Wednesday 29 January 2014

E-SECURITY
The Role of Identity in Identity Management
-- Neha Vivek Nair
There are many traditionally run identity management systems that are used to establish authentication and authorization amongst individuals. This article focuses on the role that identity plays in an identity management system, examines the scope of digital identity management systems and explores the privacy aspect of identifying an individual.
The term 'identity management' has now become a generic name. It deals with how a person is identified and, at the same time, how he is authorized across computer networks. Identity management takes into account those processes that deal with the use of information and computer technologies. Many scholars have claimed that the term 'identity' is abstract in nature and is hence difficult to explain. Identity management can be defined as: "A set of data management systems and practices to increase the confidence in the identity of individuals, where appropriate."
The IT industry has developed several dimensions related to identity management. There is only a subtle difference between digital and physical identity. Companies work on the culmination of physical and digital identity concepts and do not rely on digital concepts alone. The main task associated with identity management is managing user credentials appositely. Many organizations today work online, which implies that their employees have login IDs to access the online systems. It is well known that online systems are vulnerable to attacks from intruders in the form of hacking, phishing, etc. Identity management focuses on the age-old theory of assigning namespaces, where a name is assigned to a real, identified, authenticated object. It also concentrates on employee turnover. It stresses that the application should curtail the setting up of new data stores of the users. This has given rise to a new concept of identity engineering, which deals with the management of interrelated items.
Guidelines of Privacy in Identity Management
Privacy is the most significant objective that needs to be considered while developing an identity management system. Generally, minimal information is collected while building an identity management system. This is a generic rule that has to be followed for protecting the privacy of the users. Though the principle appears to be easy, practically it is not. There are many debates on how much information has to be collected for an identity management system to work under any condition. The concept of identity risk analysis calculates the probability that an identity theft has occurred. To make the risk analysis work well, one needs to gather much more information about an individual than what is required. Hence, it is essential to maintain a rich profile of every individual.
Many guidelines have been proposed by experts on the issue of privacy in identity management. But understanding the application of those principles in the working system requires a great deal of learning. The Organization for Economic Cooperation and Development (OECD) has prepared a set of guidelines which follow the Fair Information Practice principles (FIPs). These guidelines focus on privacy of data flows among 30 member nations of the OECD. These principles concentrate on how data should be collected and used. There are seven concern areas for FIPs to function properly:
• The facts about the data involved in the establishment of an identity system should be made public to all the users.
• Every individual should be able to view the information/data that has been collected regarding him. There should be options for editing wrong data that has been entered or deleting obsolete information from the system.
• If personal data of an individual is to be stored, it should be on a fair basis and with the approval of the individual concerned.
• The data quality, in case of personal information, should be relevant to the cause of the identity system.
• The use of personal data should be as minimal as possible and should not be changed from what was mentioned to the individual at the time of collection.
• The information within the system should be properly safeguarded against all sorts of hazards.
• The custodian of information should be fair enough in using it accordingly.
There are many building blocks used for privacy in identity management. But two areas are of major concern for any user when private information is being stored.
• The chances of a fraudster accessing the victim's confidential information are high.
• Many times, there are chances of creating links between the data and the individual. Sometimes many data links are created between different data sets which are then put for further analysis.
If we take the example of any social networking site, there will certainly be security controls. These controls allow one to keep a check on the amount and type of information that can be viewed, even in the case of his friends. This is related to the fact that the profile information might be accessed by others.
Hence, an organization's prime responsibility is to be very clear about its privacy policies. The policies should be made public for creating awareness about the type of information that is to be provided. Graphical representation of privacy policy symbols is a good step in this direction. (Refer Figure 1)
Digital Identity Management
It has now become essential to have a digital identity management system as more and more people are working through ICTs. According to Camp, the following trends would be induced by introducing digital IDM systems:
• Information flows more freely, compared to face-to-face and paper-based transactions.
• Information can be copied at no expense.
• Transactions become information dependent.
• Transactional histories become more detailed and trust depends on it.
In all the practical models of digital identity, the given identity object would have a finite set of properties.
There is an increased level of freedom observed in the choice of pseudonyms by the identity object. Some of the most common ones used in case of digital IDMs are: email address, contact details, credit card information, etc.


'Surveillance' is the new terminology which has been coined with the advent of the latest ICTs. Surveillance gives rise to the ability to gather an individual's information secretly, just as it is done by those in the police department. This is termed a major societal concern. There should be systematic use of personal data systems in the monitoring of actions or communications. The methodology adopted for this purpose should have effective controls over the techniques used to gather surveillance data. The trend of data collection is now prevalent in many private sector organizations, where customers are distinctly classified into clusters. Here, the target segmentation is done using data mining algorithms.
It has been observed that, of late, the use of CCTV cameras or ID cards based on the newly available identity information is on the rise in public sector organizations.
The fundamental value in building a digital IDM is to hold minimal personal information. This criterion has been accepted well by everyone.
The following aspects are primarily covered with a digital IDM:
• The system should reveal the information only after ensuring the person with proper user consent.
• There should be minimal amount of information and this needs to be put to the best use.
• Information has to be disclosed only to the concerned member.
• The identity system must have human integration for taking some of the informed decisions.
• The system should be consistent in performance.
There are certain core concepts which are important to understand identity management in a better way. (Refer Figure 2)

Identification
Identifying an object is the most crucial task in any identity management system. In the digital environment, there is some data available which can be uniquely associated with the object in the form of a record or a transaction, and can be readily used for the purpose of identifying. The term 'identification' can be defined as: the set of approaches and mechanisms that intervene in the course of an interaction and which are very broadly related to the disclosure of identity information. Identification can prove to be of great help in the following areas:
• Control access rights to the restricted areas of the system
• Giving out relevant information after access has been given
• There should be a system to record and audit the actions of the member.
There are two areas of identification:
• Explicit Identification: It is done intentionally by the user itself. Hence, there is an active participation from the user's end. Some of the examples are passwords, ID cards, biometrics, business cards, etc.
• Implicit Identification: It is done without the knowledge of the user. This is possible with the help of the acquaintances of the user.
Authentication
The term 'authentication' refers to validating the authenticity of someone or something. Many people understand it as the process of verifying a person's original identity. Authentication is defined as the process of testing an assertion in order to establish a level of confidence in the assertion's reliability. Verification is usually carried out on many parameters. It is also possible to perform verification of an object using outsourced third party sources. Once the authentication procedure has been completed and the outcome is positive, the respective access controls can be granted to the user on the basis of the user controls right management.
Anonymity
Anonymity is one of the most important concerns for identity management. It usually arises when a person's identity cannot be verified. Anonymity could also signify that the identifier is unacknowledged or has not been defined properly. Anonymity can be defined as: the subject is not identifiable within a set of subjects, the anonymity set. There have been several debates on the topic of anonymity. If the user opts for conditional anonymity, then the verification procedure can be done to a certain extent. Some of them wish to be anonymous as it gives them their required privacy in any identity management system.
Pseudonymity
There are many people who prefer pseudonymity to anonymity in the case of digital identity management systems. A pseudonym is defined as a fictitious name used by a person when he wants to conceal his identity. Many people use pseudonyms when carrying out transactions online. It is also employed when a person wants to make some comments/suggestions to an organization. Three major questions arise when a person opts for pseudonyms. These are:
• Can someone trace the person's pseudonym?
• Is the pseudonym a unique possession of that specific person?
• Can the pseudonym provide some sort of linking of information related to the person?
Person pseudonyms are used as substitutes for real names. Role pseudonyms are mentioned with a person's current role. Relationship pseudonyms are mentioned with respect to specific communication partners. Role relationship pseudonyms combine role and relationship pseudonyms. Transaction pseudonyms are used for transaction purposes only (Refer Figure 3 for Flow Chart of Pseudonym). There are two ways to provide pseudonymity in an online transaction:
• Authentication of eligibility, rather than identity.
• Authentication of identity without recording it.
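The following is an added example, not part of the original article, showing how the five pseudonym types differ in the linking question raised above. Deriving pseudonyms with HMAC under a secret held by the person, the function names and the sample contexts are all assumptions of this example; the article does not prescribe a construction.

```python
import hashlib
import hmac
import secrets

def _derive(secret: bytes, *scope: str) -> str:
    """HMAC the scope under the holder's secret; parts are length-prefixed
    so that ("ab", "c") and ("a", "bc") cannot produce the same input."""
    msg = b"".join(len(s.encode()).to_bytes(2, "big") + s.encode() for s in scope)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]

def pseudonym(kind: str, secret: bytes, role: str, partner: str) -> str:
    """Return the pseudonym of the given type for one (role, partner) context."""
    if kind == "person":              # one substitute name used everywhere
        return _derive(secret, kind)
    if kind == "role":                # changes with the person's current role
        return _derive(secret, kind, role)
    if kind == "relationship":        # changes with the communication partner
        return _derive(secret, kind, partner)
    if kind == "role-relationship":   # changes with both role and partner
        return _derive(secret, kind, role, partner)
    if kind == "transaction":         # fresh random value for every use
        return secrets.token_hex(8)
    raise ValueError(f"unknown pseudonym type: {kind}")

# Constructed sample: four interactions by the same person.
CONTEXTS = [
    ("customer", "shop.example"),
    ("customer", "bank.example"),
    ("employee", "shop.example"),
    ("customer", "shop.example"),     # a second visit, same role and partner
]

def linkable_sets(kind: str, secret: bytes, contexts=CONTEXTS):
    """Group interactions by the pseudonym seen in them. Each group is what
    an observer who pools the records can tie to a single holder."""
    groups = {}
    for role, partner in contexts:
        key = pseudonym(kind, secret, role, partner)
        groups.setdefault(key, []).append((role, partner))
    return list(groups.values())

if __name__ == "__main__":
    holder_secret = secrets.token_bytes(32)
    for kind in ("person", "role", "relationship", "role-relationship", "transaction"):
        print(f"{kind:18s} distinct pseudonyms: {len(linkable_sets(kind, holder_secret))}")
```

Fewer distinct pseudonyms means more of the person's interactions can be linked: the person pseudonym ties all four together, while transaction pseudonyms tie none.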

Common Identity Management Systems
There are many tools available for performing the task of identity management systems. Some of the most common are making use of public key infrastructure, directories, smart cards and biometrics. Though there are shortcomings in the identity management systems, most of the brands manufacturing IDMs claim that the flaws are because of using outdated technologies. An IDM solution is being built for the European FP6 project, known as Privacy and Identity Management for Europe (PRIME), to provide optimal services to consumers. There is a Higgins Project which is getting contributions from Google, IBM, Novell, Oracle and Serena for an open source internet identity framework.
Conclusion
It is essential to understand the significance of an identity management system. It should be analyzed whether an identity management system will resolve all the existing problems because many times it has been observed that many objectives are accomplished without using an identity component. There are many pros and cons for collecting information and they should be used appropriately, satisfying all the legal requirements, so that privacy does not become the biggest concern in building an identity management system!
About the Author
Neha Vivek Nair is a Faculty Member - IT and Operations at IBS in Ahmedabad. The author can be reached at nehaviveknair@gmail.com.
