Four industry leaders breakdown the importance of online credentials
There have been many discussions about digital identities and online credentials in 2011. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is picking up steam and organizations are seeking to further secure IT networks as threats from hacking increase.
But questions and uncertainty abound. What are digital identities and how do they work? Will one credential work with another? How will they impact privacy and help address regulatory compliance?
In light of these and other pressing questions, Re:ID editors asked some of the leaders in the space to share their thoughts and vision for online ID.
Participating in the roundtable are: Jeremy Grant, senior executive adviser and manager of the National Program Office for NSTIC; Mollie Shields-Uehling, president and CEO at SAFE-BioPharma; Judith Spencer, former co-chair of the Federal Identity, Credential, and Access Management Subcommittee at the U.S. General Services Administration and now CertiPath’s policy management authority chair; and Scott Rea, board member and director of operating authority at the Research and Education Bridge Certification Authority (REBCA).
How will these identities play together? How will they interoperate?
Jeremy Grant, NSTIC
Digital Identities will not have to interact. They need to interoperate with the services we wish to interact with online but in no way does the identity ecosystem determine where identities play together. Moreover, the adoption of the identity ecosystem trustmark will help preserve the anonymity created by widely accepted credentials while simultaneously providing increased piece of mind. The result is an environment where people can safely pick and choose with whom they both work and play.
Through the use of interoperable technology and policy, individual users will be able to transport their identities across service providers, communities and entities due to a common conformance to the identity ecosystem framework. Additionally members of the ecosystem will be able to identify those who maintain the established policy and security standards through the use of a trustmark. This will be a visual or digital device used to validate membership in and accreditation by the identity ecosystem.
Judith Spencer, CertiPath
The secret to interoperable identity credentials is a mutually understood trust framework within which the credentials are issued and managed. Such a trust framework constitutes a federation comprised of organizations that will perform identity verification, identity credential issuers and authoritative sources of claims associated with the identity.
The trust framework will have an established set of criteria for the issuance and maintenance of credentials by its member organizations and a neutral third-party Federation Operator will ensure that the member organizations adhere to these criteria.
Relying parties will make the determination concerning whether a particular trust framework provides the level of identity assurance required. Tools are available that can process multiple identity credential protocols and provide a standard output to specific back-end applications.
It is important to also keep in mind that relying parties will exist at both ends of the transaction. Just as a Web site/application wants to know the identity of the individual requesting access, the individual needs assurance that he/she has accessed the intended Web site/application. Therefore, it is entirely likely that individuals will utilize the trust framework as much as the Web site/application does.
Mollie Shields-Uehling, SAFE-BioPharma
As the only trust hub serving the specific needs of the life sciences, the SAFE-BioPharma standard provides a unique and important bridge to other life science companies, U.S. federal agencies and to other industries.
A few years ago we cross-certified with the Federal Bridge. As a result, participating U.S. government agencies trust the identities asserted by SAFE-BioPharma. Any other trust hubs that have cross-certified either with the Federal Bridge also accept them.
An example of the ease of that interoperability is the ongoing study between the National Cancer Institute and biopharmaceutical companies that are part of the SAFE-BioPharma community. The study examines use of interoperable digital identities and cloud-based digital documents to eliminate reliance on paper forms in clinical trials.
NCI researchers use their federally-issued digital identity credentials from the Federal Bridge Certification Authority. Bristol-Myers Squibb and sanofi-aventis researchers use their SAFE-BioPharma compliant digital identity credentials.
Clinical trial start-up documents were placed in the cloud where the researchers, using their interoperable digital identity credentials can access them, apply digital signatures to them and return them to the cloud for additional action. The study has successfully demonstrated the ease of the process. It eliminated paper, reduced costs, saved time and eliminated document loss. From our perspective, it is an important first step in transforming the global clinical trial process from paper to being fully electronic.
Scott Rea, REBCA
A credential issued by a research institution in accordance with the controls and standards published by the Research and Education Bridge Certification Authority (REBCA), can be utilized or relied upon at a known level of assurance by any other research institution or business partner that subscribes to the same or similar standards.
REBCA polices have also been mapped to those produced by another trust hub – the Federal Bridge Certification Authority (FBCA), meaning institutions subscribing to REBCA can issue credentials that are not only trusted within the research community, but also by government agencies and all their other subscribing partners, at established levels of assurance.