• Home Page
• Corporate
  • BCRM Approach
  • BCRM FAQ
  • Case Studies
  • Certifications
  • Code Of Conduct
  • Company details
  • Customer satisfaction
  • Industry Endorsements
  • The Team
  • Why us?
• Policies
  • Business Continuity
  • Conflict of Interest
  • Corporate Social Responsibility
  • Data Protection
  • Disability Discrimination
  • Environment
  • Equal Opportunities
  • Health and Safety
  • Information Security
  • Personnel Screening
  • Quality
• Services
  • Health Checks
    • Business Continuity
    • Security Vetting
    • Data Protection Act
    • Software Asset Management
    • Service Management
    • Information Security
    • PCI DSS
    • Risk Management
  • Information Assurance
    • Disaster Recovery
    • Information Security
    • Physical Security
    • Employee Vetting
    • Software Asset Management
    • Risk Management
    • Identity Management;
    • Secure Disposal
  • Compliance
    • Governance Today;
    • GRC
    • FSA Compliance
    • Data Protection Act;
    • PCI DSS;
    • Sarbanes Oxley;
    • FSAP
    • Workflow and GRC;
    • Using XBRL for GRC;
    • Inspection of Records;
    • Litigation Support
    • Employment Law
    • FSA Support
    • Money Laundering
  • Management Systems Consultancy
    • ISO 9001
    • SO 14001;
    • ISO 17025
    • OHSAS 18001
    • ISO 20000
    • BS 25999;
    • ISO 27001;
    • Do you need us?
    • Auditing
    • Polices and Procedures
  • Continuous Improvement
    • ISO 9004;
    • Total Quality Management (TQM)
    • Six Sigma;
    • Capability Maturity Models;
    • ServQual / RATER;
    • EQF
    • Balanced Scorecards;
  • Certification Services
    • Standards Implemented
    • Management System Implementation Methodology
    • Consultancy to Support Certification
    • Certification Body Audit Markings
    • Certification Pre-Audit Services
    • Remediation
    • Certification FAQ
  • Digital Forensics
    • Forensic Evidence Recovery
    • Expert Witness Services
• Records Management
• Training
• Standards
  • Management Systems
    • BS 25999
    • ISO 14000
    • ISO 17025
    • ISO 20000
    • ISO 27000
    • ISO 9000
    • OHSAS 18000
    • PAS 99
  • Other Standards
    • BS 10008
    • BS 10012
    • ISO 25777
    • BS 7858
    • BS 8470
    • BS 7858
    • BS 8549;
    • ISO 15489
    • ISO 19770
    • ISO 24762
    • ISO 38500
• Legislation
  • Basel II
  • Data Protection Act
  • Financial Sector Assessment
  • Financial Services and Markets Act (UK);
  • Health Insurance Portability and Accountability Act US);
  • Markets in Financial Instruments Directive (EU);
  • Miscellaneous relevant EU Directives;
  • Payment Card Industry Data Security Standards (worldwide);
  • Sarbanes Oxley (US);
  • Single European Payments Area (EU);
• Legal
  • Copyright
  • Legal Disclaimer
  • Privacy
  • Security
  • Links to other sites
• Site Map
• Contact Us
•  

---

?

Identity Management Consultancy

---

• overview;
• service offering;
• approach
• benefits
• next steps

Overview

The requirement of Identity management is to standardise communication between two or more parties, so they can identify and verify the other party(ies) to their own satisfaction prior to undertaking any digital interaction with them.

Historically, in the real world, identity management was typically carried out by physical introduction and references between the interacting parties or those that are trusted by them. With the advent of the internet and international communications this has become almost impossible.

The traditional way of addressing this issue as espoused by a number of major consultancies and vendors is an IT solution that typically has a centralised database containing identity credentials. We have all seen how data leakage from such databases, how this information is wrong or has been (mis) used for such purposes as data matching across databases (see Stephen's Story on page 10 for a classic example)

Identity management is key to operating in business today and in the future. The United States have already set various standards that organisations wanting to work with government must meet FIPS 201, that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors.

Identity Management requires that there are processes and procedures in place to ensure the integrity of the end-to-end process of identifying and verifying claimed identities. The integrity of the processes and staff around this process is essential and if any part of the process is subverted or contains exploitable vulnerabilities then the whole process of establishing and verifying an identity can be compromised.

This will always be a major concern if a third party looks after an individual's identity, as their duty of care to the identity owner may not be as high as they want and the identity owner has absolutely no control of the handling of their identity once they have 'given their identity away' to a third party.

