Event Recording

Identity Management Protocols

Well, I appreciate the opportunity to talk. And I wanted to give you some background about Kantara. We run an assurance program for identity management, and I'm giving you some of the basis for where that got started. So Kantara has been around since 2009, and it really got started because of an interest in how to balance, if you will, privacy and security when it comes to the use of personal data, and for identity management in particular. And it is an industry group, it's a nonprofit, but it is supported by a variety of private sector and public sector companies and organizations. We are very much technology agnostic in that it doesn't matter what kind of innovation and what kind of technology is being used in the field. But what we do care about is that that technology is used in the highest compliance with standards in the industry.
And the standard that it began with was the NIST standard 800-63, which is about identity proofing. And I'm gonna kind of talk you through that, because going back to 2009, what Kantara did was look at that government standard and implement a framework of governance and rules and policy. And then on top of that, drill down further to establish criteria so that government entities and private companies can have assurance that the technology complies with those standards. The standards in and of themselves are very broad. And what Kantara did was take that and figure out: how do you execute on this? How do we make sure that these standards are really working in the field, in real life? So, alright, I'm having trouble advancing my slides. What happened here?
Try again. Ah, okay. So hopefully you can see this. So what Kantara did is create this risk management framework, and it's called the identity assurance framework. And really, like I said, it starts to take these high-level standards and figure out how do we make this so we can execute on it. What does it really mean? So the point of creating this framework is really to help agencies tailor the controls for identity proofing, authentication and federation. So it looks at it based on the risk of a specific transaction, a given online transaction. And it has a combination of what we call normative controls and informative controls. And the normative controls are mandatory, right? These: in order to comply, you shall do X, Y, and Z. Informative are best practice: this is what you should do. These are examples of something that would make this a better process or a better system.
The standard that we built this around was the NIST 800-63, and it's divided into three sections: enrollment and identity proofing, which is the guidance to validate that an identity is real, and it verifies that a user is that person, right? The authentication and the life cycle management gives guidance on how you secure a login and account from takeover so that you don't have to worry about that security risk, right? And federation and assertions are guidance on how to make a digital login and identity portable through a single sign-on. And for each of these types of identity management, there are various levels. And so what Kantara has done is looked at the standards and said, you know, here's how you can comply in a minimal way. And as you want to get it to become progressively stricter at each level of assurance, the technology is assessed against whether it's able to comply with higher levels of a standard and more rigorous criteria.
So in the identity assurance levels, for example, we have three different areas that we could provide assurance. So one would be a review and assessment of identity assurance level one, which is the least restricted, which is essentially a self-assertive identity by a user where there's no identity proofing, really. But now if you progress to identity assurance level two, it now requires either two strong or one strong and two fair pieces of evidence to confirm a user's identity. And it would allow for supervised remote, even access, right? And at the strongest level, which is identity assurance level three, it is the strictest and it actually requires in-person verification. So it permits some supervised remote, but it has very specific restrictions. Authentication. So the authentication assurance level looks a little bit different. It's focused on having confidence that the same user who enrolled is still the one in control of the account.
So at the bare minimum, the authentication assurance level one allows for a single authenticator. So it could be a single, it could be a multifactor, but there aren't real restrictions on what those authenticators might be. However, if you begin to drill down into what that looks like, the authentication assurance level two requires multifactor authentication for login, and it requires authenticators that vary by type. So things that you know, versus things that you have, versus things that you are. So knowledge might be something like a password, a PIN, something like that. Something you have might be an authenticator, might be a key, a token, could be something like that. Things that you are often includes biometrics: fingerprints, eye, facial recognition, and so on. Authentication assurance level three has the strictest limits. And it is something you have, so it has to be something like a hardware key, or it has to be something you are, something that is impersonation resistant.
And then the third area that we provide criteria for: federation assurance. This gives you confidence in the strength and authenticated session where the user is accessing different applications, either within or across agencies or organizations. So federation assurance level one is an assertion signed by the credential service provider. For level two, it's signed by the credential service provider, and it's also encrypted. And at level three, the holder-of-key assertion, it's signed. So the holder has to have the key, as well as having a signature by the credential service provider, as well as being encrypted. So you see in all of these there is increasing levels of assurance in order to maintain those high standards. So, as I mentioned earlier, what Kantara did was create an identity assurance framework, and what it has done since 2010 is it provides accreditation of assessors and approved service providers based on agreed-upon service assessment criteria.
