Redefining Convergence 'Systematics'

Logical and physical access control convergence discussions refocus on digital identity and credentials


Convergence is not a product category or a service that is delivered. It is the result of the onward march of the connected world. And in this converged world there exists a crucial set of security services related to identity registration; the privileges of individuals; binding those privileges to smart devices; managing the “identity” of the devices; and the services that support them.

Recognition prospects

The identity opportunity for individuals, organizations, products and services stems from a number of factors. One aspect is the rapid rise of the Internet and our need to be connected in our daily lives. The ratio of online to offline continues to shift toward a state of continuous connectivity and with this comes a shift toward the increased use of our digital identities over our physical ones.

A related factor is that cybercrime and fraud exceed physical (kinetic) theft. And it is not just theft that is affected, but also war. For example, the priorities in the Department of Defense budget continue to shift from kinetic war to cyber warfare. One trillion dollars a year of fraud (six percent of the national debt) stems from an increase in electronic transactions. All of these factors increase the demand for strong, trusted identities.

The National Strategy for Trusted Identities in Cyberspace (NSTIC) in the U.S. eschews the idea of a government-issued national identity (“Identity Ecosystem,” The National Strategy for Trusted Identities in Cyberspace (NSTIC), 2012, http://www.nist.gov/nstic/about-nstic.html).

NSTIC looks to create a public/private, but industry-led, identity for citizens. Many other countries around the world have national identification credentials (“List of national identity card policies by country,” Wikipedia, January 8, 2012, http://en.wikipedia.org/wiki/List_of_national_identity_card_policies_by_country).

Thus, the U.S. is more of an outlier in its approach. Canada, in comparison, has a number of credential programs underway for its citizens.

Internet identities are many, but some standards are evolving. The U.S. standard for personal identity verification (FIPS 201), used for government employees and contractors, provides best practices for the creation of a digital identity (as opposed to the creation of the token to which it is bound). Those who wish to play in this market need to develop solutions that incorporate these best practices into their identity and credentialing process. Some of the keys to achieving this include:

Separation of roles in the digital identity creation process. Recognize that the strongest identity credentials are created when the applicant, sponsor, enrollment officer, adjudicator, issuance officer and system administrators all are distinct individuals with the requisite training and controls on their actions;

Create an enterprise registration authority as the “identity vault” where the personal data is kept, and access it on a need-to-use basis. Develop solutions and skills around this key requirement. This is very different from printing cards from a database;

Pay special attention to the individual’s binding to the access token, whether it is a smart card, key fob or smartphone. The strongest binding involves the use of secrets and biometrics unique to the identity/credential pair;

Use technology that is cryptographically sound and standards-based. Be very careful of claims about superior proprietary techniques;

Look across the enterprise at the existing applications (there are typically hundreds) that you need to support. Look to provide an identity token that meets these needs today and into the future. In this way you can create an identity, credential and access control solution that can be consumed as authentication and access services across the enterprise; and

Look to develop analytics-based intelligence applied to the identity transactions supported by the enterprise identity services. The benefits in terms of governance, risk, compliance, productivity and privacy are much more powerful than consolidated graphics and reports.
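The separation-of-roles point and the analytics point above, as an added example that is not part of the original article: a small Python model of an issuance gate that refuses to issue a credential when one person holds more than one of the FIPS 201 roles named above, or when a required step was recorded by someone other than the assigned role holder, and that logs every decision so that activity per actor can be summarised afterwards. The role names follow the article; the request format, the function names and identifiers such as u200 are constructed assumptions, not any product's or standard's API.

```python
# Added illustration, not code from the article. Role names follow FIPS 201 as
# the article lists them; request shape, function names and IDs are constructed.
from collections import defaultdict

# Roles that must be held by distinct individuals for a single issuance.
SEPARATED_ROLES = ("applicant", "sponsor", "enrollment_officer",
                   "adjudicator", "issuance_officer", "system_administrator")

# Workflow steps and the role that must have performed each one.
STEP_ROLE = {"sponsorship": "sponsor",
             "enrollment": "enrollment_officer",
             "adjudication": "adjudicator"}


def separation_violations(roles):
    """Return sorted (person_id, [roles]) pairs for anyone holding several roles.

    `roles` maps a role name to the identifier of the person filling it.
    """
    holders = defaultdict(list)
    for role in SEPARATED_ROLES:
        if role in roles:
            holders[roles[role]].append(role)
    return sorted((p, r) for p, r in holders.items() if len(r) > 1)


def missing_roles(roles):
    return [r for r in SEPARATED_ROLES if r not in roles]


def step_problems(roles, steps):
    """Each required step must exist and be recorded by its assigned role holder.

    `steps` is a list of (step_name, actor_id) tuples in the order recorded.
    """
    done = dict(steps)  # last actor recorded for each step
    problems = []
    for step, role in STEP_ROLE.items():
        if step not in done:
            problems.append(f"missing step: {step}")
        elif done[step] != roles.get(role):
            problems.append(f"{step} performed by {done[step]}, not the {role}")
    return problems


def decide_issuance(request, audit_log):
    """Gate one request: returns (decision, reasons) and appends an audit record.

    Every decision is logged so later analytics can run over the transactions.
    """
    roles, steps = request["roles"], request["steps"]
    reasons = [f"role missing: {r}" for r in missing_roles(roles)]
    reasons += [f"{p} holds {', '.join(r)}" for p, r in separation_violations(roles)]
    reasons += step_problems(roles, steps)
    decision = "rejected" if reasons else "issued"
    audit_log.append({"request_id": request["request_id"], "decision": decision,
                      "reasons": reasons, "roles": dict(roles)})
    return decision, reasons


def role_activity(audit_log):
    """Summarise who acted in which role across all logged requests.

    Returns {person_id: {role: count}}. An actor who appears in several roles
    over time is a governance signal to review, not automatically a fault.
    """
    activity = defaultdict(lambda: defaultdict(int))
    for record in audit_log:
        for role, person in record["roles"].items():
            activity[person][role] += 1
    return {p: dict(c) for p, c in activity.items()}


# Constructed sample requests; all identifiers are made up.
GOOD_REQUEST = {
    "request_id": "req-1",
    "roles": {"applicant": "u100", "sponsor": "u200", "enrollment_officer": "u300",
              "adjudicator": "u400", "issuance_officer": "u500",
              "system_administrator": "u600"},
    "steps": [("sponsorship", "u200"), ("enrollment", "u300"),
              ("adjudication", "u400")],
}
BAD_REQUEST = {
    "request_id": "req-2",
    # The sponsor also adjudicates, and enrollment was recorded by the sponsor.
    "roles": {"applicant": "u101", "sponsor": "u200", "enrollment_officer": "u300",
              "adjudicator": "u200", "issuance_officer": "u500",
              "system_administrator": "u600"},
    "steps": [("sponsorship", "u200"), ("enrollment", "u200"),
              ("adjudication", "u200")],
}

if __name__ == "__main__":
    log = []
    for req in (GOOD_REQUEST, BAD_REQUEST):
        print(req["request_id"], decide_issuance(req, log))
    print(role_activity(log))
```

The gate is deliberately a pure function over the request plus an append-only log: the same records that justify a rejection are the input to the per-actor summary, which is the kind of transaction-level view the analytics point above is after.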

Providing identity, credentials, access control and security systems and services that take into account this evolving context will increase the relevance of the security systems integrator. This positions them to deliver products and services that meet enterprise needs and place them at the front of the line for enterprise budgets as convergence happens.