Too many solutions proposed are technology driven and ignore the business or personal issues around identity management. Technology can be used to support the business processes required to establish and verify an identity but technology is NOT the universal panacea or 'silver bullet' for solving the identity management problem - no matter what the salesmen from technology vendors or management consultancies tell you.

The main question in identity management that must be asked is:

"Can I prove to another party, beyond reasonable doubt and to their satisfaction, that I am who I claim to be, and am acting in the delegated role I claim for some organisation?"

This needs to be done in the simplest but secure manner.

Typically, this is done with identity cards, perhaps backed up by biometric information - again held on a centralised database and subject to the possibility of identity theft.

Service Offering

It is BCRM's conjecture that this whole process is fatally flawed as identity theft is so simple with any physical credential that can be carried such as a passport, ID card or similar - even if supported by a biometric confirmation. Holding all this information in a centralised location, even if from public sources allows a whole identity to be stolen with all necessary supporting evidence to support the claimed identity - not only that - but also much of the database that can be accessed may also be subject to subversion as well.

These flawed systems include all current database centric identity management systems.

BCRM propose a revolutionary approach that does not use a centralised database but a peer-to-peer model where the individual is in charge of their own identity, which we have called a Personal Digital Identity (PDI). This is used to provide references from a known legal starting point (e.g. registration of birth, entries on the relevant company business register etc) and is built up over time as more digital interactions are undertaken allowing more references to assert that you are who you claim to be. This reverts to the pre-internet days where identity management was based on introductions and references. As time goes by and more references become available, the identity becomes more difficult to forge as the references can be individually checked by the reference receiver directly with the reference giver to ensure that they are both current and valid.

The reference requester can request references from the other party that meet their requirements and come from someone they trust - either on a personal basis or because they are 'reputable'. Once the identity has been established to the satisfaction of all interacting parties, the digital interaction can take place.

The owner of the PDI, can agree with the other interacting parties things like:

• encryption strength to be used;
• jurisdiction in case of dispute;
• signing requirements;
• supporting biometrics to be used;
• etc;

The whole process is business policy driven modelling real world processes and is not technology driven, but relies on technology to communicate securely between the parties. Whilst acting in a delegated role for some organisation, the owner of a PDI can:

• accept a delegated role from any organisation (e.g. Salesman, CFO, etc);
• be accountable for actions taken with their PDI whilst acting in that delegated role;

Additionally, in this model, each interacting party can choose their own independent witness service provider (WSP) who will hold an audit trail of all digital interactions in case of later dispute. In that case; there is always at least one independent witness that holds an encrypted and hashed copy of the detail of the digital interaction that is time stamped from a known and reputable time source and this is held in accordance with the relevant legislation where the WSP resides. If required, an organisation can set up their own WSP so they can maintain control over their own audit trails.

This infrastructure has been working satisfactorily in a number of locations and first went live in 2003.

A number of solutions have been developed using this infrastructure.

Approach

BCRM has developed a standardised approach to implementing identity management projects:

• defining the scope of the project;
• understanding your business;
• understand the accountabilities, authorities and responsibilities of all delegate roles in your organisation;
• define the requirements for implementation;
• link the implementation to the existing infrastructure;
• implement the relevant roles on the relevant PDI;
• connect the WSPs, or commission a new WSP for the organisation;
• integrate the infrastructure into existing processes and procedures;
• test end to end processes;
• provide training;
• go live.

Benefits

The use of a PDI with a WSP:

• agrees, in advance, the dispute resolution process;
• allows trust to be built over time between interacting parties;
• complies with relevant legislation and regulation;
• eliminates the 'attack point' of a centralised database containing multiple sets of identity credentials;
• ensures that references are appropriate and can be verified;
• has been favourably benchmarked against a range of legislation, regulation and international standards;
• meets the requirements stated in Kim Cameron's 'Laws of Identity';
• places control of the identity back in the owner of that identity;
• provides a simpler process for managing access within your organisation, including termination and job change situations;
• provides independent verification of the content of an interaction;
• provides total traceability and transparency;
• reduced the chance of identity theft;
• uses robust and provable technology that has been successfully running for over 5 years;

Next Steps

• BCRM has a number of other service offering, these are listed here;
• BCRM is committed to providing a consistently high value service to our Clients;
• David Lilburn Watson, who remains personally 'hands-on' throughout the process, manages this process.
• to understand how the BCRM suite of offerings can be used to transform your business, please contact us
• we look forward to discussing your specific requirements, at your convenience;
• whatever other type of consultancy you require, we can possibly offer a free Health Check.