Digital Identity

10 Oct 08:57

Planning and Creating an Identity Management Architecture - O'Reilly Releases "Digital Identity"

The rise of network-based, automated services in the past decade has definitely changed the way businesses operate, and not always for the better. Offering services, conducting transactions, and moving data on the Web opens new opportunities, but many CTOs and CIOs are more concerned with the risks. Like the rulers of medieval cities, they've adopted a siege mentality, building walls to keep the bad guys out. It makes for a secure perimeter, but hampers the flow of commerce.

Fortunately, some corporations are beginning to rethink how they provide security, so that interactions with customers, employees, partners, and suppliers will be richer and more flexible. "Digital Identity" by Phillip J. Windley explains how to go about it. Drawing on his experience as CTO of iMall, Inc., VP of product development for Excite@Home, and CIO in Governor Michael Leavitt's administration in Utah, Windley provides a rich, real-world view of the concepts, issues, and technologies behind a key concept known as "identity management architecture" (IMA).

According to Windley, IMA is a method to provide ample protection against malicious attacks while giving good guys access to vital information and systems. In today's service-oriented economy, digital identity is critical: it provides a set of standards, policies, certifications, and management activities that enable companies to manage digital identity effectively - not just as a security check, but as a way to extend services and pinpoint the needs of customers.

The ATM machine is one of Windley's favorite examples of the way digital identity increases business. "Before ATMs were invented, a bank's customers took care of their banking needs by presenting pieces of paper to a human teller," recalls Windley. The papers included instructions to the bank, cash, checks, and other financial instruments. Unless the teller personally knew the customer, the customer also presented some kind of identity credential, such as a driver's license, that allowed the teller to verify the customer's identity and proceed with the transaction. "The ATM was possible only because banks created a means of identifying their customers digitally," explains Windley. "With the advent of a digital identity infrastructure, banks no longer needed a human in the loop to verify the customer's identity, allowing them to provide around-the-clock access to banking in a broad range of convenient locations."

Windley likens IMA to good city planning: cities define uses and design standards to ensure that buildings and city services are consistent and workable. In "Digital Identity," CIOs, other IT professionals, product managers, and programmers will learn how security planning can support their business goals and opportunities, rather than holding them at bay.

[I beg to differ from the opinion stated by the author, that "banks created a means of identifying their customers digitally". It is precisely because they failed to do this (and for commercial reasons carried on pretending that they had succeeded) that credit card fraud and to an extent identity fraud are prevalent sources of finance for terrorism and organised crime. Expect a review of this book in one of the next issues of ISB! --Ed.]

Related links:
www.oreilly.com/catalog/digidentity/

Taken from Information Security Bulletin.