towards a new balance in identity management v1.0

7/29/2019 Towards a New Balance in Identity Management v1.0

1/8

TowardsaNewBalanceinIdentityManagement

by:

ElisabethdeLeeuwBusinessConsultant,OrdinaInfrastructureSolutionsNieuwegein,The

Netherlands

MaxSnijder

CEO,

European

Biometrics

Group

Naarden,

The

Netherlands

February2008

www.eubiometricsgroup.eu


2/8

TableofContents

1. Introduction................................................................................................................32. Trendsinnationalidentitymanagement...................................................................32.1. Introductionofbiometricsonnationalidentitydocuments .............................32.2. Qualityofidentitydata ......................................................................................3

2.3. Costs

of

identity

fraud........................................................................................43. Trendsincorporateidentitymanagement................................................................43.1. Theriseofvirtualidentities ...............................................................................43.2. Improvingcorporateidentityandaccessmanagement ....................................4

4. Genericimprovementstrategies ...............................................................................54.1. Biometricsandnationalidentitymanagementschemes ..................................54.2. Corporateidentitydataqualityandidentitylifecyclemanagement.................6

5. Conclusions.................................................................................................................7

Towards a new balance in Identity Management - De Leeuw/Snijder February 2008ALL RIGHTS RESERVED

2


3/8

1. IntroductionFrom

22nd

till

24th

of

May,

the

yearly

conference

on

information

security

of

the

InternationalFederationforInformationProcessing(IFIP),theSEC2006,tookplacein

Karlstad,Sweden.ThethemeofthisconferencewasSecurityandPrivacyinDynamic

Environments.AtthisconferenceanewworkinggrouponIdentityManagementwas

presented.Typicalforthenewworkinggroupistheinterdisciplinaryapproach.

Representativesofpublicandprivatepartiesareparticipatingaswellasscientistsand

membersofthesocalledprivacylobby.Theaimisinvestigateidentitymanagementinallits

aspects.

Onthisoccasion,wewouldliketodiscusscurrenttrendsinnationalandcorporateidentity

managementand

analyze

acouple

of

strategic

issues

in

this

field.

2. Trendsinnationalidentitymanagement2.1.Introductionofbiometricsonnationalidentitydocuments

Asanaftermathof911,thefieldofnationalidentitymanagementissubjecttorapidchange.

TheUnitedStatestookthedecisiontocompeltheapplicationofbiometricsonpassportsof

allcountriesparticipatingintheVisaWaiverProgram.Soon,theEuropeanCommunity

followedby

issuing

similar

requirements.

The

first

documents

containing

biometric

features

aretobeexpectedAugustthisyear.

Theimpactoftheapplicationofbiometricsisnotlimitedtonationalidentitydocumentsbut

istobeunderstoodinthebroadercontextofnationalidentitymanagementandofsociety.

Biometrics,subsequentlythecentralstorageofbiometricdata,willchangethelogicand

qualityofidentificationprocessesfundamentally,andsowillthecentralstorageofbiometric

data.Thiswillbeofimpactonsocietyasawhole,economicprocessinparticular.Anew

balanceoftrustcomesintoplace.Identificationprocessesaremorethoroughlywhichmakes

identityfraudmoredifficult.Atthesametime,citizensareaskedtoidentifythemselves

more

frequently

and

as

a

consequence,

the

need

for

identity

fraud

is

growing.

2.2.QualityofidentitydataArelativeweaknessisconstitutedbythenationalpopulationrecords.Thequalityofthese

recordsisunsatisfactoryandinsufficientlymonitored1,

2.Registereddataoftendonotmatch

withreality,estimatederrorratesvaryingfrom590%.

1 'GBA: werkelijke en administratieve werkelijkheid lopen uiteen', korte samenvatting van de toespraak van bijzonder hoogleraar ICT A.Zuurmond te Leiden, gehouden op het congres Burgerzaken, georganiseerd door de VNG en de Nederlandse Vereniging voor Burgerzaken(NVVB) op 22 en 23 april 2004 in Noordwijkerhout), in:Burgerzaken en Recht, 11 (2004)


3


4/8

Itisnotyetevidentwhethertheapplicationofbiometricsisfeasibleinthecontextof

nationalidentitymanagement.However,alackofreliabledataontheidentityofcitizenswill

renderany

other

improvement,

including

the

application

of

biometrics,

useless.

2.3.CostsofidentityfraudThecostsofidentityfraudaresignificanttobusinessingeneralandtofinancialservices

industryinparticular.Directcostsincludefraudlossesandthestaffingoffrauddepartments.

Indirectcostsareduetoadecliningconsumersconfidencein(online)commerceanda

growingnumberofcriminalinvestigations.

Theoccurrenceofidentityfraudandtheftwillprobablyriseduringthenextfewyears,asthe

needfor

identity

fraud

is

growing.

An

overview

of

total

costs

connected

to

identity

fraud

is

missinganddifficulttocreate.Thefollowingfigures,thoughnotmutuallyconsistent,are

illustrative.EstimationofcostsofidentitytheftintheUnitedstatedvaryfrom$680million3

to$50billionyearly.4CostsconnectedtolostorstolennationalidentitydocumentsinThe

Netherlandsareestimatedtobeashighas36.300Euro5,thus5.5billionyearly.

