It’s probably the most critical question ever asked from an infosec point of view. Who are you? Proving the identity of people and systems that connect to your network and access your data is a critical element of your security posture.
So, what are the big issues when it comes to identity? We spoke to HID’s Allan Malcolm, the Regional Director in APAC for Government ID Solutions, at the recent Technology in Government conference held at Canberra’s National Convention Centre.
“The two key areas are concerns over who is accessing your data. The second one is the aspect of physical validation of an individual versus their written validation – whether you use biometrics or some other method of physically associating someone with their electronic identity,” he says.
One of the recurring refrains from the conference was a look back at the failed Australia Card initiative. Although that was 30 years ago, there’s still a lingering memory of its failure. Even today, the idea of a single identity that potentially links together multiple datasets from many sources is still a concern.
“I think that’s very much a perception issue,” says Malcolm. “One of the key considerations of that is, in this particular case we’re talking about a government, but if we look at some commercial and private organisations – Google being a specific case in point – they probably have far more data and information about people’s behaviour and their movements, likes and dislikes and they store all of that data and they openly admit they keep and retain all of that information. Whereas a government is really just trying to make sure that a citizen is genuinely a citizen and has a right to whatever services and facilities that the government is trying to provide”.
In order for an identity program to be accepted, there needs to be an understanding by citizens that there is a need for some sort of validated identity. Although there is lots of concern about cybercrime and that a government identity could be an avenue to cybercrime, there’s a counterpoint that a “highly-secured validation token” could be a far more secure method of validating a person.
Importantly, having a robust identification system does not obviate the need to secure data and ensure its integrity. The breach at the Office of Personnel Management in the US highlights this.
Malcolm says the amount of data that would be needed to validate an identity would actually be quite small.
“It’s your date of birth, information about your birthplace and parents – who they are - and where you are and where you live, how old you are and some biometric information that’s used to validate you when you are trying to apply for other services”.
The objective would be simply to answer yes or no when asked if you are who you say you are.
Malcolm reiterated the same message we heard from Rachel Dixon from the Digital Transformation Office – there needs to be a clear benefit for consumers to have a digital identity. He says not needing to physically attend a government office in person or having to wait for various background checks to be done is a clear convenience for citizens.
“In addition, there’s a cost saving from a government perspective which could, in theory, be passed on,” he adds. Alternatively, different cost models could be applied to services depending on how they are accessed.
What does an optimal identity system look like? Malcolm says “You have to be quite stringent about what your rules of acceptance are, what defines a citizen. Once you’ve reached that point, the key is to make sure the system is fit for purpose – make sure you have the information you need to support the services you want to offer”.
Malcolm noted that biometrics can be a critical element of an identity system. He pointed to international passport controls using automated gates where photos and facial recognition are not only faster for travellers but more accurate than customs staff.
But it’s also important to compartmentalise where data is kept. “There’s no need for someone from a national identity department to access your taxation information or your passport,” Malcolm says. “But the authentication system can be the same for all”.