Depending upon the situation, we show various faces to the world. We then prove we are who we say we are by showing the appropriate documentation — be it a credit card, driver’s license or student ID. Establishing trust online, however — in an environment devoid of traditional trust cues and identity — is much more difficult.
Identity in the digital enterprise must reflect the same context-sensitive nature that subjects enjoy in the real world, says Identity Management: Digitizing Your DNA (PDF, 5.6MB). In it, CSC’s Leading Edge Forum examines Digital Trust, a strategy for enhancing business value while addressing information risks. Since all transactions in the digital enterprise involve a subject with an identity, digital trust for identity management is a key area of focus.
Digital trust for identity management must apply to both human and non-human subjects (e.g., computers, devices, avatars and bots), support multiple sources of claims made about a subject’s identity and provide ways to prove — or disprove — those claims.
Establishing reputation
In the case of non-human subjects — particularly devices — the best way to earn trust is through a combination of device fingerprinting, along with the ability to track the way the device has been used. A company named iovation, devoted to making the Internet a safer place to interact, has developed Device Reputation Intelligence (DRI) technology that tracks devices’ identity based on behavior history, thereby bypassing the possibly stolen identities of the humans behind the devices. Every year, iovation processes more than 100 million device recognitions and reputations.
Even for humans, reputation — what others say about us — can be a more valid basis for trust online than what we say about ourselves. On eBay, for example, "we do not really care who we are buying from," says the report, "only that we can trust that they will deliver the goods purchased, safely and promptly."
Unfortunately, though, reputation is not transferable — your eBay reputation means nothing on Amazon and vice-versa. This situation is called the "walled garden" effect, which stems from cataloging identity claims in siloed directories. Ideally, we would need just one log-in to access all applications and systems. But we’re often required to log on separately to numerous applications — such as e-mail, human resource and Internet portal applications — all within the same enterprise.
Nor, of course, is reputation foolproof.
"My son bought a snowboard on eBay," says Paul Gustafson, director of CSC’s Leading Edge Forum. "A day after the transaction, a policeman arrived at my son’s dorm. The snowboard had been stolen off a mountain. The seller turned out to be part of a fraud ring." Luckily, Gustafson’s son had purchased the board through PayPal — which acted as a trust broker — so he wasn’t out any money. And, since he hadn’t received the board yet, he helped the police arrange the pickup and break up the ring.
Remembering — and forgetting — passwords
In addition to problems with reputation, identity fraud — including online identity theft — is thriving, at a cost of nearly $50 billion annually to consumers and businesses. And, according to the report, the myriad passwords so many of us rely upon to validate our online identity are actually the weakest authentication method. A password management survey conducted by RSA Security found that, while 18 percent of survey respondents say they manage more than 15 passwords, only five percent admit they can actually remember them all. And 36 percent of respondents say they manage six to 15 passwords.
"Having so many passwords inevitably leads to bad password management policies, both by the enterprise and the employee," says Identity Management: Digitizing Your DNA’s lead researcher and IT security expert Ron Knode. "Bad password management leads to identity compromise." Alternatives — such as personal question and answer dialogues, the use of pictures and shapes along with a password, and a special log-in page with your own personal image — can help mitigate the loss of digital trust, but the most popular method for convenience and speed is the use of biometrics. In the U.S., fingerprints are the favored technique, followed by iris scans.
Choosing biometrics
The Walt Disney Company is using biometrics to prevent ticket fraud and speed up entrance into Walt Disney World in Florida and Hong Kong Disneyland with special Ticket Tag turnstiles. Each ticket holder’s fingertip is read by a special optical sensor and that data is matched to his or her ticket. No photo ID is required.
In another case of advanced biometrics, CSC worked with a European Ministry of Interior to develop a border information system that verifies a traveler and his or her identity documents in 10 seconds, leaving authorities free to concentrate on the person’s behavior. The Border Control System received a 2007 CSC Award for Technical Excellence.
Unfortunately, there’s no digital equivalent to DNA.
"The longtime search for one digital identity that works for all kinds of subjects in all contexts will probably continue," says Knode, "but it seems neither possible nor really desirable." On the bright side, though, "identity convergence, faster trust negotiations and the promise of Identity 2.0 initiatives guarantee that we will need many fewer digital identifiers than we use today."
Volumes of the Digital Trust series will be published monthly, with the final volume due in November 2007.