Defining digital identities: part five of five
Four industry leaders break down the importance of online credentials
23 December, 2011
There have been many discussions about digital identities and online credentials in 2011. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is picking up steam and organizations are seeking to further secure IT networks as threats from hacking increase.
But questions and uncertainty abound. What are digital identities and how do they work? Will one credential work with another? How will they impact privacy and help address regulatory compliance?
In light of these and other pressing questions, Re:ID editors asked some of the leaders in the space to share their thoughts and vision for online ID.
Participating in the roundtable are: Jeremy Grant, senior executive adviser and manager of the National Program Office for NSTIC; Mollie Shields-Uehling, president and CEO at SAFE-BioPharma; Judith Spencer, former co-chair of the Federal Identity, Credential, and Access Management Subcommittee at the U.S. General Services Administration and now CertiPath’s policy management authority chair; and Scott Rea, board member and director of operating authority at the Research and Education Bridge Certification Authority (REBCA).
Explain the role of standards in achieving privacy, security, and interoperability.
Jeremy Grant, NSTIC
Instituting open and accepted standards is essential to establishing trust within the identity ecosystem. However, standards by themselves do not increase or impair security or privacy. In order to achieve privacy, security, and interoperability it will be necessary to also create an enforcement mechanism which assures that solutions in the ecosystem support the framework.
Scott Rea, REBCA
Without standards, any disparate heterogeneous distributed community will have difficulty achieving privacy, security and/or interoperability. When multiple parties are involved, without bilateral agreements between each and every one, it may be impossible to guarantee any sort of privacy or security required of trust infrastructures. Such bilateral agreements are extremely inefficient as is any system involving more than just a few participants.
Setting standards for a varied trust community and auditing against those standards is the most efficient way to ensure there is consistent application of controls and interoperability amongst the participants.
Mollie Shields-Uehling, SAFE-BioPharma
Standards are the policies and rules whose alignment allows for order in achieving privacy, security and interoperability. Their use is essential to achieve interoperability at the technical and policy levels. SAFE-BioPharma is a standard and our policies are aligned with those of other trust hubs, including those employed by each of the other Four Bridges Forum participants.
Judith Spencer, CertiPath
Interoperability of digital identities requires conformity with standards across three axes: technology, process and policy/governance.
Technology standards drive uniformity in the implementation of specific technical solutions and with increased uniformity comes increased interoperability among products from different providers. Process standards ensure uniformity in the way digital identities are deployed and managed, which enhances trust. Finally, policy and governance standards provide the overarching framework that addresses the privacy and security aspects of digital identities.
Do you envision a global proliferation of identity trust hubs?
Jeremy Grant, NSTIC
I envision that the market will determine this. From a private sector perspective, I think the roles within the identity ecosystem offer many sectors a chance to participate in a meaningful way. We are already seeing organizations with large user populations form frameworks to support interoperable federated digital identities. Service providers, such as firms in health care, e-commerce and finance certainly can reap benefits from participating in a trust framework, rather than issuing identities of their own.
Judith Spencer, CertiPath
Identity Trust Hubs or Trust Frameworks already exist globally in the physical world and their influence will continue to grow in the virtual world. In many countries, they will be government sponsored, while in others they will be the product of government and industry partnerships. Over time, they will become the dominant trust mechanism for identity credentials in cyberspace. Just like the World Wide Web itself, there will be trust nodes that interconnect and broker trust across national boundaries, between industry sectors, and ultimately down to the individual computer user.
Mollie Shields-Uehling, SAFE-BioPharma
Yes, most regulated industries and those exchanging secure and confidential information within their own industries and across industry and government borders will operate within an identity framework infrastructure. This enables them to take full benefit from the efficiencies of electronic communications in cyberspace. An ecosystem of identity trust hubs already is forming–i.e. the Four Bridges Forum–and is being actively advanced by the National Strategy for Trusted Identities in Cyberspace.
Scott Rea, REBCA
I would not necessarily categorize the expected expansion of identity trust hubs as a proliferation, but I do believe there will be some natural outgrowth of these types of services in those communities that demand it. Financial services, health services and utility services are likely sectors and in fact some developments are already underway in these communities. It will be critical for any decent-sized heterogeneous distributed community with any sort of trust infrastructure requirement to establish standards and policies related to trust tokens.
How do interoperable digital identities play a role in your area of responsibility?
Jeremy Grant, NSTIC
One of the most important responsibilities of my current position is the establishment of a National Program Office tasked with implementing the NSTIC. Our primary mission is to convene private sector representatives, consumer and privacy advocacy groups, individuals, and the government in an effort to implement the strategy. We are, in effect, a facilitator for the establishment of the identity ecosystem. That ecosystem will be built upon the four NSTIC guiding principles: that identity solutions will be privacy-enhancing and voluntary; cost-effective and easy to use; secure and resilient; and interoperable.
Judith Spencer, CertiPath
As a federation operator, CertiPath is the broker of trust that makes interoperable digital identities a reality within the aerospace-defense community as well as between aerospace-defense and various national governments.
In addition, CertiPath works with organizations in establishing trusted physical access control systems that accept digital identity credentials from multiple sources and make access control decisions based on the relationship with the trust framework.
Mollie Shields-Uehling, SAFE-BioPharma
SAFE-BioPharma is the global standard for digital trust in the life sciences and its credentials are used to authenticate the identities of persons accessing applications and VPNs and to apply digital signatures to virtually every electronic document used from the discovery through all phases of clinical development and manufacturing. They are used by researchers to sign electronic laboratory notebooks documenting research activities. They are also used to sign electronic submissions made through the FDA’s eSubmissions Gateway and to EMA.
Scott Rea, REBCA
Securing information can be a challenging mandate. Ensuring that only the correct individuals or processes can access and utilize specific data requires strong controls to be applied consistently through the entire ecosystem.
Interoperable digital identities facilitate access and protection of data at appropriate levels of assurance for the type of transaction being undertaken. Many universities and centers collaborate on research projects and the data associated with this research can be more easily managed and protected–typically at lower costs–when interoperable digital identities are utilized.