted and recognisable marketplace where service providers can seek Identity Assurance Providers for their trust community, and vice versa, users will ultimately benefit from mobile identities and greater BYOI support, with organisations gaining more adaptive services combined with reduced capital and operational costs.