ID management: A promising new development
An emerging approach for managing digital credentialing data could enable the development of more sophisticated security and privacy measures.
There’s no getting around it: As the state of information sharing continues to advance, so too must the state of identity management technology.
Developments in mobile computing, cloud computing, data standards and other technologies have made it easier than ever to make information accessible to users at any time, from any place and with any device. Now government officials need to ensure that their information is accessible only by authorized users.
One emerging solution is something known as a backend attribute exchange (BAE). A BAE could be used to connect information-sharing systems with other systems that can verify the credentials (i.e., attributes) of a user trying to access a system.
Such an exchange could be a boon for information-sharing initiatives that cross intergovernmental boundaries. With a BAE in place, an information-sharing system would not need to store credentialing information for every individual accessing the system but instead would rely on the exchange to know where that information is kept.
The more readily available that information is, the tighter the security around a system can be.
With that in mind, the federal government’s Program Manager for the Information Sharing Environment (PM-ISE) and the General Services Administration are now working with Pennsylvania law enforcement agencies to put some emerging identity management technology to the test.
“One of the keys to responsible information sharing that gets the right information to the right person at the right time is enabling systems to securely access various credentials that may originate from multiple authoritative sources,” wrote Michael Kennedy, PM-ISE executive for assured interoperability, in a blog post earlier this year. “This is why the federal government has been working to develop a strong Backend Attribute Exchange capability.”
The pilot project involves Pennsylvania law enforcement officials accessing the Regional Information Sharing Systems (RISS) program, which offers a number of tools for information sharing, analysis and investigative work.
It’s an invaluable system, but for obvious reasons, it’s important to limit access to individuals who have training certification in handling personal privacy information. Such certification is an example of an attribute. In the pilot project, the BAE will serve as the traffic cop, directing RISS to the system where certification records are stored.
One of the benefits of a BAE is that it would focus agencies on identifying and relying on authoritative sources of such information rather than trying to collect and maintain the data on their own. That is one of the goals spelled out in the Federal Identity, Credential and Access Management (FICAM) Roadmap and Implementation Guidance, which was released in December 2011.
A BAE is an example of what the road map calls an Authoritative Attribute Exchange Service (AAES). Such a capability “allows agencies to link their authoritative sources of identity information with consumers of identity data across the agency, thus eliminating the need to redundantly collect identity data at each point where it is used,” the document states.
Beyond increasing efficiency, an AAES makes it possible to improve the security and privacy of information. Such a system also makes it possible to control who has access to what information at a very granular level, according to the road map.
“For example, specific views can be created based on a user’s role to limit access to sensitive data elements, such as [a] Social Security number,” the document states. “This can be a good method to satisfy various users with different reporting requirements while protecting sensitive data from those who lack a need to know it. Views can be dynamically created based on the authorization information, or the views can be stored and invoked on a regular basis.”
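To make the two ideas above concrete (the BAE directing a relying system such as RISS to the authoritative source of a certification attribute, and role-based views that hide elements such as a Social Security number), here is an added illustrative model in Python. It is not code from the pilot or from GSA; the authority names, records, shared key and role policy are all constructed for the example, and an HMAC stands in for whatever assertion-signing mechanism a real exchange would use.

```python
import hmac, hashlib, json

# Constructed registry: which authoritative source holds each attribute (hypothetical names).
ATTRIBUTE_AUTHORITIES = {
    "privacy_training_certified": "pa_training_registry",
    "sworn_officer": "pa_personnel_system",
}
# Constructed records held by each source; the relying system never stores these itself.
AUTHORITY_RECORDS = {
    "pa_training_registry": {"officer-1001": {"privacy_training_certified": True}},
    "pa_personnel_system": {"officer-1001": {"sworn_officer": True}},
}
# Hypothetical key shared between the BAE and the relying system (constructed for the demo).
BAE_KEY = b"constructed-demo-key"

def bae_lookup(subject, attribute):
    """BAE as 'traffic cop': route to the authoritative source, return a MAC-protected assertion."""
    source = ATTRIBUTE_AUTHORITIES.get(attribute)
    if source is None:
        return None  # no authoritative source registered for this attribute
    value = AUTHORITY_RECORDS[source].get(subject, {}).get(attribute)
    assertion = {"subject": subject, "attribute": attribute, "value": value, "source": source}
    payload = json.dumps(assertion, sort_keys=True).encode()
    assertion["mac"] = hmac.new(BAE_KEY, payload, hashlib.sha256).hexdigest()
    return assertion

def verify_assertion(assertion):
    """Relying system checks integrity before trusting the attribute value."""
    body = {k: v for k, v in assertion.items() if k != "mac"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(BAE_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["mac"])

def authorize_access(subject):
    """RISS-style decision: grant only if the authoritative source asserts the certification."""
    assertion = bae_lookup(subject, "privacy_training_certified")
    if assertion is None or not verify_assertion(assertion):
        return False
    return assertion["value"] is True

# Constructed role policy: which data elements each role may see.
ROLE_VIEWS = {"analyst": {"name", "case_id"}, "hr_admin": {"name", "case_id", "ssn"}}

def view_for_role(record, role):
    """Build the role-specific view; unknown roles see nothing, analysts never see the SSN."""
    allowed = ROLE_VIEWS.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}
```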
Once the BAE proves itself, GSA officials envision offering such a system as a shared service for use across government, according to the IDMGOV, a blog associated with the FICAM program.