Implementing an identity management system
What are you protecting?
It’s worth assessing what you really need before beginning implementation. Not all information requires an identity system to manage access. You can protect the privacy of users and reduce the security risk to your systems by avoiding any unnecessary collection of personally identifiable information — this even includes contact details.
You might not need to implement an identity system if:
- You do not need to have an ongoing relationship with users.
- Transactions don’t depend upon personal information being accurate.
- You can rely on other forms of security.
To answer this, ask:
What transactions will users need?
Will the transactions be ongoing, as when users bookmark benefits or grant applications to fill out later, then return repeatedly to check the application status? Or will they be one-time or infrequent, as when people download medical or financial records?
What kind of information do you need to protect your customers?
Do you need a full name and other personal information so that users can access private information? Or do you only need to verify that a user fits in certain categories, such as the veterans category or the senior citizens category?
What sort of crime might access to this information make possible?
Information that seems innocent on its own might still be valuable to fraudsters and other criminals in combination with other easily accessed information.
What other means of security are available?
Postal tracking numbers, for example, are not secrets because the package will only be delivered to a specific address. The safety of the delivery rests on the security of the building and the conduct of the delivery person, not on the secrecy of the number itself.
What kinds of resources do you already have to identify customers?
Your agency may already have mission-specific information and resources that can be used to identify customers. By integrating resources you know and trust, you can increase the reliability of identification.
To answer this, ask:
What resources are unique to your agency?
Individuals’ confidential interactions with government agencies can generate a trail of metadata. Used carefully, that metadata can facilitate identity verification based on knowledge of those activities. Other government organizations serve as authoritative repositories of biometric data available for internal use. Some agencies may have physical locations that customers can visit.
What is a consumer identity management system?
When you’re at home and someone knocks at your door, it’s easy enough to decide whether or not to answer. Based on your knowledge of who’s outside, you can decide whether to open the door. Is the person outside a friend? A mail carrier or other expected service provider? A complete stranger? Online, the question of deciding “who’s there” is much harder. Consumer identity management systems make it easier for system administrators to decide whether or not to open the door, and how wide.
What is an identity?
In the world of security, “identity” has a very specific technical meaning that differs from a plain English sense. An “identity” in technical terms is a special kind of record — a bundle of different types of data that together describes only one system user [NIST 800-63-3]. That data can include references to official government records, such as driver’s license numbers and registered birth dates, as well as more mutable data such as email addresses and usernames. Physical attributes such as fingerprints and DNA can also be part of an identity record.
How does identity and access management work?
System administrators assign access privileges to each identity record. These privileges authorize certain activities and forbid others. To “open the door” safely, however, administrators need confidence that the users knocking at the door are who they say they are.
To give the system and its administrators confidence in their identities, users need to prove their identities through an activity called authentication. Users authenticate themselves by presenting evidence linking themselves to records. To do that, users first help the system validate their record — for example, by typing in a username. Then users hand over the evidence — often, passwords or other information only the real person would know.
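The flow described above (a username points the system at a record, a password is the evidence, and privileges are checked only after authentication) as an added Python example; it is not code from the original guidance. `IdentityStore`, the privilege names and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your own hardware.
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class IdentityRecord:
    username: str
    salt: bytes
    password_hash: bytes
    privileges: set = field(default_factory=set)


class IdentityStore:
    def __init__(self):
        self._records = {}
        # Dummy credential so an unknown username costs the same work as a
        # real one and does not reveal which usernames exist.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(os.urandom(16).hex(), self._dummy_salt)

    def enroll(self, username, password, privileges):
        salt = os.urandom(16)
        self._records[username] = IdentityRecord(
            username, salt, hash_password(password, salt), set(privileges))

    def authenticate(self, username, password):
        """Return the identity record if the evidence matches it, else None."""
        record = self._records.get(username)        # step 1: find the record
        salt = record.salt if record else self._dummy_salt
        expected = record.password_hash if record else self._dummy_hash
        candidate = hash_password(password, salt)   # step 2: check the evidence
        matches = hmac.compare_digest(candidate, expected)
        return record if (record and matches) else None

    def authorize(self, record, action):
        """Privileges apply only to a record that passed authentication."""
        return record is not None and action in record.privileges
```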
What does having an identity record enable?
Identity systems don’t just benefit system administrators. Users can do some very handy things with an authenticated digital identity. Here’s a small list:
- Pre-filling online forms with verified information speeds up application processing. There’s less redundant effort, and users don’t need to worry about basic errors.
- Authenticated users can access and download data the system holds about them, such as account activity. With a verified legal identity, the user can access very sensitive medical or financial records and even download them.
- Identity systems can protect your privacy. If you need to be 21 or older to access a service, you can authorize an identity system to confirm your age without sharing your exact birth date.
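The age check in the last item, as an added Python example that is not part of the original guidance: the identity system signs a yes/no answer and the relying service verifies it, so the birth date never leaves the identity system. The token layout, function names and shared HMAC key are assumptions; a production system would normally use an asymmetric signature.

```python
import base64
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key shared by the identity system and the relying service.
# Assumption: real deployments normally sign with an asymmetric key instead.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def age_on(birth_date: date, today: date) -> int:
    before_birthday = (today.month, today.day) < (birth_date.month, birth_date.day)
    return today.year - birth_date.year - before_birthday


def issue_age_assertion(subject, birth_date, min_age, today, key=SHARED_KEY):
    """Identity system side: sign a yes/no answer, never the birth date."""
    claim = {"sub": subject, "claim": f"age_at_least_{min_age}",
             "value": age_on(birth_date, today) >= min_age,
             "issued": today.isoformat()}
    body = json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_age_assertion(token, min_age, key=SHARED_KEY):
    """Relying service side: accept only an untampered, matching 'true' claim."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return False
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    claim = json.loads(body)
    return claim.get("claim") == f"age_at_least_{min_age}" and claim.get("value") is True
```

The relying service learns only that the threshold was met; checking the `issued` date for freshness is left to the caller.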