Whateverthetruthmaybe,thefiguresaboveshowclearlythatitisworthtoworryabout.

3. Trendsincorporateidentitymanagement3.1.Theriseofvirtualidentities

Duetothegrowthofebusiness,thenumberofdigitalidentitiesisgrowingfastandidentity

managementisofgrowingimportancetobusinessingeneral.Thedomainofebusinessis

impersonalandtransactionsontheinternetaretoahighdegreeintangible,creatingnew

opportunitiesforfraud,includingidentityfraud.

3.2.ImprovingcorporateidentityandaccessmanagementMany

organizations

want

to

save

on

ICT

costs

and

improve

their

business

processes.

Due

to

this,thenumberofdifferentsystemshasincreasedduringthelastyears.Themutual

connectionofthesesystemshasfrequentlyledtoanopaquejumble.Organisationshaveno

longeraclearviewofresponsibilitiesandauthorizations.Usingidentityandaccesssolutions,

manycompaniesareabletoimprovethissituationdrastically.Costsofidentitymanagement

2 Hollandse Helden Overheidsinnovatie volgens uitvoerders, Initiatiefgroep Belgendoenhetbeter.nl, Noor Huijboom, Jorrit de Jong, MarcoMeesters, J oeri van den Steenhoven, Arre Zuurmond3 Newsweek, J an. 25, 20064http://www.fightidentitytheft.com/5 Mensensmokkel in beeld 200 2001, Informatie- en Analysecentrum Mensensmokkel en Landelijk Parket, Rotterdam, najaar 2002


4
http://www.fightidentitytheft.com/http://www.fightidentitytheft.com/http://www.fightidentitytheft.com/http://www.fightidentitytheft.com/


5/8

andidentityfraudarereducedandaccesstosystemsandassetsiseffectivelyandreliably

managed,bringingtheorganizationbackincontrol.

Inmany

cases,

however,

organizations

rely

on

national

identity

documents

and

thus

depend

onthequalityofnationalidentitymanagement.But,aswesawbefore,theembraced

nationalidentitiesorelementsofidentitiesmayverywellbefictitious.Thefinancial

risksconnectedtotheexistenceofthesefictitiousidentities,however,areperceivedby

governmentsasmainlyexternal.Duetothis,publicauthoritiesdisplayalackofzestto

mitigatetheseriskseffectively.Instead,costsrelatedtofalseandforgedidentitiesare

passedontoprivateparties,wheretheyaredifficulttocontrol.

4. Genericimprovementstrategies4.1.Biometricsandnationalidentitymanagementschemes

Nowthatthesecurityofnationalidentitydocuments,e.g.passports,andinmanycasesalso

theapplication,productionandissuingprocesses,hasimproved,ashifthasoccurredfrom

documentfraudtolookalikefraud.Thatmeansthatthereisanincreaseofrisksconnected

tothepassportapplicationprocess,especiallyinthecaseofpeoplewholosttheirpassport,

andincaseofthemanualverificationprocessatbordercrossingpoints.

AccordingtotheEuropeandirectiveCOM(2004)116/2004/0039(CNS)biometricsneedto

bein

place,

primarily

in

order

to

verify

the

authenticity

of

the

passport

itself,

and

also

to

preventlookalikefraud,i.e.toverifytheauthenticityoftheidentityclaimmadebyshowing

thepassport.However,underthepressureofpoliticaldiscussions,theenvisageduseof

biometricstendstoshiftfromlocaluse(1:1verification)toseveralformsofcentraluse(1:n

identification,i.e.lookinguppeopleincentralidentitydatabasesusingbiometricfeatures).

AlthoughthereisnotyetacommonagreementwithinandbetweenEuropeanmember

statesonwhatthefutureuseofthebiometricswillbe,severallargeprocurementsfor

nationalidmanagementschemeshavebeendonealreadyorareintheprocessofbeing

tendered.NosingleandstrongEuropeancoordinatedapproachseemstobeinplaceyet,to

bringtogetheruserrequirementsconcerningbiometrics,legalimplicationsof and

constraints

to

the

application

of

biometrics,

and

independent

testing

capabilities

to

verify

conformityofthosesystemstostandardsandsecurityrequirements.

Inthegeneraldiscussionbetweenpolicymakersabouttheapplicationofbiometricsthereis

anemphasisonthesecuritythatbiometricscanprovideisstressed.Althoughthereisno

firmevidence,basedonexperience,ourimpressionisthatcurrentlythefocusofthe

discussionismovingfromsecuritytowardsconvenienceandefficiency.Intheend,efficiency

andconveniencecanhaveanimportant,ifnotcrucial,impactonthesecurityofbiometric

processes.Majoradvantagescanbeachievedbyimprovingrequirementsforbiometrics

enabledapplications.


5


6/8

Thecoreofbiometricmatchingalgorithmsisbaseduponstatisticalanalysis.Theoutcomeof

thematchingprocessasawhole,however,istheresultofmanynonmathematical,some

timeseven

unpredictable,

conditions,

for

example

the

physical

environment,

the

human

interactionwiththebiometricsensorsandthequalityoftheoperatorsofthebiometric

equipment.Improvedconvenienceandefficiencycanhaveapositiveimpactonthe

reliabilityofbiometrics.

