Kantara Accreditation: Need for chain of trust grows as ID providers proliferate
12 November, 2012
category: Corporate, Digital ID, Government, Library
Authenticating users on a secure network is absolutely vital to maintaining the integrity of the system, and today organizations have many options for identity and credential providers.
But how can an organization trust these providers? An independent auditor can provide a stamp of approval, but who accredits the auditors?
In the case of credentials, that accreditation comes from the Kantara Initiative. Kantara’s Identity Assurance Accreditation and Approval Program aims to grow identity credential services based on the four levels of assurance that are measured and validated in the U.S. Federal Identity Credential and Access Management (ICAM) trust framework.
It’s the only government-approved accreditation provider of its kind that accredits assessors and gives service approvals at levels of assurance 1, 2 and 3 (non-crypto) for the ICAM trust framework. Assessors are not the organizations providing or issuing credentials, explains Joni Brennan, executive director of the Kantara Initiative; rather, they are third-party organizations that verify the processes employed by the credential issuers against a set of criteria.
Brennan says the reason companies and agencies don’t audit themselves is that a third party forces separation and impartiality. Other models, such as universities, may be able to audit their own credentials because they are large enough and have enough legal separation within the organization to enable neutrality. But this is not the case for most organizations.
Firms that seek Kantara Accreditation are typically auditing firms. “[They can be] small scale to large scale,” says Brennan. Kantara-accredited Assessors include large global firms like Deloitte & Touche and Europoint, as well as smaller organizations like Electrosoft, which has 20 employees, and eValid8, with just a single employee.
Kantara’s Assessors Qualifications & Requirements (AQR) document stipulates the criteria and qualifications an assessor’s organization must have to take part in the Kantara environment, says Brennan.
The organization looks at a company’s ability to meet requirements covering its industry practices, its insurance, its ability to remain impartial and its privacy policy. Kantara examines these aspects and how the business operates. “Can those processes be translated into an audit environment?” asks Brennan.
The Accreditation process requires the applicant to provide documents and assessments, but it also includes a “prequalifying area” that recognizes prior certifications and counts them toward a Kantara Accreditation. “As long as they can prove that a recognized third-party certification is valid and in good standing, Auditors can get prequalifying credits,” says Brennan. “We don’t make them prove x, y, and z all over again.”
Applicants then use the Assessors Qualifications & Requirements to determine what evidence they need to present to Kantara. The company then provides evidence for the claims made in the application. “It’s almost like performing an audit on an auditor. Here are the answers to the questions, and here is the proof,” says Brennan.
It typically takes two to three weeks to put together the application. Brennan says smaller organizations may provide the proof more easily, but a large company like Deloitte & Touche may have more regulations around what it can share.
Due to these sharing restrictions, Kantara may make an on-site visit to review what it needs to evaluate the applicant, while at the same time not compromising the applicant’s security.
Next, Kantara’s Assurance Review Board (ARB) evaluates the application and evidence, a process Brennan says takes three to four weeks. Brennan says the board review has three possible outcomes. It may recommend that the board of trustees grant the Accredited Assessor Trustmark. It may recommend Accreditation on a conditional basis, giving the applicant six months to come back with the additional information required; the conditional Trustmark is then either confirmed or revoked. Or it may deny the application, most often due to insufficient evidence.
The cost of becoming a certified assessor is based on the size, scale and resources of the organization. A company with one to 100 employees pays $5,000 for its initial application. An organization with 101 to 1,000 employees pays $11,000; a firm with 1,001 to 25,000 employees pays $17,000; and companies with more than 25,000 employees pay $25,000.
These fees cover the application and first year of Accreditation, says Brennan. Companies must renew their certification annually. Year two and each subsequent year costs $1,000 less than the initial fee.
In the annual renewal process, Kantara conducts a conformity review to make sure that nothing has changed from the previous year, says Brennan. Every three years organizations must again go through the full review process.
One assessor’s journey
Electrosoft is among the most recent organizations to earn assessor certification. The process began at the end of 2011, when company officials decided to make the investment into the certification process, says Scott Shorter, principal security engineer at Electrosoft. The application was submitted early in January 2012.
Shorter says the company had to provide a good amount of information and cite corporate policies with regard to corporate management, ethics, recruitment and contract administration. “It was almost entirely stuff from our internal policies, although we did have to develop a couple of policies for the application,” says Shorter.
Once the Assurance Review Board looked at Electrosoft’s application, they had some follow-up discussions about methodologies and PKI compliance audits, which, Shorter says, was part of the reason the company applied for the certification status.
One round of questioning happened in early February, and Electrosoft had one week to respond to the committee’s questions.
In early March, Kantara had another round of questions and spent a week onsite at Electrosoft offices. Shorter says that even with the follow-up questioning, the process was “not terribly active.”
In early April, Electrosoft received word that it had been certified.
Shorter says that possessing the Accreditation enables Electrosoft to participate in business opportunities that Kantara accredits. “We’ve been in the business of ID assurance for some time,” he says. “We are seeing more involvement with the trust framework that supports FICAM in federal government.”
Kantara Initiative in brief
Founded in 2009, the Kantara Initiative is an independent, non-profit organization that is a program of the IEEE’s Industry Standards and Technology Organization. It was formed out of the Liberty Alliance, a standards organization that worked to provide a holistic approach to identity and identity management on the Web.
Building off the principles of its name, which means “bridge” in Swahili, the community collaborates on interoperability issues that exist between enterprise identity systems, Web 2.0 applications and other Web-based initiatives.
Kantara is working to speed up adoption of digital identity solutions by relying parties. The initiative does this by building trust frameworks and promoting interoperability and assurance through compliance and certification.
Its membership includes government agencies, credential services, audit and testing firms, private sector companies in health care, telecom, entertainment and finance, research and educational institutions, technical and user community organizations and individual contributors.
- Number of members: 79
- Number of Work & Discussion Groups: 12, covering policy, jurisdiction and user-focused issues
- Governance: Volunteer Leadership Council composed of the Chairs of the Working Groups
- Membership levels: Member and Trustee have voting privileges; Subscribers do not