Managing electronic identities is gaining ground as a necessary countermeasure to protect Internet banking users and other online customers from the increasingly criminal use of the World Wide Web.
According to a report from Toronto-based IT research firm IDC Canada Ltd., the current IT environment dictates that identity (ID) management should be a high priority within an enterprise.
The report, User Account Provisioning: Finding the Path of Least Resistance, notes that ID management tools can tackle business issues such as regulatory compliance, security, and IT cost and complexity.
According to David Senf, IDC senior analyst and report author, ID management solutions address these issues by “simplifying and enabling more precise control over resource access across a disparate environment.”
Wealth management firm Richardson Partners Financial Ltd. announced in April that it had selected Calgary-based M-Tech Information Technology Inc. to implement an ID management solution.
Toronto-based Richardson Partners Financial provides customized wealth management services, including investment advice and estate and tax planning. Richardson Partners is using M-Tech’s P-Synch enterprise password management software to improve staff productivity by enabling password synchronization and self-service password resets, and by streamlining help-desk-assisted resets, the Toronto firm said.
Users who have forgotten a password or triggered a system lockout can reset their own passwords, according to M-Tech.
Andrew McKinney, director of technical services for Richardson Partners said in a statement that the ID management solution has cut down the number of calls made to the IT department’s help desk for password resets, which translates into cost savings and productivity gains.
“Calling a help desk is extraordinarily expensive,” says Ross Chevalier, CTO of Novell Canada Inc. in Toronto. “The lowest number I’ve seen is US$40 for a help desk call for passwords, and they are typically the cheapest call. If you have 1,000 customers, the data tells us that 30 per cent of them will forget their password every quarter. That’s a very high cost. If you provide a robust, auditable mechanism for self-service, your costs go way down and people are quite happy to do that.”
He says help desk calls such as ‘I can’t run my application’ or ‘I can’t print’ tend to get very expensive, with calls about printing problems averaging about US$380 per call. He says ‘who are you?’ and ‘where do you need to print?’ are programmatic responses that can also be handled “by good ID architecture.”
ID management as an overlay on security should spare the financial services organization from having to build completely disparate and separate systems for each of their constituent user groups, he says. “Good identity architecture permits integration with other line of business tools such as asset management and provisioning services…[so] that whatever device you’re using provides proper access to the application you need to do your job.”
Having the ability to integrate after an ID management framework is in place is particularly important to large Canadian financial services organizations growing through mergers and acquisitions, he adds.
Another consideration is to build consensus with other lines of business leaders, he says. “Make ID management decisions at as high a level as possible. We have encountered organizations where individual business groups have done their own thing and then someone at a very senior level asks ‘why they aren’t tied together?’ Sometimes that’s political, but your architecture shouldn’t prohibit that.”
Several challenges face financial services firms as they consider ID management, but cost is a major deciding factor, says Marcus Shields, enterprise product manager at Toronto-based IT security service provider Soltrus Inc. He says a financial institution may see a $60,000 strong authentication system as not cost-effective compared to $50,000 a year paid out as compensation for money stolen out of bank accounts when people’s passwords were compromised.
But he warns that compromised data could kill off the Internet “as a source of serious commercial activity. If we allow a system to evolve on the Internet where basically the consumers think, and I believe correctly in some cases, that every one of these [online business] transactions is liable to some form of compromise, you’re going to see e-commerce slowly wither and die.”
As reported by Rebecca Reid in the May 2005 issue of IT Focus, Toronto-based market research firm TNS Canadian Facts revealed that of the 65 per cent of Canadian respondents who had not signed up for Internet banking, 59 per cent cited security concerns as their reason.
Shields argues that ID theft, phishing and pharming occur because there is no secure, trustworthy system for credentialing people’s identity on the Internet. Identity management needs to be strongly credentialed so that the identity of the person is true to begin with, and it needs to be relatively difficult for somebody to use a stolen identity from a different location, he says. “If we had rules about all this, it would put a natural brake on the value of misappropriating it.”
He says that to achieve an “unfakeable” component of the ID, VeriSign uses an X.509 digital certificate. Firms can also use a USB token, smart card, one-time password or a biometric attribute, for example. “It has to be very difficult to use a stolen identity once you’ve got it. It’s definitely not now.” Shields also calls for international governance to combat the lack of effective worldwide law enforcement of standards for Internet commerce, since CDs of stolen credit card numbers are sold on the open market in some parts of the world.
“No systems that we create over here are going to be foolproof or even adequate as long as people can just go there and attack with impunity.”
At the federated level, the ID management challenge is being able to credential people adequately and to keep those credentials up to date so people are comfortable doing some financial transactions of significant magnitude, he says.
He reports that VeriSign Inc. uses a publicly identified set of criteria. “When we issue you a digital certificate, we not only say how we do it, but we also say how much liability we are willing to accept if we get it wrong. Those two components are really significantly absent from most ID management systems that I’ve seen so far at the federated level. You can see why.
“The whole concept of federation is if I get an ID management assertion and I pass it along to someone else, I have a duty of care to check that and by extension I would also have some level of liability if I get it wrong. The unknown factor in all this is: if I get an ID management assertion from you, how do I know how carefully you checked my ID in the first place? My problem is I have no control over the person who first credentialed it.”
“Every federated system to be successful has to have…some kind of attribute saying how qualified is this credential for different levels of security, different levels of privilege,” he adds. “Without that kind of an attribute of essentially embedding the trust level of the credential into the identity assertion, I don’t really see this system taking off.”
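As an added illustration (not code from the article, VeriSign or any vendor named here), this is how a relying party could enforce the trust-level attribute Shields describes: the assertion carries an assurance level, the relying party accepts it only from issuers whose credentialing practices and accepted liability are published, and the level it demands scales with the magnitude of the transaction. All issuer names, assurance levels, thresholds and liability figures are hypothetical.

```python
# Added example: relying-party policy for a federated identity assertion that
# embeds the issuer's trust (assurance) level. No real SAML/OIDC library is used;
# issuer names, levels and thresholds are hypothetical placeholders.
from dataclasses import dataclass

# Hypothetical registry of identity providers whose credentialing practice and
# accepted liability (CAD) are published, the two components the article says
# most federated systems lack.
TRUSTED_ISSUERS = {
    "idp.example-bank.test": {"max_assurance": 3, "liability_cad": 100_000},
    "idp.example-portal.test": {"max_assurance": 1, "liability_cad": 0},
}

# Transaction amount (CAD) thresholds and the minimum assurance level demanded.
REQUIRED_ASSURANCE = [(0, 1), (1_000, 2), (25_000, 3)]


@dataclass
class Assertion:
    issuer: str
    subject: str
    assurance: int   # trust level the issuer embeds in the assertion
    expires_at: int  # Unix time after which the assertion is stale


def required_level(amount):
    """Return the assurance level the relying party requires for this amount."""
    level = 1
    for threshold, lvl in REQUIRED_ASSURANCE:
        if amount >= threshold:
            level = lvl
    return level


def evaluate(assertion, amount, now):
    """Decide whether to honour the assertion for a transaction of `amount`."""
    issuer = TRUSTED_ISSUERS.get(assertion.issuer)
    if issuer is None:
        return (False, "unknown issuer")
    if assertion.expires_at <= now:
        return (False, "assertion expired")
    # An issuer may not vouch for a level above what its published practice supports.
    if assertion.assurance > issuer["max_assurance"]:
        return (False, "claimed assurance exceeds what the issuer may vouch for")
    need = required_level(amount)
    if assertion.assurance < need:
        return (False, f"assurance {assertion.assurance} below required {need}")
    # Duty of care: the issuer's accepted liability must cover the transaction.
    if issuer["liability_cad"] < amount:
        return (False, "issuer liability does not cover this transaction")
    return (True, "ok")
```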
With the various languages and protocols in use, the practical semantics of getting systems to talk intelligently to each other is another challenge.
Shields takes encouragement that people are thinking about it and that some international consortiums are moving forward, such as the Liberty Alliance (see page 6). IBM Corp., Sun Microsystems Inc. and Hewlett-Packard Co. have all made ID management-related acquisitions over the past two years. In April, Oracle Corp. acquired Cupertino, Calif.-based ID and Web services management vendor Oblix Inc. In March, BMC Software Inc. bought access-control and single sign-on tool provider OpenNetwork Technologies Inc.
“It is going to be one of those sea changes in the way that we do business on the Internet,” he optimistically predicts. In fact, he sees an opportunity for financial services companies to differentiate themselves by presenting credentialing beyond just name and password as a better service to customers. He cites a Norwegian bank whose customers use smart cards to access their online bank accounts.
“A few years hence the Internet will continue to be what it’s always been: a good mechanism for informal communication,” he concludes. “But if the concept is that we want to run serious e-business over it, particularly when we’re dealing with consumers, the state of affairs now is not adequate and it is becoming less adequate with every [passing] year.”
— with file from Ryan B. Patrick