The world of cyber-security recently took a step closer to a one-person, one-password world, in which users no longer have to memorize multiple meaningless strings of random numbers, letters and symbols, and then memorize a new string several weeks later, for each of the websites they visit at work and home.
That, at least, is the goal of Verizon, which in December was named the first company to earn Identity, Credential and Access Management (ICAM) certification. ICAM, which was established by a subcommittee chaired by the General Services Administration and the Department of Defense, is designed to streamline and align the government’s identity-management activities. Many also view the certification as the initial step in a mass protection of digital identities that public- and private-sector organizations, as well as individuals, can use to protect and confirm that they are who and where they say they are.
ICAM is divided into four levels of assurance (LOA), with LOA 1 being the lowest and LOA 4 being the most secure. Each level builds on the previous level’s features by requiring a higher burden of identity proof on the user.
LOA 1 offers little or no confidence in the identity’s validity; no identity-proofing is required, and only a single factor, such as a password, is required for authentication.
LOA 2 offers some confidence in the validity of the identity; identity-proofing includes the presentation of identifying materials.
LOA 3 offers high confidence in the validity of the asserted identity and requires at least two factors for authentication. For example, to achieve LOA 3 assurance, a user would need to provide a password and at least one other item, such as a soft token, hard token or a one-time password.
LOA 4 offers very high confidence in the asserted identity’s validity. Beyond meeting the requirements for LOA 3, proofing of identity must be done in person and must include verification of identifying materials.
Recently Verizon became the first identity provider to earn levels 1 through 3; today, no other provider is certified above level 1—although, of course, several developers are working to change this. Verizon’s Universal Identity Services are ICAM-certified under the Kantara Trust Framework as an identity provider for LOA 1, 2 and 3 credentials.
“As the first ICAM-certified identity provider at level 3, Verizon is leading an identity-management revolution with a simple premise: to let in the right people and keep out the wrong people,” said Peter Tippett, vice president of Verizon. “As the foundation of a new identity ecosystem, we intend to better safeguard Americans and protect sensitive organizational data. By doing so, we are taking an important step in addressing the nation’s identity issues.”
ICAM addresses potential areas of insecurity such as digital identity, credentialing, privilege management, authentication, authorization and access, cryptography, as well as auditing and reporting. Via its Universal Identity Services, or UIS, Verizon uses smartphones and cloud technology to deliver high confidence in an asserted identity’s validity using verification of identity materials and at least two authentication factors, said Tracy Hulver, director, Identity Marketing-Security Innovation Group at Verizon Business, in an interview.
“Typically, historically, people use tokens with the one-time password generator. We can certainly support that, but our view is the last thing I want to do as an organization is incur the cost of all these tokens. From a user standpoint, I’ve already got a bunch of stuff I carry—and I don’t want something else I have to carry,” he said. “Our view is, if you want to use a token that’s fine. But why not use something you already carry—and that’s a smartphone.”
Although, of course, Verizon might prefer that organizations use its smartphones and wireless services, the company supports Apple, BlackBerry and Android, and is carrier-independent, Hulver said.
As for the concern organizations voice most often about cloud computing, namely security, turning over identity management to a trusted partner makes sense, said Hulver. In many cases, organizations are less equipped to handle the logistics than a company that focuses extensively on security as one of its core lines of business, he said. Tactics change fast, and many non-security-focused firms cannot adapt as quickly as necessary, said Hulver.
“If you look at cloud technology, doing it for an application is one thing. There is something about outsourcing their security [that] at least gives them pause,” he said, adding that more organizations are becoming comfortable with the concept. “I think identity is right now starting to pick up. If you can’t control who gets into your bank, it doesn’t matter what security you have inside. Part of that is because there really haven’t been carrier-class identity cloud solutions, and we feel we’ve got one of the best and strongest. I think people are going to be more interested in looking at cloud-based identity management now.”