And these third-party assessments are performed by accredited assessors who must be accredited on an annual basis in order to continue. And they are subject to services to determine that those services conform to the applicable criteria, and the criteria is different. And you see the trust marks across the bottom here. They're really the only organization that does third-party assessment against the primary NIST standards for identity. I think the significance there is that, because that is a standard that has been around for some time, what we find as we start to work in other countries and with other governments is that there is a great deal of similarity, and that this identity assurance framework provides a lot of resilience and confidence in compliance with identity proofing standards. To give you a little bit more information about how the organization does this: Kantara is very focused, obviously, on standards, but also on cutting edge.
And I say that because what we are looking to do is not to say that you have to solve a specific way, right? Instead, what we hope is that we're supporting the market to do a good job with this balancing of privacy and security, and yet not make it so restrictive that it reduces innovation. What we wanna see is innovation across the market. What we want to see is that we provide, you know, that identity proofing services are provided at a high level without sacrificing the ability for different organizations who have different needs. So the Kantara membership, because again, it's a nonprofit, is very focused on continuing to look at cutting edge. And I'll talk about some of the work groups that we have. So we have a whole set of work groups who work on very specific kinds of topics and then feed recommendations for criteria and things into other standards bodies like ISO, to NIST, to other organizations.
And then at the same time, we have the assurance process, which is rigorous, but is also very specific. And that continues to be improved and changed as we start to see changes in the field. So the way this works is, if you look on the right-hand side, hopefully, of your screen, you see the Kantara membership, and it works in a variety of working groups. In particular, the identity assurance work group is the one that was responsible for creating the framework and has also been responsible for establishing the criteria in order to know how to execute on and implement these standards. It informs what and maintains that framework so that it is always current and up to date. So there are a variety of documented policies and procedures, and it has a certification scheme. The accredited assessors have to know all of that and have to be able to prove that they're capable and have the expertise in order to look at policies, processes, procedures, and so on to assess and determine whether they meet those criteria.
And then the credential service providers offer all of that. Once a company and organization goes through that assurance process and has an assessment by the third-party accreditors, then it makes an application to the Kantara assurance review board, which essentially looks at what the subject matter expert said about that assessment and whether or not it meets it, and asks questions. It's often an iterative process to make sure that it really truly has complied, and also to make sure that the process is robust and meaningful. The assurance review board is made up of a team of folks who are subject matter experts. Some are from academia and some are from standards organizations, bodies themselves. They come together and provide this review. Once they've looked through everything, they are subject to the nondisclosure agreements and to conflict of interest recusal policies.
So there's a lot of tight restrictions to make sure that the process is rigorous, but also is free from any concerns of, you know, favoritism or anything else. And so they then review, and then they make a recommendation, if they find that everything is in compliance, that a trust mark be granted. So here's sort of, like I said, the cycle of that. The third-party assessment is really what starts, and typically an organization would ask for initial application to make sure that it seems like this is appropriate. After a quick review of that, they go through the assessment process, then the evaluation and approval by the assurance review board. And that trust mark is granted. The trust marks are granted on a three-year cycle. And obviously this is to make sure that everything is always up to date. Okay. So the first year is a full-blown assessment.
And, like I said, it's pretty rigorous and it can take as much as four months to go through. On an annual basis, however, we conduct conformity reviews, which means that we're still looking on an annual basis at the criteria to make sure that everything stays the same, and the vendors have a duty to report if they've changed their approach and what they're doing, to make sure that that compliance is always there. So it gives a level of assurance to those who are purchasing those services to know that that trust mark is not something that's one and done, right? It's always on a continuous review and we're making sure that that compliance is maintained so that those who purchase the services can have confidence about what that trust mark means. And that they're actually putting that stamp of approval, saying, yes, these solutions for identity proofing are still maintaining a high standard.
There's a couple of different kinds of approvals. One of the things that has changed over time is, back in 2010, when Kantara first started this, most of the folks in the field who were doing identity proofing were providing end-to-end identity proofing services. So what we were looking at in this approval process was their entire process and what they were doing. Today, we're seeing more and more companies who are using other companies to provide components of that identity proofing process. And they want assurance that the component services that they are bringing in as part of their credential service provision is also in compliance. So we're starting to see that that becomes a little bit different over time, as the industry has, you know, continued to grow and change its approach, I think, to meet the needs of consumers, as well as the needs of government agencies and companies that need to provide these kind of services. This is an overview of what it takes to go through that assurance program, from the initial application, through the third-party assessment, to approval, and then the monitoring that continues. That's hopefully helpful to you in terms of understanding what it is that we've tried to do.
