Security in Identity Management – There’s a long way to go

Security in Identity Management is this week’s hot topic in London, with a Conference at DTI tomorrow on the subject of “Ensuring privacy and consent in identity management infrastructures”, followed up by an IAAC Conference on Wednesday on “Government’s Role in Identity Assurance”. Although there’s a strong Government flavour to these events, they are subjects that affect all of Industry.

It’s about time too. For the past three decades we’ve all lived with leaky network perimeters, insecure platforms, poorly designed access control systems and inadequate management of access rights. Not to mention the risks presented by information brokers and organised crime infiltrating our call centres to gain access to identity information or sensitive database records. On top of that we now have a growing backlash of citizen concern about what happens to all the sensitive customer information they give up to vendors and service providers. Are these organisations applying adequate safeguards? Are they selling it off to the highest bidder?

So there’s a lot to do. Start with a few regulations requiring reporting of incidents and security standards for safeguarding sensitive citizen information. Californian Law SB 1386 and the PCI Security Standard are both making a big difference to the attitude of organisations. They may be painful but they work. Then try to bridge the gap between the sophistication of the security standards community and the practical realities of actually implementing federated identity management. There is a need for a lot more guidance on best practice in action. Finally, address the human factors, including how to design systems that are less susceptible to human mistakes and social engineering. It’s a big, big field. And it requires immediate attention by Government, Industry and Academia.