Biometricscanbearelativelyweakauthenticationinstrument:theoutcomeisneveran

absoluterightorwrongbutratheraprobability,expressedinapercentage.If,asinthecase

ofbordercrossing,thevalueoftransactionsishigh,itisrecommendedtocombine

biometricswithoneormoreauthenticationinstrumentslikeforexamplephysicallysecured

identitydocumentsorsmartcards.Withrespecttobordercrossing,thispleadsforcautious

applicationof

conventional

authentication

procedures

and

against

the

use

of

biometric

databasesforidentificationpurposes.Wemustnotbetemptedtodrawconclusionsonthe

identityofpeoplebasedsolelyonvagueormutilatedfingerprints,smilesorgrins.

Asdiscussedearlier,specialattentionneedstobepaidtotheinitialregistrationprocess,

wherethequalityoftheidentitydataisbeingdetermined.Atthesametimearealistic

discussionshouldleadtoabetterunderstandingoftheactualaddedvalueofbiometrics,

leavingbehindthephaseofwishfulthinkingandunrealisticclaims.

Ifputintherightcontextandsurroundedbytheproperprocedures,humanguidanceand

supervision,biometrics

will

offer

an

unparalleled

ability

in

connecting

the

physical

identity

of

apersontotheidentityasclaimedbythatsamepersonbyshowinganidentitydocument.In

casebiometricsareusedforidentificationpurposes,thegreatadvantageisthespeedand

accuracywithwhichlargedatabasescanbesearched;millionsofrecordscanbesearched

justinseconds,thusidentifyingindividualswithareasonablechanceofsuccess,alsoincase

otherpersonalinformationisnotavailable,incompleteorincorrect.

4.2.CorporateidentitydataqualityandidentitylifecyclemanagementAssaidbefore,manycompaniesareabletoimprovetheiridentitymanagementprocesses

byapplyingidentityandaccesssolutions.Thequalityofdata,however,isstillapointof

concern.In

most

instances,

national

identity

data

lay

at

the

basis

of

corporate

identity

data.

Thesedata,asshownbefore,areofquestionablequality.Andwithoutfurthermeasuresitis

impossibletokeepthesedata,onceacquired,uptodateandclean.Sowhatwearelooking

forisamethodforcontinuousqualitymanagementofidentitydata.Thewholelifecycleof

dynamicidentitiesistobemanagedratherthanthemanagementofstaticidentitiesas

establishedbynationalgovernments.

Identitylifecyclemanagementincludesthefollowingsteps:


6


7/8

1. Riskanalysis:inordertodeterminethedependenceonidentity(related)dataandthethreatstowhichthesedataareexposed;asapartofthis,attackscenariosaretobe

describedoneachcomponentofidentitymanagement,bothprocessesanddata6;

2. Establishmentofanidentitymatrix:tobeestablishedinaccordancewiththeriskprofile,theauthenticationmatrixconstitutesacriticalsubsetoftheidentitymatrix;

3. Importingidentitydata:thesourceofdataandselectioncriteriaaretobedetermined,eithersingleormultiplepublicorprivatedatabasesmaybeused;

4. Filteringandcleansingoftheacquiredidentityinformation,whichmaybedonebyapplyingidentityresolutiontools;

5. Monitoringofidentitymanagementapplicationsanddata;6. Reportingandauditingoftheidentitylifecyclemanagementandactupontheresults.Schematic:

5. ConclusionsCurrenttrendsinnationalidentitymanagement,amongwhichtheapplicationofbiometrics

innationalidentitymanagementisthemostconspicious,haveanundeniableimpacton

corporateidentitymanagement.Theriseofvirtualidentitiesposesaparticularchallengeto

identitymanagementingeneral.Anewbalanceoftrustinidentitiesistobefound.

6 Elisabeth de Leeuw, Master thesis Risks and threats attachted to the application of biometrics in national identity management, TIASBusiness School, Eindhoven, at: https://secure.gvib.nl/afy_info_ID_1322.htm, [Thesis MSIT.zip.


7
https://secure.gvib.nl/afy_info_ID_1322.htmhttps://secure.gvib.nl/afy_info_ID_1322.htm


8/8


8

Thequalityofidentitydataareacauseofcontinuousandseriousconcern.Thecostsin

connectiontoidentityfraudarehighandjustifyabusinesscaseforimprovement.

Inorder

to

actually

bring

about

improvements,

an

integrated

appoach

is

needed.

Biometricscanofferanunparalledpossibilitiestoconnectthephysicalidentityofaperson

totheidentityasclaimedbythatsamepersonbyshowinganidentitydocument.However,a

balanced applicationaswellasaseriousconcernforthequalityofidentitydataare

preconditionsforsuccess.

Theapplicationofidentitylifecyclemanagementcanhelptoachievethishighqualityof

identitydata,inbothnationalandcorporateidentitymanagement.

towards a new balance in identity management v1.0

Documents