Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Monday, July 23, 2007

On Identity Assurance in Enterprises …

What is “Identity Assurance”? Why should enterprises care? If you browse the web you will find a wide set of “answers”, mainly centred on “solutions” that range from “biometric” products to more comprehensive approaches involving management of identity processes and involved risk.
Actually, an IAAC position paper on Identity Assurance brings some clarity to this space (http://www.iaac.org.uk/Portals/0/identity_management_paper_v1-7.pdf). It does a good job of describing this concept and identifying the relevant aspects and issues.
Identity Assurance is ultimately concerned with the proper management of risks associated with identity management. It is about the “process” of ensuring that identity management is under appropriate control.
Why should enterprises care? In many senses identity management is a mature discipline within enterprises. There are standard technologies for single sign-on, directories and group- or role-based access control. However, many aspects remain procedural and reliant on people doing the right things. This makes identity assurance difficult.
As industries move more to outsourcing of IT and business processes, and ultimately to federated services, the reliance on process and people becomes more problematic. Such approaches seem unlikely to address questions such as: how can a business convince an auditor that it has sufficient control and visibility of the people and processes being applied by service providers a few steps away and outside of its control? Identity assurance is all about ensuring that these processes are well controlled and therefore that risk is mitigated.
This is particularly true in the context of federated identity management where identity providers and service providers rely on each other to ensure that the right identity management processes are in place, that identity information is disclosed and used for the right purposes, consistently with users’ expectations.
So, I believe that Identity Assurance is another key area that will be subject to investments and R&D activities in the coming years – in order to deal with a growing demand in the compliance management and risk mitigation areas. I will come back to this topic with future posts …
A “spin-off” of this area would be bringing aspects of Identity Assurance back to end-users (e.g. customers), in a suitable and intuitive way, to boost their trust and reputation in organizations. How this can be done, in a suitable way, is really open to investigation and research …
Have you had any experience in the Identity Assurance space? What is your view?
