7/29/2019 Towards a New Balance in Identity Management v1.0
Towards a New Balance in Identity Management

by:
Elisabeth de Leeuw, Business Consultant, Ordina Infrastructure Solutions, Nieuwegein, The Netherlands
Max Snijder, CEO, European Biometrics Group, Naarden, The Netherlands

February 2008
www.eubiometricsgroup.eu

Table of Contents

1. Introduction
2. Trends in national identity management
   2.1. Introduction of biometrics on national identity documents
   2.2. Quality of identity data
   2.3. Costs of identity fraud
3. Trends in corporate identity management
   3.1. The rise of virtual identities
   3.2. Improving corporate identity and access management
4. Generic improvement strategies
   4.1. Biometrics and national identity management schemes
   4.2. Corporate identity data quality and identity lifecycle management
5. Conclusions

Towards a new balance in Identity Management - De Leeuw/Snijder February 2008 ALL RIGHTS RESERVED

1. Introduction

From the 22nd to the 24th of May, the yearly conference on information security of the International Federation for Information Processing (IFIP), the SEC 2006, took place in Karlstad, Sweden. The theme of this conference was Security and Privacy in Dynamic Environments. At this conference a new working group on Identity Management was presented. Typical of the new working group is its interdisciplinary approach. Representatives of public and private parties are participating, as well as scientists and members of the so-called privacy lobby. The aim is to investigate identity management in all its aspects.

On this occasion, we would like to discuss current trends in national and corporate identity management and analyze a couple of strategic issues in this field.

2. Trends in national identity management

2.1. Introduction of biometrics on national identity documents

In the aftermath of 9/11, the field of national identity management is subject to rapid change. The United States took the decision to compel the application of biometrics on passports of all countries participating in the Visa Waiver Program. Soon, the European Community followed by issuing similar requirements. The first documents containing biometric features are to be expected in August this year.

The impact of the application of biometrics is not limited to national identity documents but is to be understood in the broader context of national identity management and of society. Biometrics, and subsequently the central storage of biometric data, will fundamentally change the logic and quality of identification processes. This will have an impact on society as a whole, and on economic processes in particular. A new balance of trust comes into place. Identification processes are more thorough, which makes identity fraud more difficult. At the same time, citizens are asked to identify themselves more frequently and, as a consequence, the need for identity fraud is growing.

2.2. Quality of identity data

A relative weakness is constituted by the national population records. The quality of these records is unsatisfactory and insufficiently monitored [1], [2]. Registered data often do not match reality, with estimated error rates varying from 5 to 90%.

[1] 'GBA: werkelijke en administratieve werkelijkheid lopen uiteen', short summary of the speech by A. Zuurmond, professor of ICT by special appointment at Leiden, given at the Burgerzaken congress organized by the VNG and the Nederlandse Vereniging voor Burgerzaken (NVVB) on 22 and 23 April 2004 in Noordwijkerhout, in: Burgerzaken en Recht, 11 (2004)

It is not yet evident whether the application of biometrics is feasible in the context of national identity management. However, a lack of reliable data on the identity of citizens will render any other improvement, including the application of biometrics, useless.

2.3. Costs of identity fraud

The costs of identity fraud are significant to business in general and to the financial services industry in particular. Direct costs include fraud losses and the staffing of fraud departments. Indirect costs are due to declining consumer confidence in (online) commerce and a growing number of criminal investigations.

The occurrence of identity fraud and theft will probably rise during the next few years, as the need for identity fraud is growing. An overview of total costs connected to identity fraud is missing and difficult to create. The following figures, though not mutually consistent, are illustrative. Estimates of the costs of identity theft in the United States vary from $680 million [3] to $50 billion yearly [4]. Costs connected to lost or stolen national identity documents in The Netherlands are estimated to be as high as 36.300 Euro [5], thus 5.5 billion yearly.

Whatever the truth may be, the figures above clearly show that this is worth worrying about.

3. Trends in corporate identity management

3.1. The rise of virtual identities

Due to the growth of e-business, the number of digital identities is growing fast and identity management is of growing importance to business in general. The domain of e-business is impersonal and transactions on the internet are to a high degree intangible, creating new opportunities for fraud, including identity fraud.

3.2. Improving corporate identity and access management

Many organizations want to save on ICT costs and improve their business processes. Due to this, the number of different systems has increased during the last years. The mutual connection of these systems has frequently led to an opaque jumble. Organizations no longer have a clear view of responsibilities and authorizations. Using identity and access solutions, many companies are able to improve this situation drastically. Costs of identity management and identity fraud are reduced and access to systems and assets is effectively and reliably managed, bringing the organization back in control.

[2] Hollandse Helden Overheidsinnovatie volgens uitvoerders, Initiatiefgroep Belgendoenhetbeter.nl, Noor Huijboom, Jorrit de Jong, Marco Meesters, Joeri van den Steenhoven, Arre Zuurmond
[3] Newsweek, Jan. 25, 2006
[4] http://www.fightidentitytheft.com/
[5] Mensensmokkel in beeld 200 2001, Informatie- en Analysecentrum Mensensmokkel en Landelijk Parket, Rotterdam, autumn 2002

In many cases, however, organizations rely on national identity documents and thus depend on the quality of national identity management. But, as we saw before, the embraced national identities or elements of identities may very well be fictitious. The financial risks connected to the existence of these fictitious identities, however, are perceived by governments as mainly external. Due to this, public authorities display a lack of zest to mitigate these risks effectively. Instead, costs related to false and forged identities are passed on to private parties, where they are difficult to control.

4. Generic improvement strategies

4.1. Biometrics and national identity management schemes

Now that the security of national identity documents, e.g. passports, and in many cases also of the application, production and issuing processes, has improved, a shift has occurred from document fraud to look-alike fraud. That means that there is an increase of risks connected to the passport application process, especially in the case of people who lost their passport, and to the manual verification process at border crossing points.

According to the European directive COM(2004)116/2004/0039(CNS) biometrics need to be in place, primarily in order to verify the authenticity of the passport itself, and also to prevent look-alike fraud, i.e. to verify the authenticity of the identity claim made by showing the passport. However, under the pressure of political discussions, the envisaged use of biometrics tends to shift from local use (1:1 verification) to several forms of central use (1:n identification, i.e. looking up people in central identity databases using biometric features).

Although there is not yet a common agreement within and between European member states on what the future use of the biometrics will be, several large procurements for national id management schemes have been done already or are in the process of being tendered. No single, strong, coordinated European approach seems to be in place yet to bring together user requirements concerning biometrics, legal implications of and constraints to the application of biometrics, and independent testing capabilities to verify conformity of those systems to standards and security requirements.

In the general discussion between policy makers about the application of biometrics, the security that biometrics can provide is stressed. Although there is no firm evidence, based on experience, our impression is that currently the focus of the discussion is moving from security towards convenience and efficiency. In the end, efficiency and convenience can have an important, if not crucial, impact on the security of biometric processes. Major advantages can be achieved by improving requirements for biometrics-enabled applications.

The core of biometric matching algorithms is based upon statistical analysis. The outcome of the matching process as a whole, however, is the result of many non-mathematical, sometimes even unpredictable, conditions, for example the physical environment, the human interaction with the biometric sensors and the quality of the operators of the biometric equipment. Improved convenience and efficiency can have a positive impact on the reliability of biometrics.

Biometrics can be a relatively weak authentication instrument: the outcome is never an absolute right or wrong but rather a probability, expressed as a percentage. If, as in the case of border crossing, the value of transactions is high, it is recommended to combine biometrics with one or more authentication instruments, such as physically secured identity documents or smart cards. With respect to border crossing, this pleads for cautious application of conventional authentication procedures and against the use of biometric databases for identification purposes. We must not be tempted to draw conclusions on the identity of people based solely on vague or mutilated fingerprints, smiles or grins.
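
The difference between 1:1 verification and 1:n identification, and the effect of combining biometrics with a second instrument, can be made concrete with a short calculation. The Python below is an added example, not part of the original paper; the score distributions, the threshold and the document-check pass rate are constructed assumptions, and the individual comparisons and checks are assumed to be independent.

```python
import math
from statistics import NormalDist

# Constructed assumption: comparison scores of impostors and of genuine
# holders follow these normal distributions (not measured data).
IMPOSTOR = NormalDist(mu=0.30, sigma=0.10)
GENUINE = NormalDist(mu=0.75, sigma=0.10)


def error_rates(threshold):
    """1:1 verification: return (false match rate, false non-match rate)."""
    fmr = 1.0 - IMPOSTOR.cdf(threshold)   # impostor scores above the threshold
    fnmr = GENUINE.cdf(threshold)         # genuine scores below the threshold
    return fmr, fnmr


def false_positive_identification(fmr, database_size):
    """1:n identification: chance that a person who is NOT enrolled still
    matches at least one of n records, assuming independent comparisons."""
    # 1 - (1 - fmr)^n, computed stably for small fmr and large n
    return -math.expm1(database_size * math.log1p(-fmr))


def combined_false_accept(fmr, document_pass_rate):
    """Biometric check AND a second instrument (e.g. a secured document):
    both must be defeated, assuming the two checks fail independently."""
    return fmr * document_pass_rate


def compare(threshold, sizes, document_pass_rate):
    """Summarise 1:1, 1:n and combined error rates at one threshold."""
    fmr, fnmr = error_rates(threshold)
    return {
        "fmr_1_to_1": fmr,
        "fnmr_1_to_1": fnmr,
        "fpir_1_to_n": {n: false_positive_identification(fmr, n) for n in sizes},
        "combined": combined_false_accept(fmr, document_pass_rate),
    }


if __name__ == "__main__":
    result = compare(0.60, [1, 100, 10_000, 1_000_000], document_pass_rate=0.01)
    for key, value in result.items():
        print(key, value)
```

Under these assumptions a false match rate of about 0.1% in 1:1 use becomes a near-certain false hit once the same threshold is applied against a database of a million records, while requiring a second instrument lowers the false accept probability.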

As discussed earlier, special attention needs to be paid to the initial registration process, where the quality of the identity data is determined. At the same time, a realistic discussion should lead to a better understanding of the actual added value of biometrics, leaving behind the phase of wishful thinking and unrealistic claims.

If put in the right context and surrounded by the proper procedures, human guidance and supervision, biometrics will offer an unparalleled ability to connect the physical identity of a person to the identity as claimed by that same person by showing an identity document. When biometrics are used for identification purposes, the great advantage is the speed and accuracy with which large databases can be searched; millions of records can be searched in just seconds, thus identifying individuals with a reasonable chance of success, also in case other personal information is not available, incomplete or incorrect.

4.2. Corporate identity data quality and identity lifecycle management

As said before, many companies are able to improve their identity management processes by applying identity and access solutions. The quality of data, however, is still a point of concern. In most instances, national identity data lie at the basis of corporate identity data. These data, as shown before, are of questionable quality. And without further measures it is impossible to keep these data, once acquired, up to date and clean. So what we are looking for is a method for continuous quality management of identity data. The whole lifecycle of dynamic identities is to be managed, rather than the static identities as established by national governments.

Identity lifecycle management includes the following steps:

1. Risk analysis: in order to determine the dependence on identity (related) data and the threats to which these data are exposed; as a part of this, attack scenarios are to be described on each component of identity management, both processes and data [6];
2. Establishment of an identity matrix: to be established in accordance with the risk profile; the authentication matrix constitutes a critical subset of the identity matrix;
3. Importing identity data: the source of data and selection criteria are to be determined; either single or multiple public or private databases may be used;
4. Filtering and cleansing of the acquired identity information, which may be done by applying identity resolution tools;
5. Monitoring of identity management applications and data;
6. Reporting and auditing of the identity lifecycle management and acting upon the results.

Schematic: [figure not reproduced]
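
Steps 3, 4 and 6 can be illustrated with a small identity-resolution pass over imported records. The Python below is an added example, not part of the original paper and not any particular identity resolution tool; the source names, document numbers, records and status labels are constructed for illustration.

```python
import unicodedata
from collections import Counter, defaultdict

# Constructed sample rows from two hypothetical sources (step 3).
RECORDS = [
    {"src": "population_register", "name": "Jansen, Pieter", "dob": "1970-03-12", "doc": "DOC-0001"},
    {"src": "hr_system", "name": "pieter  JANSEN", "dob": "12-03-1970", "doc": "DOC-0001"},
    {"src": "population_register", "name": "Vries, Anna de", "dob": "1985-07-01", "doc": "DOC-0002"},
    {"src": "hr_system", "name": "Anna de Vries", "dob": "1985-01-07", "doc": "DOC-0002"},
    {"src": "population_register", "name": "Bakker, Jan", "dob": "1962-09-30", "doc": "DOC-0003"},
    {"src": "hr_system", "name": "Karel Smit", "dob": "1990-11-30", "doc": "DOC-0003"},
]

def norm_name(name):
    """Fold case and accents; treat 'Surname, Given' and 'Given Surname' alike."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(sorted(text.lower().replace(",", " ").split()))

def norm_dob(dob):
    """Accept YYYY-MM-DD or DD-MM-YYYY and return YYYY-MM-DD."""
    parts = dob.strip().split("-")
    if len(parts) != 3:
        raise ValueError(f"unrecognised date: {dob!r}")
    return "-".join(parts if len(parts[0]) == 4 else reversed(parts))

def resolve(records):
    """Step 4: group records by document number and classify each group."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["doc"]].append((norm_name(rec["name"]), norm_dob(rec["dob"])))
    report = {}
    for doc, rows in sorted(groups.items()):
        names = sorted({n for n, _ in rows})
        dobs = sorted({d for _, d in rows})
        if len(names) > 1:
            status = "conflict_name"   # one document claimed under different names
        elif len(dobs) > 1:
            status = "review_dob"      # same holder, sources disagree on birth date
        else:
            status = "clean"
        report[doc] = {"status": status, "names": names, "dobs": dobs}
    return report

def audit_summary(report):
    """Step 6: count groups per status for the audit report."""
    return dict(Counter(entry["status"] for entry in report.values()))
```

Running `audit_summary(resolve(RECORDS))` on the constructed data yields one clean identity, one record pair needing a birth-date review, and one document number claimed under two different names.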

5. Conclusions

Current trends in national identity management, among which the application of biometrics is the most conspicuous, have an undeniable impact on corporate identity management. The rise of virtual identities poses a particular challenge to identity management in general. A new balance of trust in identities is to be found.

[6] Elisabeth de Leeuw, Master thesis Risks and threats attached to the application of biometrics in national identity management, TIAS Business School, Eindhoven, at: https://secure.gvib.nl/afy_info_ID_1322.htm, [Thesis MSIT.zip]

The quality of identity data is a cause of continuous and serious concern. The costs in connection with identity fraud are high and justify a business case for improvement.

In order to actually bring about improvements, an integrated approach is needed. Biometrics can offer an unparalleled possibility to connect the physical identity of a person to the identity as claimed by that same person by showing an identity document. However, a balanced application as well as a serious concern for the quality of identity data are preconditions for success.

The application of identity lifecycle management can help to achieve this high quality of identity data, in both national and corporate identity management.